TL;DR: Composition-based password rules measure character variety, not real resistance to brute force or credential stuffing, and NIST 800-63B has treated them as an outdated proxy since 2017 according to Avatier. The security case now belongs to length, breach-corpus exclusion, and runtime policy enforcement, because calendar rotation and predictable transforms keep producing the same weak patterns.
At a glance
What this is: This is an independent analysis of why password complexity rules no longer reflect real password strength and why runtime enforcement matters more than composition checks.
Why it matters: It matters because IAM, PAM, NHI, and lifecycle teams all inherit the same control failure when policy measures compliance-looking passwords instead of attacker-resistant ones.
By the numbers:
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities.
- Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap.
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes and as quickly as 9 minutes in some cases.
👉 Read Avatier's analysis of password strength versus complexity in 2026
Context
Password complexity rules are a weak proxy for password strength because they reward character variety instead of resistance to real attack methods. In 2026, the primary problem is not whether a password contains uppercase letters, numbers, and symbols, but whether the credential can survive credential stuffing, breach-corpus replay, and predictable user behaviour.
That distinction matters across IAM and lifecycle programmes because the same policy failure shows up in self-service resets, helpdesk resets, provisioning flows, and rotation programmes. When policy optimises for compliance theatre, it can create passwords that look secure on paper while becoming easier for attackers to guess or reuse in practice.
The result is a control architecture problem, not a user education problem. Enterprises need runtime enforcement, breach-corpus checks, and lifecycle-linked rotation if they want actual strength instead of checkbox conformity.
Key questions
Q: How should security teams implement stronger password policy without relying on complexity rules?
A: Use runtime enforcement instead of composition-only checks. Require long passwords, screen against breach corpora, reject predictable transforms, and apply the same policy at every credential creation point. The goal is to stop weak secrets before they reach the directory, not to score them after the fact.
Q: Why do complexity rules fail to improve password security in practice?
A: Because they measure visible character variety rather than attacker resistance. Users respond by creating predictable patterns, reusing credentials, or choosing memorable but weak structures. That means the policy can look strict while still allowing passwords that are easy to guess or already known to attackers.
Q: What breaks when password rotation is based on the calendar instead of risk events?
A: Calendar rotation creates unnecessary churn while missing the moments that actually change risk, such as leaked credentials, anomalous access, role changes, and offboarding. It also encourages incremental password changes that preserve predictable structure. Event-triggered rotation is more defensible and more aligned to IAM governance.
Q: Who is accountable when password policy allows predictable or reused credentials?
A: IAM and security owners are accountable because the control design failed to stop known-bad inputs at creation time. If policy still permits weak but compliant-looking passwords, the issue is governance, not user behaviour. Organisations should align the policy with NIST SP 800-63B and lifecycle controls.
Technical breakdown
Why composition rules fail as a strength signal
Composition rules measure whether a password includes certain character classes, not whether an attacker can realistically guess it. A credential such as P@ssw0rd!123 can satisfy every common rule and still sit in attacker wordlists, while a long passphrase with ordinary words can be far harder to crack. The weakness is structural: policy rewards visible variety, not entropy, uniqueness, or resistance to known attack patterns. Practical implication: stop treating character-class checks as a security outcome and treat them only as one narrow input to stronger policy enforcement.
Practical implication: replace composition-only policy with strength controls that evaluate entropy, reuse, and known-bad patterns.
Credential firewall enforcement at every creation point
A credential firewall is runtime enforcement that checks candidate passwords before they reach the identity store. The important detail is coverage: it must fire at every creation path, including user reset, helpdesk reset, API-driven provisioning, and password import. If even one path bypasses the firewall, non-compliant credentials still enter the environment and the policy fails at design level. Practical implication: audit every password creation and reset path, then enforce the same strength logic everywhere.
Practical implication: verify that no reset, provisioning, or migration path bypasses runtime password checks.
Event-triggered rotation is stronger than calendar rotation
Calendar-based rotation assumes time, not risk, is the right trigger for change. Event-triggered rotation instead uses breach exposure, anomalous access, privilege changes, and offboarding to decide when credentials should be replaced. That shift reduces unnecessary churn while focusing effort on actual exposure points. It also aligns password governance with lifecycle reality, especially where a changed role or leaked credential creates a real risk signal. Practical implication: replace fixed 90-day rotation with trigger-based rotation tied to identity and threat events.
Practical implication: connect rotation policy to breach, anomaly, role-change, and offboarding events instead of elapsed time.
NHI Mgmt Group analysis
Composition-based password policy is a compliance artifact, not a strength model. The industry kept a 1990s control because it was easy to audit, not because it mapped to attacker behaviour. That assumption failed once attackers started exploiting breach corpora, predictable transforms, and credential stuffing at scale. The implication is that password governance cannot be judged by policy wording alone; it must be measured by whether the policy blocks known attacker input patterns.
Runtime enforcement is the real control boundary for password strength. Password strength is only meaningful if the identity stack can reject weak credentials before they are issued, regardless of where the change originates. That is why the credential firewall is the architectural concept that matters here. It closes the gap between policy intent and actual credential creation, which is where most programmes quietly fail.
Length, uniqueness, and unpredictability should replace composition as the design centre. NIST SP 800-63B has already shifted the standard away from composition rules and toward long, memorable, user-chosen secrets with better screening. This is not a usability concession; it is an attacker-model correction. Practitioners should fund controls that block reuse and predictable transforms rather than chasing mixed-case theatre.
Event-driven lifecycle governance is where password policy becomes operationally credible. Rotation that happens only because a calendar says so creates churn without context. When password changes are tied to breach exposure, role changes, and offboarding, the policy reflects actual risk and the rest of the IAM programme can rely on it. Practitioners should align password policy with lifecycle events instead of treating it as a standalone hygiene rule.
From our research:
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
- Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap, according to The State of Secrets in AppSec.
- For a broader identity baseline, read Ultimate Guide to NHIs , Key Challenges and Risks for how sprawl, over-privilege, and unmanaged credentials compound policy gaps.
What this signals
Strength policy should be treated as a runtime control, not a password-format preference. The governance signal here is that enterprises cannot rely on user education or static complexity rules once attackers are operating from breach corpora and predictable-transform logic. That is why runtime screening, lifecycle triggers, and breach-corpus checks belong in the same control plane as IAM policy, not in separate hygiene programmes.
Credential governance and secrets governance are converging. A team that still treats passwords as a human-only problem will miss the same failure pattern in service accounts, tokens, and API keys. The practical shift is to unify identity review, reset, and revocation processes so that weak secret creation is blocked wherever an identity can be issued or changed.
The broader signal for security leaders is that compliance evidence is losing value unless it can be tied to attack-resistant behaviour. If a control produces fewer support calls but still allows breached or predictable credentials, the programme has improved convenience without improving exposure. In that sense, the architecture problem is now the governance problem.
For practitioners
- Audit every credential creation path Map user self-service resets, helpdesk resets, API provisioning, password imports, and legacy application stores. Apply the same runtime strength checks to each path so no non-compliant password can bypass the control surface.
- Replace complexity checks with breach-corpus screening Reject credentials that appear in known leaked-password datasets and block common predictable transforms such as seasonal suffixes and symbol substitutions. This prevents compliant-looking passwords from entering the directory.
- Tie rotation to identity events Trigger password rotation on breach exposure, anomalous access, role changes that cross privilege boundaries, and offboarding. Use elapsed time only as a reporting metric, not as the security trigger.
- Integrate password policy with lifecycle management Make joiner, mover, and leaver events drive the same password governance logic across workforce, admin, and shared credentials. The control should follow the identity, not the calendar.
Key takeaways
- Complexity rules fail because they measure character variety rather than attacker resistance, which makes them a poor proxy for actual password strength.
- Runtime credential screening, breach-corpus checks, and lifecycle-linked rotation are the controls that change outcomes, not calendar-based complexity theatre.
- IAM and security leaders should treat password governance as an operational control plane, because weak policy can create compliant-looking credentials that are still easy to attack.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST SP 800-63, NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST SP 800-63 | The article centers on NIST 800-63B guidance that rejects composition-based complexity rules. | |
| NIST CSF 2.0 | PR.AC-1 | Credential policy is an access control issue and belongs in the protect function. |
| NIST Zero Trust (SP 800-207) | PR.AC-4 | Runtime enforcement and least privilege both depend on continuous access validation. |
Align password policy with NIST 800-63B by prioritising length, screening, and phishing-resistant options.
Key terms
- Credential Firewall: A credential firewall is a runtime control that inspects and blocks weak passwords before they are issued or stored. It enforces strength policy at every creation point, which is more effective than relying on users to follow composition rules or remember fixed rotation schedules.
- Breach-Corpus Screening: Breach-corpus screening compares a proposed password against large collections of known leaked credentials. If the candidate already appears in attacker wordlists, the system rejects it. This prevents known-bad secrets from being accepted just because they satisfy a local password policy.
- Event-Triggered Rotation: Event-triggered rotation replaces fixed calendar changes with rotation driven by real risk signals such as leaked-password exposure, unusual activity, role change, or offboarding. It makes password governance responsive to identity events instead of forcing routine changes that often reduce security quality.
- Composition Rule: A composition rule is a password policy that requires certain character types, such as uppercase letters, numbers, or symbols. It is easy to audit but weak as a security measure because it measures format, not actual resistance to guessing or reuse.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or governance in your organisation, it is worth exploring.
This post draws on content published by Avatier: Password complexity debate in 2026. Read the original.
Published by the NHIMG editorial team on 2025-12-03.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
