TL;DR: Password composition rules measure character variety, not resistance to cracking or credential stuffing, and in practice they produce predictable substitution patterns and helpdesk load, according to Avatier. The effective control is strength enforcement at the moment a password is set: breach-corpus screening, a length floor, and rotation triggered by events (exposure, anomalous activity, role change, offboarding) rather than a 90-day calendar.
NHIMG editorial — based on content published by Avatier: password complexity in 2026 and the case for strength-based governance
Questions worth separating out
Q: How should security teams implement password policy without relying on composition rules?
A: Use length, uniqueness, and breached-password screening as the primary acceptance tests, then enforce them at every password creation point.
Q: Why do composition-based password rules fail in practice?
A: They reward predictable behaviour. Users satisfy the rule with a capitalised first letter, a trailing digit and a trailing symbol, and cracking wordlists and rule sets already model exactly those substitutions, so the rule adds friction without adding work for the attacker.
Q: When should organisations prioritise password length over composition complexity?
A: Whenever the goal is resistance to cracking: each extra character of a passphrase adds more attacker work than a forced symbol does. Length does nothing against a reused password that already sits in a breach corpus, which is why the breach check belongs beside the length floor rather than behind it.
Practitioner guidance
- Audit every credential creation path: map user self-service, helpdesk resets, API provisioning, import jobs, and legacy application writes, and confirm that the same password acceptance logic applies on every one of them.
- Enforce breached-password screening at runtime: reject credentials that appear in breach corpora before they are stored, and apply the check on every reset and provisioning path, not only at the user portal.
- Replace calendar rotation with event-driven rotation: rotate credentials when exposure, anomalous activity, role change, or offboarding changes the risk profile, and stop treating 90-day rotation as a security outcome.
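The Q&A above and the three guidance points describe one acceptance pipeline: length and context checks, a breach-corpus lookup, a single enforcement point shared by every creation path, and a rotation decision driven by events rather than age. The following is an added example written for this post, not code from Avatier or NHIMG. The length threshold, the path and event names, and the breach corpus are assumptions; the corpus is a constructed in-memory set of SHA-1 digests standing in for a real breach feed or k-anonymity range API, and the lookup mimics that API's shape (only a hash prefix leaves the host, the suffix is matched locally).

```python
"""Strength-based password acceptance plus event-driven rotation.

Added example, not code from Avatier or NHIMG. Thresholds, event names and
the breach corpus are assumptions; the corpus is a constructed in-memory set
of SHA-1 digests standing in for a real breach feed or k-anonymity range API.
"""
import hashlib
import re
import unicodedata
from dataclasses import dataclass, field

MIN_LENGTH = 12    # assumed policy floor; the control is length, not character classes
MAX_LENGTH = 128   # allow passphrases, cap only to bound hashing cost

# Constructed breach corpus: a few leaked passwords, stored hashed as a real feed would be.
_LEAKED = ["password", "Password1!", "qwerty123456", "Summer2024!!", "letmein!2024"]
BREACH_CORPUS = {hashlib.sha1(p.encode("utf-8")).hexdigest().upper() for p in _LEAKED}

# Assumed creation paths: the four usual ones plus the legacy writer audits tend to miss.
CREATION_PATHS = {"self_service", "helpdesk_reset", "api_provisioning", "import_job", "legacy_app"}

# Events that change a credential's risk profile; calendar age is deliberately absent.
ROTATION_TRIGGERS = {"credential_exposed", "anomalous_activity", "role_changed", "offboarded"}


@dataclass
class Verdict:
    accepted: bool
    reasons: list[str] = field(default_factory=list)


def passes_composition_rule(pw: str) -> bool:
    """The legacy rule this post argues against: one of each character class."""
    return all(re.search(p, pw) for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))


def in_breach_corpus(pw: str, corpus=BREACH_CORPUS) -> bool:
    """k-anonymity style lookup: only the 5-hex-char prefix would leave the host;
    the suffix is matched locally against the range the service returns."""
    digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    returned_range = {h[5:] for h in corpus if h.startswith(prefix)}  # simulated range response
    return suffix in returned_range


def evaluate_password(candidate: str, username: str = "", email: str = "") -> Verdict:
    """Strength tests in the order a user sees them: length, context, repetition, breach."""
    pw = unicodedata.normalize("NFKC", candidate)  # check what will actually be hashed
    reasons: list[str] = []
    if len(pw) < MIN_LENGTH:
        reasons.append("too_short")
    if len(pw) > MAX_LENGTH:
        reasons.append("too_long")
    local_part = email.split("@", 1)[0] if email else ""
    if any(c and len(c) >= 3 and c.lower() in pw.lower() for c in (username, local_part)):
        reasons.append("contains_identifier")
    if len(set(pw.lower())) <= 2:  # "aaaaaaaaaaaa", "abababababab"
        reasons.append("repetitive")
    if in_breach_corpus(pw):
        reasons.append("in_breach_corpus")
    return Verdict(accepted=not reasons, reasons=reasons)


def set_password(path: str, candidate: str, username: str = "", email: str = "") -> Verdict:
    """Single choke point every creation path calls. An unaudited path is an error,
    so a forgotten legacy writer surfaces as a failure rather than a silent policy gap."""
    if path not in CREATION_PATHS:
        raise ValueError(f"unaudited credential creation path: {path}")
    return evaluate_password(candidate, username, email)


def rotation_decision(events, password_age_days: int) -> dict:
    """Event-driven rotation: any trigger event forces a reset, age alone never does."""
    triggers = sorted(set(events) & ROTATION_TRIGGERS)
    return {"rotate": bool(triggers), "triggers": triggers, "age_days": password_age_days}


if __name__ == "__main__":
    samples = [("self_service", "Password1!"),                      # passes composition, fails strength
               ("helpdesk_reset", "correct horse battery staple"),  # fails composition, passes strength
               ("api_provisioning", "alice-is-the-best-2026")]      # long, but contains the username
    for path, pw in samples:
        v = set_password(path, pw, username="alice", email="alice@example.com")
        print(f"{path:16} composition={passes_composition_rule(pw)!s:5} "
              f"strength={v.accepted!s:5} {v.reasons}")
    print(rotation_decision(["login_ok"], 400))                  # 400 days old, no trigger: no rotation
    print(rotation_decision(["offboarded"], 10))                 # 10 days old, offboarded: rotate now
```

The contrast in the sample run is the whole argument: `Password1!` satisfies the four-class composition rule and is rejected as both short and breached, while `correct horse battery staple` fails the composition rule and is accepted. The `ValueError` on an unknown path is the audit control from the first guidance point turned into code; the first thing to do with it is grep the estate for every caller that writes a password and make sure each one goes through `set_password`.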
What's in the full article
Avatier's full article covers the operational detail this post intentionally leaves for the source:
- The specific credential-firewall pattern for user self-service, helpdesk reset, and API-driven provisioning paths.
- The step-by-step sequence for replacing 90-day rotation with event-triggered rotation.
- The implementation discussion around breached-password screening and how it fits into existing identity workflows.
- The product-specific handling of lifecycle integration and policy enforcement across mixed identity environments.
👉 Read Avatier's analysis of password complexity versus strength in 2026 →
Password complexity rules in 2026: what IAM teams should change?