Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Password complexity rules in 2026: what IAM teams should change


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: Password composition rules measure character variety, not actual resistance to cracking or credential stuffing, and they keep producing predictable patterns and helpdesk burden, according to Avatier. The real control is runtime strength enforcement with breach-corpus checks, length, and event-triggered rotation, not 90-day complexity theater.

NHIMG editorial — based on content published by Avatier: password complexity in 2026 and the case for strength-based governance

Questions worth separating out

Q: How should security teams implement password policy without relying on composition rules?

A: Use length, uniqueness, and breached-password screening as the primary acceptance tests, then enforce them at every password creation point.

Q: Why do composition-based password rules fail in practice?

A: They reward predictable user behaviour.

Q: When should organisations prioritise password length over composition complexity?

A: Always, if the goal is actual resistance to cracking.

Practitioner guidance

  • Audit every credential creation path Map user self-service, helpdesk resets, API provisioning, import jobs, and legacy application writes to confirm that the same password acceptance logic applies everywhere.
  • Enforce breached-password screening at runtime Reject credentials that appear in breach corpora before they are stored, and apply the check on every reset and provisioning path, not only at the user portal.
  • Replace calendar rotation with event-driven rotation Rotate credentials when exposure, anomalous activity, role change, or offboarding changes the risk profile, and stop treating 90-day rotation as a security outcome.

What's in the full article

Avatier's full article covers the operational detail this post intentionally leaves for the source:

  • The specific credential-firewall pattern for user self-service, helpdesk reset, and API-driven provisioning paths.
  • The step-by-step sequence for replacing 90-day rotation with event-triggered rotation.
  • The implementation discussion around breached-password screening and how it fits into existing identity workflows.
  • The product-specific handling of lifecycle integration and policy enforcement across mixed identity environments.

👉 Read Avatier's analysis of password complexity versus strength in 2026 →

Password complexity rules in 2026: what IAM teams should change?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Composition-based password policy is a compliance proxy, not a security control. The article is right to separate visible complexity from actual strength, because attackers optimise against predictable character substitutions and password corpora, not policy checklists. The deeper governance failure is that many enterprises still treat compliance-friendly password shape as evidence of resilience. Practitioners should stop equating audit pass conditions with attack resistance.

A few things that frame the scale:

  • 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months, according to The State of Non-Human Identity Security.
  • Lack of credential rotation is cited as the top cause of NHI-related attacks by 45% of organisations, followed by inadequate monitoring and logging at 37% and over-privileged accounts at 37%.

A question worth separating out:

Q: What is the difference between password complexity and password strength?

A: Complexity is a visible formatting rule. Strength is the real difficulty of guessing or cracking the credential. A password can satisfy every complexity requirement and still be weak if it is short, reused, or derived from common patterns. Strength is measured by attack resistance, not by the presence of special characters.

👉 Read our full editorial: Password complexity rules are failing enterprise IAM in 2026



   
ReplyQuote
Share: