
Password complexity rules: what should IAM teams change now?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 8151
Topic starter  

TL;DR: Composition-based password rules measure character variety, not real resistance to brute force or credential stuffing, and, according to Avatier, NIST SP 800-63B has treated them as an outdated proxy since 2017. The security case now rests on length, breach-corpus exclusion, and runtime policy enforcement, because calendar rotation and predictable transforms keep producing the same weak patterns.

NHIMG editorial — based on content published by Avatier: Password complexity debate in 2026

By the numbers:

Questions worth separating out

Q: How should security teams implement stronger password policy without relying on complexity rules?

A: Use runtime enforcement instead of composition-only checks.

Q: Why do complexity rules fail to improve password security in practice?

A: Because they measure visible character variety rather than attacker resistance.

Q: What breaks when password rotation is based on the calendar instead of risk events?

A: Calendar rotation creates unnecessary churn while missing the moments that actually change risk, such as leaked credentials, anomalous access, role changes, and offboarding.

Practitioner guidance

  • Audit every credential creation path: map user self-service resets, helpdesk resets, API provisioning, password imports, and legacy application stores.
  • Replace complexity checks with breach-corpus screening: reject credentials that appear in known leaked-password datasets and block common predictable transforms such as seasonal suffixes and symbol substitutions.
  • Tie rotation to identity events: trigger password rotation on breach exposure, anomalous access, role changes that cross privilege boundaries, and offboarding.
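An added illustration of the screening step above (example code written for this post, not Avatier's or NHIMG's implementation): a minimum-length check plus breach-corpus screening, where the candidate is normalised to undo symbol substitutions and strip trailing year/symbol suffixes before the corpus lookup, so "P@ssw0rd2025!" is caught as a transform of "password". The breach corpus and the substitution table are constructed for the example; a deployment would load a full leaked-password list.

```python
import hashlib
import re

MIN_LENGTH = 12  # assumption: policy minimum; no composition rules applied

# Constructed breach corpus (assumption): SHA-1 digests of a few passwords
# that appear in public leak datasets, stored hashed as a real list would be.
BREACH_CORPUS_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("password", "letmein", "welcome1", "summer2024")
}

# Symbol/digit-for-letter substitutions that cracking rule sets undo for free.
_LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i",
                       "0": "o", "$": "s", "5": "s", "7": "t"})
# Trailing year/digit/symbol suffixes ("2025!", "123", "!!") are appended
# mechanically by users and enumerated mechanically by attackers.
_TRAILING = re.compile(r"[0-9!@#$%^&*.?_\-]+$")
# Season + year, optionally followed by symbols, is a predictable pattern
# even when the exact string is not in the corpus.
_SEASONAL = re.compile(r"^(spring|summer|fall|autumn|winter)(19|20)\d{2}[^a-z]*$", re.I)


def _in_corpus(candidate: str) -> bool:
    return hashlib.sha1(candidate.encode()).hexdigest() in BREACH_CORPUS_SHA1


def _variants(pw: str):
    """Yield the predictable forms of pw that a guessing tool would try."""
    low = pw.lower()
    stripped = _TRAILING.sub("", low)
    seen = set()
    for v in (low, low.translate(_LEET), stripped, stripped.translate(_LEET)):
        if v and v not in seen:
            seen.add(v)
            yield v


def check_password(pw: str) -> tuple:
    """Return (accepted, reason) using length and breach screening only."""
    if len(pw) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    if _SEASONAL.match(pw):
        return False, "season+year pattern"
    for v in _variants(pw):
        if _in_corpus(v):
            return False, f"matches breached password after normalisation ({v!r})"
    return True, "ok"
```

The normalisation only widens the corpus match; a long passphrase with no leaked base word passes without any character-class requirement.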

What's in the full article

Avatier's full article covers the operational detail this post intentionally leaves for the source:

  • Step-by-step credential firewall design across self-service reset, helpdesk reset, and API-driven provisioning paths
  • The runtime checks used to block breached passwords, predictable transforms, and contextual guesses before storage
  • The event-triggered rotation workflow tied to breach exposure, role changes, and offboarding
  • The implementation sequence for integrating password policy with lifecycle management and legacy directories

👉 Read Avatier's analysis of password strength versus complexity in 2026 →

