
Password policy benchmarks under pressure, are your controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 8151
Topic starter  

TL;DR: Password policies are being re-examined because minimum length, forced rotation, and complexity rules can create more friction than protection when they are not tied to real threat models, according to Netwrix. The practical question is not whether to keep passwords, but which controls still reduce risk without undermining identity security.

NHIMG editorial — here’s why we think this discussion matters

Questions worth separating out

Q: How should security teams decide whether password rotation still makes sense?

A: Security teams should keep password rotation only where there is a clear compromise or exposure signal, not as a routine calendar event.

Q: Why do password complexity rules often fail in practice?

A: Password complexity rules often fail because they change user behaviour more than attacker economics.

Practitioner guidance

  • Reassess complexity rules against real compromise patterns: Remove password composition requirements that mainly drive predictable user behaviour, and compare them against actual helpdesk resets, reuse patterns, and account takeover incidents.
  • Replace calendar-driven rotation with risk-driven change triggers: Use forced password changes only when compromise, exposure, or privilege change warrants them, rather than on a fixed schedule that encourages minor edits.
  • Review password policy alongside privileged access governance: Check whether shared admin accounts, emergency accounts, and recovery workflows still depend on weak human-managed passwords that bypass normal lifecycle controls.

What to expect at the briefing

Netwrix's full webinar covers the operational detail this post intentionally leaves for the source:

  • Side-by-side discussion of minimum length, complexity, and rotation rules for current password policy design
  • Expert walkthrough of where password rules create friction without improving security outcomes
  • Practical guidance on aligning password policy with privileged access and lifecycle controls

👉 Watch Netwrix's on-demand webinar on password policy and security →

(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 6483

Password policy is now a governance question, not a standalone authentication rule. The article reflects a broader shift in identity programmes: password controls only make sense when they are tied to actual attack paths, user behaviour, and recovery processes. Complexity and rotation rules can look rigorous while failing to improve security outcomes. Practitioners should treat password policy as one component of human IAM, not as proof of control maturity.

A few things that frame the scale:

  • NHIs outnumber human identities by 25x to 50x in modern enterprises, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, according to the same guide.

A question worth separating out:

Q: How do password policies affect privileged access governance?

A: Password policies affect privileged access because admin, break-glass, and shared accounts often depend on human-managed credentials. If those accounts are not governed through lifecycle review, offboarding, and stronger session controls, a strong password alone is not enough. Privileged access should be managed as a separate risk tier, not blended into standard user policy.

👉 Read our full editorial: Password policy benchmarks are under pressure in modern security programmes
