Authentication, Authorisation & Trust

How should organisations improve password security without making users miserable?

By NHI Mgmt Group Editorial Team Updated June 11, 2026 Domain: Authentication, Authorisation & Trust

Focus on longer unique passwords, password managers, and MFA rather than constant complexity changes. Good password security works when users can actually follow it, so design the control set around memorability, reuse prevention, and phishing resistance. The goal is to reduce compromise likelihood without turning authentication into a daily obstacle.

Why This Matters for Security Teams

Password policy is still one of the most visible parts of security, which is why it often becomes a friction point long before it becomes an effective control. Current guidance from the NIST Cybersecurity Framework 2.0 and modern identity practice points away from forced complexity resets and toward controls that actually reduce takeover risk: unique passwords, password managers, and phishing-resistant MFA. That shift matters because users do not fail policy in a vacuum; they fail it when memorisation, reuse, and constant rotation create workarounds.

For security teams, the real goal is to remove predictable human shortcuts without weakening authentication assurance. If the policy drives users to write passwords down, reuse them across systems, or bypass MFA prompts in frustration, the organisation ends up with a control that looks strong on paper and fails under pressure. The same lesson appears across broader identity research: the Ultimate Guide to NHIs shows how weak lifecycle discipline and poor visibility turn identity controls into operational debt, not protection. In practice, many security teams encounter password reuse and MFA fatigue only after an account takeover has already been investigated, rather than through intentional policy design.

How It Works in Practice

Improving password security without increasing misery starts with a simple principle: optimise for usability where it improves security, and reserve strictness for the places that matter most. Long, unique passwords are easier for users to maintain when a password manager generates and stores them, so policy should support managers rather than fighting them. That means allowing longer passphrases, discouraging arbitrary complexity rules, and eliminating routine password expiry unless there is evidence of compromise or another specific risk trigger.

From there, add layered protection around the password rather than making the password do everything. Phishing-resistant MFA, such as security keys or passkeys where feasible, raises the cost of credential theft far more than forcing users to remember special characters. This aligns with the identity guidance embedded in The State of Non-Human Identity Security, which highlights how credential weaknesses become attack paths when visibility and rotation are poor. Even though that research focuses on NHIs, the operational lesson carries over: identity security improves when the organisation reduces long-lived secrets and makes compromise less reusable.

  • Set minimum length over complexity rules, and allow passphrases.
  • Require unique passwords, supported by approved password managers.
  • Use MFA that resists phishing, not just one-time codes alone.
  • Trigger resets on suspicious activity, not on arbitrary schedules.
  • Monitor for reuse, compromise, and anomalous sign-in behaviour.
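The policy principles listed above, turned into a checking routine as an added example (this is not the FAQ's or NHIMG's code): length and a compromised-password screen replace composition rules, passphrases with spaces are accepted, and the legacy "8 characters plus four character classes" rule is kept alongside for contrast. The breached-password set and sample passwords are constructed stand-ins; a production check would query a breach corpus.

```python
from __future__ import annotations
from dataclasses import dataclass, field
import unicodedata

# Constructed denylist standing in for a real compromised-password feed.
CONSTRUCTED_BREACHED = {"password123", "winter2024!", "letmein"}


@dataclass
class PasswordPolicy:
    min_length: int = 12      # length is the primary control, not character classes
    max_length: int = 128     # long enough for manager-generated passphrases
    breached: set[str] = field(default_factory=lambda: set(CONSTRUCTED_BREACHED))

    def check(self, password: str, username: str = "") -> list[str]:
        """Return the reasons a password is rejected; an empty list means accepted."""
        pw = unicodedata.normalize("NFKC", password)  # compare consistently across input methods
        reasons: list[str] = []
        if len(pw) < self.min_length:
            reasons.append(f"shorter than {self.min_length} characters")
        if len(pw) > self.max_length:
            reasons.append(f"longer than {self.max_length} characters")
        # Screening against known-compromised values addresses reuse directly,
        # which scheduled rotation never does.
        if pw.lower() in self.breached:
            reasons.append("appears in compromised-password list")
        # Context-specific words stay predictable regardless of length.
        if username and username.lower() in pw.lower():
            reasons.append("contains the username")
        # A single repeated character ("aaaaaaaaaaaa") would otherwise satisfy the length rule.
        if len(set(pw)) < 4:
            reasons.append("too few distinct characters")
        return reasons


def legacy_complexity_check(password: str) -> bool:
    """The rule set the guidance argues against: 8+ chars with upper, lower, digit and symbol."""
    classes = [any(c.isupper() for c in password), any(c.islower() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password)]
    return len(password) >= 8 and all(classes)
```

The contrast worth noticing is that a breached value such as the constructed "Winter2024!" passes the legacy rule and fails the length-plus-screening policy, while a long passphrase does the reverse.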

Implementation works best when password policy is paired with sensible exception handling, clear user guidance, and frictionless self-service recovery. These controls tend to break down in hybrid workforces with legacy applications because older systems still enforce brittle password rules and cannot support modern MFA cleanly.

Common Variations and Edge Cases

Tighter authentication controls often increase support burden at first, requiring organisations to balance stronger protection against login friction and helpdesk load. That tradeoff is real, especially in regulated environments, shared-device scenarios, and systems that cannot yet support modern MFA or passwordless options. Best practice is evolving here, and there is no universal standard for every application estate.

Legacy applications are the most common exception. If an application cannot accept long passphrases, federated login, or phishing-resistant MFA, security teams may need compensating controls such as network restrictions, session monitoring, or stronger account governance until the application can be modernised. Shared accounts and service accounts should not be treated like user passwords at all; they need separate NHI controls, secret rotation, and ownership discipline rather than human password policy. The broader NHI lifecycle guidance in the Ultimate Guide to NHIs is useful here because it shows how identity controls fail when ownership and rotation are unclear.

For high-risk roles, step-up authentication and tighter session controls are often better than universal hardening that affects everyone. The practical test is whether the control reduces compromise without pushing users toward workarounds. Where that balance is not achieved, the policy is usually too rigid for the environment rather than too weak for the threat.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework / Control or Reference / Relevance:

  • NIST CSF 2.0 / PR.AA-01 / Identity proofing and authentication support usable, stronger login controls.
  • OWASP Non-Human Identity Top 10 / NHI-03 / Password reuse and weak secret handling mirror NHI secret lifecycle failures.
  • NIST AI RMF / Govern and Manage functions / The govern and manage functions support risk-based, user-friendly security decisions.

Use phishing-resistant MFA and unique passphrases to raise assurance without adding routine password resets.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 11, 2026.