
How should security teams build password policy that resists real attacks?

By NHI Mgmt Group Editorial Team Updated June 7, 2026 Domain: Governance, Ownership & Risk

Security teams should prioritise password length, breach-list screening, and slow hashing over composition rules and forced rotation. The goal is to make stolen credentials expensive to crack and useless to reuse. Pair that with MFA and session revocation so a compromised password does not become a durable account takeover path.

Why This Matters for Security Teams

Passwords still fail in the same places attackers look first: reuse, weak screening, and slow human response after compromise. Security teams often spend too much effort on composition rules and periodic rotation, even though those controls do little once an attacker holds a valid password or a breached credential set. Current guidance suggests focusing on what changes attacker economics: longer passphrases, blocklists, strong rate limiting, and slow hashing. The operational goal is not to make passwords “secure” in the abstract, but to make cracking and reuse expensive enough that the credential is not immediately useful.

This matters because compromise is rarely theoretical. In NHI environments, stolen credentials and secrets are often the first step to persistence and lateral movement, which is why NHIMG’s 52 NHI Breaches Report and Top 10 NHI Issues repeatedly point to credential weakness as a core failure mode. NIST’s Cybersecurity Framework 2.0 reinforces the broader principle: identity controls must reduce practical attack paths, not just satisfy policy wording. In practice, many security teams discover password policy gaps only after an exposed credential has already been replayed successfully.

How It Works in Practice

A password policy that resists real attacks should be built around attacker workflows. That means screening new passwords against breached-password lists, rejecting common substitutions, and encouraging long passphrases rather than forcing mixtures of symbols that users predictably defeat. It also means storing passwords with a slow, memory-hard hash so offline cracking is costly if the database leaks. A workable policy usually includes the following elements:
  • Minimum length that favours passphrases over short complexity games.
  • Breach-list screening at creation and reset time.
  • Adaptive rate limiting and lockout controls to slow guessing.
  • Slow hashing with a modern password storage algorithm.
  • MFA and session revocation so a stolen password does not become durable access.
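The following is an added example, not code from NHIMG or this FAQ: a minimal Python sketch of the length, breach-screening, substitution-normalisation and slow-hashing elements above. The breach list is a constructed sample (a real deployment would use a breached-password corpus or a k-anonymity range lookup), the scrypt parameters are assumed starting values to be tuned per hardware, and rate limiting and MFA are not shown.

```python
import hashlib
import hmac
import os

MIN_LENGTH = 15
# Memory-hard parameters (assumed starting point; raise n as hardware allows).
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)

# Constructed sample breach list for this example. Stored as SHA-1 hex, the
# format most breach feeds use; SHA-1 is only a lookup key here, not storage.
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest()
                 for p in ["password", "password123", "letmein", "qwerty123456789"]}

# Undo the predictable symbol/digit substitutions users apply to known words.
LEET = str.maketrans("@$013!|", "asoieil")


def normalise(pw):
    return pw.lower().translate(LEET)


def check_password(pw):
    """Return the reasons a candidate password is rejected (empty list = accepted)."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    # Screen both the raw string and its de-substituted form against the list.
    for candidate in {pw, normalise(pw)}:
        if hashlib.sha1(candidate.encode()).hexdigest() in BREACHED_SHA1:
            reasons.append("matches a breached or common password")
            break
    return reasons


def hash_password(pw, salt=b""):
    """Salted scrypt; the record stored is salt || digest."""
    salt = salt or os.urandom(16)
    return salt + hashlib.scrypt(pw.encode(), salt=salt, **SCRYPT)


def verify_password(pw, stored):
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.scrypt(pw.encode(), salt=salt, **SCRYPT)
    return hmac.compare_digest(candidate, digest)
```

Note that "qwerty123456789" passes the length check yet is rejected by screening, which is the point of pairing the two controls.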
For organisations managing machine identities, the same logic extends beyond human logins. NHIMG’s 52 NHI Breaches Analysis and Ultimate Guide to NHIs — Key Challenges and Risks show why exposed credentials become a wider control-plane problem once tokens, API keys, or service passwords are reused across systems. That is why best practice is to pair password policy with secret inventory, rotation discipline, and privilege minimisation rather than treating authentication as a standalone control. External guidance from the Anthropic — first AI-orchestrated cyber espionage campaign report also illustrates how quickly attackers operationalise valid credentials once they find them. These controls tend to break down when legacy applications require short passwords or cannot support modern hashing and MFA.

Common Variations and Edge Cases

Tighter password controls often increase help desk load and application-retirement pressure, so organisations must balance usability against attack resistance. There is no universal standard for every environment, especially where legacy authentication, embedded systems, or third-party integrations limit what can be enforced. The main edge case is where password policy is only one layer in a larger identity stack. If privileged accounts still rely on standing access, a strong password mainly slows the breach rather than containing it. That is why NHIMG’s Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs is especially relevant for environments that also manage service accounts, API keys, and automation credentials. In those cases, the real design question is whether the credential is reusable, long-lived, and broadly authorised. If it is, the password policy alone will not fix the exposure. Another common exception is emergency access. Break-glass accounts may need different controls, but they should be isolated, monitored, and revoked after use. Teams should also align policy with the MITRE ATLAS adversarial AI threat matrix when autonomous systems or AI-assisted workflows can amplify credential abuse. The practical rule is simple: strong password policy helps, but only if it is part of a wider identity containment strategy.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AC-1 | Identity proofing and access control underpin password policy outcomes.
NIST SP 800-63 | AAL2 | Authenticator strength and MFA guidance directly shape resistant password practice.
OWASP Non-Human Identity Top 10 | NHI-03 | Credential rotation and secret hygiene are central to resisting reuse after compromise.

Use PR.AC-1 to make password policy support verified identity and access decisions, not just complexity checks.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 7, 2026.