
What is the difference between password complexity and password strength?

By NHI Mgmt Group Editorial Team. Updated June 23, 2026. Domain: Foundations & NHI Taxonomy

Complexity is a visible formatting rule. Strength is the real difficulty of guessing or cracking the credential. A password can satisfy every complexity requirement and still be weak if it is short, reused, or derived from common patterns. Strength is measured by attack resistance, not by the presence of special characters.

Why This Matters for Security Teams

Password complexity often creates a false sense of safety because it is easy to verify and easy to audit, while password strength is about how well a credential resists guessing, spraying, phishing, and offline cracking. That distinction matters in environments where secrets and service credentials are handled at scale, especially when the broader identity problem is already hard to see. NHI Management Group notes that only 5.7% of organisations have full visibility into their service accounts in the Ultimate Guide to NHIs — What are Non-Human Identities, which helps explain why weak credentials persist even when policy looks strict.

Teams usually get this wrong when they rely on complexity rules such as uppercase, numbers, and symbols as a proxy for resistance. The NIST Cybersecurity Framework 2.0 emphasises outcome-driven risk reduction rather than checkbox validation, which is the right mental model here. In practice, many security teams encounter credential compromise only after password reuse, password spraying, or offline cracking has already bypassed a policy that looked strong on paper.

How It Works in Practice

Complexity is a rule set. Strength is an attack-resistance property. A complex password may satisfy composition rules and still be weak if it is short, reused, predictable, or built from dictionary words with substitutions. A strong password tends to be long, unique, and resistant to both human guessing and automated cracking. Current guidance from NIST and other authorities suggests that length and uniqueness matter more than arbitrary character-class requirements, because attackers do not brute-force all passwords equally.

In practice, teams should assess strength through the lens of threat realism:

  • Prefer long passphrases over short mixed-character strings.
  • Block common passwords, breached passwords, and obvious variants.
  • Enforce uniqueness so one compromise does not cascade across systems.
  • Use MFA, because strength alone does not stop phishing or token theft.
  • Measure the real control with attack simulations, breach data, and reuse checks.

This distinction is especially important for non-human credentials. The Ultimate Guide to NHIs — What are Non-Human Identities shows how often secrets are stored and exposed in ways that make complexity irrelevant, because the weak point is lifecycle management, not just password formatting. A credential can meet every policy rule and still be easy to crack if it is reused in code, copied into a config file, or left valid long after it should have been rotated. These controls tend to break down in legacy systems and shared service accounts because administrators cannot easily enforce uniqueness or rotation without application changes.

Common Variations and Edge Cases

Tighter complexity rules often increase user friction and helpdesk burden, requiring organisations to balance memorability against administrative overhead. That tradeoff is real, but it should not be confused with security value. There is no universal standard for this yet across all industries, so current guidance suggests focusing on measurable resistance rather than symbolic complexity.

Two edge cases matter most. First, a password that looks simple can still be strong if it is long, unique, and randomly generated. Second, a password that looks complex can still be weak if it appears in a known breach corpus or follows a predictable pattern such as seasonal words plus a symbol. For this reason, password policy should be paired with breach checking, MFA, and rotation for high-risk accounts. NIST guidance is useful here because it pushes organisations toward practical authentication outcomes rather than cosmetic requirements.
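As an added illustration (not code from the NHIMG page), the following Python contrasts a classic composition check with the attack-resistance checks listed in the threat-realism bullets above and exercised by the two edge cases: a seasonal-word password that satisfies every complexity rule yet fails on breach, pattern and length, and a plain passphrase that fails complexity yet passes every strength check. The breach corpus, word list, substitution map and 15-character minimum are constructed assumptions for the example.

```python
import hashlib
import re

# Constructed breach corpus for this example: SHA-1 digests of a few values
# known to appear in public leaks. A real check would query a breached-
# password service or a full local corpus instead.
BREACH_CORPUS = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("Password1!", "Welcome2024!", "P@ssw0rd", "Summer2023!")
}
# Constructed mini word list and a rough de-substitution map (both assumed).
WORDLIST = {"password", "welcome", "admin", "letmein", "qwerty"}
LEET = str.maketrans("@$!01345", "asioleas")
SEASONAL = re.compile(r"^(spring|summer|autumn|fall|winter)\d{2,4}[^\w\s]?$", re.I)


def meets_complexity(pw: str) -> bool:
    """Classic composition rule: 8+ chars with upper, lower, digit and symbol."""
    classes = (r"[A-Z]", r"[a-z]", r"\d", r"[^\w\s]")
    return len(pw) >= 8 and all(re.search(c, pw) for c in classes)


def strength_findings(pw: str, reused: bool = False) -> list[str]:
    """Attack-resistance checks; an empty list means nothing was found."""
    findings = []
    if len(pw) < 15:  # assumed minimum for a passphrase-oriented policy
        findings.append("short")
    if hashlib.sha1(pw.encode()).hexdigest() in BREACH_CORPUS:
        findings.append("breached")
    if SEASONAL.match(pw):
        findings.append("seasonal-pattern")
    # Strip trailing digits/symbols, undo common substitutions, keep letters.
    core = re.sub(r"[\d\W_]+$", "", pw.lower()).translate(LEET)
    if re.sub(r"[^a-z]", "", core) in WORDLIST:
        findings.append("dictionary-with-substitutions")
    if reused:  # uniqueness is known from inventory/reuse checks, not the string
        findings.append("reused")
    return findings


def assess(pw: str, reused: bool = False) -> dict:
    """Return both verdicts so the gap between them is visible."""
    findings = strength_findings(pw, reused)
    return {"complex": meets_complexity(pw), "strong": not findings,
            "findings": findings}


if __name__ == "__main__":
    for candidate in ("Summer2023!", "P@ssw0rd", "correct battery staple horse 7"):
        print(candidate, assess(candidate))
```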

For NHI and service-account estates, the issue is often broader than password policy alone. Many environments still rely on static secrets with poor visibility, which is why NHI governance should treat strength, rotation, storage location, and offboarding as one control family rather than separate tasks. The real failure mode is not just a weak password. It is a strong-looking credential that remains exposed, reused, or valid long after the risk changed.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AC-1 | Identity and access controls should reflect real authentication strength, not cosmetic complexity.
OWASP Non-Human Identity Top 10 | NHI-03 | Weak, reused, or long-lived secrets undermine NHI credential hygiene and rotation.
NIST SP 800-63 | | Digital identity guidance prioritises memorability, uniqueness, and verifiable resistance over composition rules.

Align password policy with NIST digital identity guidance by dropping arbitrary complexity rules and checking against breached passwords.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 23, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org