
When should organisations prioritise password length over composition complexity?

By NHI Mgmt Group Editorial Team Updated June 23, 2026 Domain: Authentication, Authorisation & Trust

Always, if the goal is actual resistance to cracking. Length expands the search space far more effectively than adding a symbol or capital letter. Once a sensible minimum length is in place, organisations should prioritise breach-corpus exclusion and password uniqueness before they worry about character-class variety.

Why This Matters for Security Teams

Password length is not a cosmetic preference. It is the most reliable way to raise brute-force cost, especially against modern cracking rigs and breach-corpus attacks that make simple composition rules ineffective. NIST guidance has moved away from mandatory complexity in favour of length, screening, and usability, because predictable requirements tend to produce predictable passwords. The same lesson shows up in the NHI space: NHI Mgmt Group notes that 79% of organisations have experienced secrets leaks, with 77% causing tangible damage, which is why brittle credential controls carry real cost.

For human passwords, the practical question is when length should take precedence over mixed-case and symbol rules. For most environments, the answer is as soon as a reasonable minimum length exists. Composition checks can still help in limited contexts, but they should not be the primary defence. The safer control is a longer password that is also checked against known-compromised corpora, as reflected in the NIST Cybersecurity Framework 2.0 emphasis on risk-based identity protection. In practice, many security teams discover weak password policy only after credential stuffing or lateral movement has already turned one guessable secret into an incident.

How It Works in Practice

Security teams should think in layers. Length increases entropy faster than adding a required numeral or special character, so policy should start with a sensible minimum and then focus on practical resistance to guessing. Current guidance suggests that the strongest password controls are the ones users can actually follow consistently: long passphrases, no composition edge cases, and checks against breached-password lists. That approach reduces the common failure mode where users comply by appending “1!” to an otherwise weak base word.

A workable policy usually includes:

  • A long minimum length, often expressed as a passphrase-friendly requirement rather than a short complex-string rule.
  • Screening against known breached passwords and obvious variants.
  • Uniqueness enforcement, so a single compromise does not cascade across services.
  • Rate limiting, MFA, and monitoring to reduce the payoff of guessing attempts.
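As an added example (not code from the NHI Mgmt Group page), a small Python policy checker that applies the layered model just listed in the order the guidance recommends: a length floor first, then screening against a breach list that also catches the appended "1!" variants mentioned above, then a reuse check; it also computes the search-space comparison behind the length-over-complexity argument. The MIN_LENGTH value, the breach set and the reuse fingerprints are assumptions constructed for this example.

```python
import hashlib
import math
from typing import Optional

MIN_LENGTH = 15  # passphrase-friendly floor; an assumed value, not a quoted standard

# Constructed sample breach corpus for this example; a real deployment screens
# against a breached-password service or a locally mirrored hash set.
BREACHED = {"password", "summer", "summer2024", "welcome", "letmein", "qwerty"}

def search_space_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of a uniformly random password over the given alphabet."""
    return length * math.log2(alphabet_size)

def compare_policies() -> dict:
    """Search-space bits for the two policy styles the guidance contrasts."""
    return {
        "8 chars, all four classes (95-symbol alphabet)": search_space_bits(8, 95),
        "16 chars, lowercase only (26-symbol alphabet)": search_space_bits(16, 26),
    }

def normalise(pw: str) -> str:
    """Lower-case and strip the trailing digits/symbols users append to satisfy
    composition rules, so 'Password1!' is screened as 'password'."""
    base = pw.lower().rstrip("0123456789!@#$%^&*._-")
    return base or pw.lower()

def is_breached(pw: str) -> bool:
    return pw.lower() in BREACHED or normalise(pw) in BREACHED

def fingerprint(pw: str) -> str:
    """Hash used only for the reuse check below (a simplified stand-in for a
    password-history or credential-reuse service)."""
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()

def check_password(pw: str, used_fingerprints: set) -> Optional[str]:
    """Return None if accepted, else the rejection reason. Checks run in the
    order the guidance recommends: length, breach screening, uniqueness.
    No character-class rule is applied."""
    if len(pw) < MIN_LENGTH:
        return f"too short: {len(pw)} < {MIN_LENGTH}"
    if is_breached(pw):
        return "matches a known-breached password or a trivial variant of one"
    if fingerprint(pw) in used_fingerprints:
        return "already in use elsewhere; reuse lets one compromise cascade"
    return None
```

Calling compare_policies() shows a 16-character lowercase passphrase (about 75 bits) outranking an 8-character four-class string (about 53 bits), which is the arithmetic behind putting length first.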

That model is consistent with broader identity hygiene concerns documented in NHI Mgmt Group’s Ultimate Guide to NHIs, which shows how often organisations struggle when secrets are long-lived, overexposed, or reused. The same operational logic applies to human credentials: long, unique, non-reused secrets are harder to crack and easier to govern than complex-looking but predictable patterns. Organisations should also align this with identity lifecycle controls so resets, lockouts, and recovery paths do not become the weakest link. These controls tend to break down when legacy applications enforce short fixed-length fields, because teams then preserve complexity rules as a workaround instead of fixing the underlying authentication design.

Common Variations and Edge Cases

Tighter password policy often increases user friction and helpdesk load, requiring organisations to balance brute-force resistance against usability and application compatibility. That tradeoff is real, especially where legacy systems cap length or reject long Unicode input. Best practice is evolving, but the direction is clear: if a platform can support longer passwords, length should usually win over composition complexity.

There are a few exceptions. Administrative accounts, service accounts, and shared operational credentials often need stronger controls than ordinary user passwords, but those controls are usually better expressed through privileged access management, vaulting, and rotation rather than even stricter composition rules. For high-risk systems, organisations should also add password screening, MFA, and session controls rather than piling on more character-class requirements. Standards bodies increasingly treat complexity as a weak proxy for security, because it shapes user behaviour more than attacker behaviour.

For teams modernising policy, the practical decision is simple: choose longer passwords, remove unnecessary composition rules, and invest in breach-corpus rejection and uniqueness. The Ultimate Guide to NHIs reinforces the larger lesson that secret quality and lifecycle discipline matter more than symbolic complexity, and that principle holds across both human and non-human identities.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
--------- | ------------------- | ---------
NIST CSF 2.0 | PR.AC-1 | Identity proofing and access enforcement support stronger password policy decisions.
NIST SP 800-63 | 5.1.1.2 | NIST digital identity guidance explicitly favours length and memorability over composition complexity.
OWASP Non-Human Identity Top 10 | NHI-03 | Secret quality and rotation discipline for NHIs mirrors the same length-first security logic.

Set minimum length, block breached passwords, and avoid complexity rules that add friction without raising resistance.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 23, 2026.