
Why do composition-based password rules fail in practice?

By NHI Mgmt Group Editorial Team Updated June 23, 2026 Domain: Threats, Abuse & Incident Response

They reward predictable user behaviour. People append numbers, capitalise the first letter, and reuse familiar patterns, which makes compliant passwords easy for attackers to guess. The rule looks strict on paper, but it often lowers real security by pushing users toward memorisable structures that are already overrepresented in breach corpora.

Why This Matters for Security Teams

Composition-based password rules are attractive because they look measurable: a minimum length, one uppercase letter, one number, one symbol. The problem is that attackers do not guess passwords from policy checkboxes. They exploit human habits, and the result is highly patterned output that remains vulnerable to guessing, credential stuffing, and targeted spraying. NIST has long warned against overreliance on composition rules in modern password guidance, and the NIST Cybersecurity Framework 2.0 reinforces the need to focus on effective risk reduction rather than cosmetic complexity.

For security teams, the deeper issue is that strict composition often creates false confidence. Users respond by making tiny edits to familiar base words, which preserves predictability while satisfying the policy engine. That pattern is easy to model at scale, especially when attackers combine breach corpora with rule-based mutation. NHIMG research on the State of Secrets in AppSec shows how often real-world security fails when people and tooling depend on patterns that are easy to reproduce rather than hard to abuse. In practice, many security teams encounter the weakness only after password spraying has already bypassed “strong” policy controls.

How It Works in Practice

Composition rules fail because they optimise for visible variety, not entropy that resists attack. If a policy requires one uppercase letter and one digit, many users will simply capitalise the first character and append a predictable suffix such as a year, a symbol, or an exclamation point. That still creates a narrow search space. Attackers know these habits and build wordlists and mutation logic around them, so the rule often increases predictability instead of reducing it.

This is why current guidance from standards bodies increasingly favours length, screening against known-bad passwords, and phishing-resistant authentication over forcing character classes. The DeepSeek breach is a useful reminder that security failures often emerge from the mismatch between what policy assumes and what adversaries actually test. When composition rules are used, they work best as a legacy compatibility control, not as the main defence.

  • Prefer long passphrases over short, complex strings.
  • Block passwords found in breach corpora or common mutation sets.
  • Use MFA to reduce the value of any single leaked password.
  • Monitor for password spraying and credential stuffing against exposed services.
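To make the contrast above concrete, here is an added example (not code from the NHIMG page) that puts the legacy composition rule beside a length-first policy which screens the normalised form of a candidate against a breach corpus, so that "Summer2024!" is rejected as a mutation of a breached word while a long passphrase is accepted. The corpus, the leet map and the prefix/suffix stripping heuristics are constructed assumptions for this illustration.

```python
import re

# Constructed breach corpus for the example; in production this would be a full
# breached-password feed (e.g. a Have I Been Pwned download) or an internal list,
# stored as normalised base words.
BREACH_CORPUS = {"password", "summer", "welcome", "qwerty", "letmein", "acme"}

# The usual tricks users apply to satisfy character-class rules (assumed mapping).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})
LEADING_DIGITS = re.compile(r"^\d{0,4}")        # e.g. "2024Summer"
TRAILING_JUNK = re.compile(r"[^A-Za-z]{0,8}$")  # years, digits, "!", "!!" ...


def normalise(password: str) -> str:
    """Collapse the common mutations back to the base word an attacker would start from."""
    base = LEADING_DIGITS.sub("", password, count=1)
    base = TRAILING_JUNK.sub("", base, count=1)
    return base.translate(LEET).lower()


def composition_ok(password: str) -> bool:
    """The legacy rule: at least 8 chars with an upper-case letter, a digit and a symbol."""
    return (len(password) >= 8
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)
            and any(not c.isalnum() for c in password))


def screened_policy(password: str, min_length: int = 8) -> str:
    """Length-first policy with breach screening; returns 'ok' or the reason for rejection."""
    if len(password) < min_length:
        return "too short"
    if password.lower() in BREACH_CORPUS:
        return "found in breach corpus"
    if normalise(password) in BREACH_CORPUS:
        return "mutation of a breached base word"
    return "ok"


if __name__ == "__main__":
    for candidate in ["Summer2024!", "P@ssw0rd1!", "Acme!!2023", "correct horse battery staple"]:
        print(f"{candidate!r:32} composition={composition_ok(candidate)!s:5} "
              f"screened={screened_policy(candidate)}")
```

The first three candidates satisfy the composition rule yet all normalise to a word in the corpus; the passphrase fails the composition rule and is the only one the screened policy accepts.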

For organisations mapping policy to formal control expectations, NIST Cybersecurity Framework 2.0 is a better anchor than outdated complexity rules because it pushes identity controls toward resilience, detection, and response rather than checkbox composition. These controls tend to break down when legacy applications still enforce short passwords and fixed character-class rules because users are forced into weak, patterned workarounds.

Common Variations and Edge Cases

Tighter password rules often increase user friction and support overhead, so organisations must balance memorability against resistance to guessing and reuse. That tradeoff is real, especially in environments where password changes are still mandatory or where application constraints limit modern authentication options.

There is no universal standard that says every composition rule is always harmful, but best practice is evolving toward simpler user-facing rules paired with stronger backend controls. For example, a password policy that allows long passphrases, screens against breached values, and avoids forced periodic rotation is generally more effective than one that demands a symbol and a digit. The key exception is a legacy system that cannot support modern controls; in that case, composition requirements may remain as a transitional measure, but they should not be treated as a mature security strategy.

Security teams should also watch for edge cases such as shared accounts, service passwords, and environments with heavy regulatory pressure. Those scenarios often create a false argument for complexity when the real need is identity hardening, privileged access management, and detection of abuse patterns. If the policy is designed around human memory instead of attacker behaviour, it will usually fail at the point of first large-scale guessing activity.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.

Framework    | Control / Reference | Relevance
NIST CSF 2.0 | PR.AC-1             | Identity proofing and access control are undermined by weak password composition policies.
NIST CSF 2.0 | PR.AC-7             | Password rules that encourage reuse weaken authentication protection against common attack paths.
NIST CSF 2.0 | DE.CM-1             | Password spraying and credential stuffing need monitoring, not just policy enforcement.

Shift identity controls from composition checks to stronger authentication and abuse-resistant access decisions.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 23, 2026.