Your Password Policy Is a Work of Fiction
Let me describe a scene you've definitely lived through. A user sits down to create a new password. The policy demands: at least eight characters, one uppercase, one lowercase, one number, one special character. The user thinks for approximately four seconds. They type "Password1!" and click submit.
You built a policy. They built a completely compliant password that a cracking rig will eat for breakfast.
Congratulations. You are both following the rules.
The Complexity Trap
The dirty secret of traditional password complexity requirements is that humans are very, very bad at being random. When you tell people to add a special character, they add it at the end. When you tell them to add a capital letter, they capitalize the first letter. When you tell them to include a number, they add "1" or the year they were born.
The result is not a diverse landscape of strong passwords. It's a monoculture of "Summer2024!", "Welcome1!" and my personal favorite, "P@ssw0rd", which is somehow both creative and catastrophic at the same time.
Security researchers have known this for years. When Microsoft analyzed hundreds of millions of real-world passwords, they found predictable substitution patterns everywhere. Leetspeak tricks like "3" for "e" and "@" for "a" are so common that cracking tools ship rule files that apply them to every dictionary word by default. You're not adding entropy. You're adding the illusion of entropy while attackers laugh quietly into their GPU farms.
The 90-Day Rotation Myth
Oh, the 90-day password rotation policy. A true classic. Born from a reasonable intuition (if a password is compromised, change it before it gets used) and evolved into one of the most counterproductive controls in enterprise security.
Here's what actually happens. User creates "Winter2024!" in December. March rolls around. Policy demands a change. User creates "Spring2024!". June: "Summer2024!". And so on, forever, until the heat death of the universe or their retirement, whichever comes first.
If an attacker compromises one of these passwords, they will try the next season and the next year before anything else: "Winter2024!" predicts "Spring2024!" and "Winter2025!" with depressing accuracy. That is not a hypothetical. Seasonal and year-increment rules are a standard part of documented password-spraying and cracking playbooks.
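To make the point concrete, here is an added example (not from the original post) of how a cracker enumerates the "compliant" space described in the two sections above: a few base words, the three capitalisations people actually use, every subset of the usual leet substitutions, and the digit/year/symbol suffixes. The base words, substitution table and suffix lists are constructed here to keep the run small; a real attack uses a multi-million-word list and the rule files that ship with tools such as hashcat or John the Ripper.

```python
"""Rule-based candidate generation: walking the space of policy-compliant passwords.

Added example, not code from the original post. Every list below is a
constructed stand-in; real wordlists and rule files are far larger, which
only makes the point stronger.
"""
from itertools import combinations, product

# Constructed inputs: the stock word plus season names, so rotation
# guessing ("Summer2024!" -> "Autumn2024!") falls out of the same loop.
BASE_WORDS = ["password", "welcome", "summer", "autumn", "winter", "spring"]
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}
YEARS = [str(y) for y in range(2015, 2026)]
NUMBERS = [""] + [str(d) for d in range(10)] + ["123"] + YEARS
SYMBOLS = ["", "!", "@", "#"]


def leet_variants(word):
    """Apply every subset of the substitution table, each to all occurrences.

    The empty subset comes first, so the unmodified word is always tried
    before any "clever" substitution.
    """
    keys = [k for k in LEET if k in word]
    variants = []
    for r in range(len(keys) + 1):
        for subset in combinations(keys, r):
            w = word
            for k in subset:
                w = w.replace(k, LEET[k])
            variants.append(w)
    return variants


def case_variants(word):
    """The three capitalisations people actually use."""
    return [word, word.capitalize(), word.upper()]


def generate_candidates(words=BASE_WORDS):
    """Per word: case form, then substitution subset, then suffix.

    Insertion order is preserved and duplicates are dropped, so the list
    is the exact guess stream an attacker would feed to a hash cracker.
    """
    seen = {}
    for word in words:
        for cased in case_variants(word):
            for leet in leet_variants(cased):
                for num, sym in product(NUMBERS, SYMBOLS):
                    seen.setdefault(leet + num + sym, None)
    return list(seen)


def guesses_until(target, words=BASE_WORDS):
    """1-based position of target in the guess stream, or None if never reached."""
    for i, cand in enumerate(generate_candidates(words), start=1):
        if cand == target:
            return i
    return None


if __name__ == "__main__":
    stream = generate_candidates()
    print(f"{len(stream)} candidates from {len(BASE_WORDS)} base words")
    for pw in ["Password1!", "P@ssw0rd1!", "Welcome1!", "Summer2024!", "Winter2025!"]:
        print(f"{pw:14} found at guess #{guesses_until(pw)}")
    print("correcthorsebatterystaple ->", guesses_until("correcthorsebatterystaple"))
```

Six base words expand to a few thousand candidates, and every "compliant" password from the examples above is in there; at the guess rates a GPU manages against an unsalted hash, the whole stream is gone in well under a millisecond. The passphrase never appears because no rule reaches it, which is the entire argument of this post in one loop.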
NIST SP 800-63B figured this out and said so out loud in 2017. Stop mandating periodic rotation unless you have evidence of a specific compromise. Forcing regular changes doesn't improve security. It trains users to create predictable passwords and then write them on sticky notes because they can't remember which iteration they're on. I have personally seen, in production environments, a monitor with four Post-it notes arranged chronologically like a password fossil record.
What the Math Actually Says
Here's the uncomfortable comparison. "P@ssw0rd1!" meets most enterprise complexity requirements. It is also crackable in seconds on modern hardware because it follows a completely predictable pattern (dictionary word, leet substitutions, digit and symbol tacked on the end) that cracking rules are built around.
"correcthorsebatterystaple" doesn't meet most enterprise complexity requirements because it has no uppercase letters, no numbers, and no special characters. It's also a 25-character passphrase that would take longer to crack by character-level brute force than the current age of the universe. One caveat that matters: an attacker who guesses whole words from a dictionary does far better than that, which is why the words have to be chosen at random from a large list rather than by a human.
The XKCD comic that explained this in 2011 is still correct. Length wins. Predictability loses. A policy optimized for complexity over length has the cause and effect backwards.
What Actually Works
Passphrases over passwords. Four or more random words strung together are genuinely strong and genuinely memorable, where "random" means a generator picked them from a large list (the EFF long list has 7,776 words, a little under 13 bits per word), not that the user thought of four words that felt random. "correct horse battery staple" is not a good example anymore because it's famous, but the concept is sound.
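The arithmetic behind the comparison in the previous section and the passphrase advice above, as an added example that is not from the original post. The counts in the pattern model (100,000 base words, three case forms, 32 substitution subsets, 200 suffixes), the guess rates and the word list are all assumptions stated inline; the word list in particular is a constructed stand-in for a real diceware list.

```python
"""Guess-space arithmetic for 'complex' passwords versus random passphrases,
plus a CSPRNG-backed passphrase generator.

Added example, not code from the original post. Rates and model counts are
assumptions; adjust them to your own threat model.
"""
import math
import secrets

# Assumed offline guess rates on one GPU box (hashes per second):
# a fast unsalted hash such as NTLM or MD5 versus a deliberately slow KDF.
RATE_FAST_HASH = 1e10
RATE_SLOW_KDF = 1e4
AGE_OF_UNIVERSE_S = 4.35e17  # roughly 13.8 billion years

# Constructed stand-in for a real word list; a real one has thousands of entries.
SAMPLE_WORDS = [
    "anchor", "basket", "candle", "dagger", "ember", "falcon", "garden",
    "hammer", "island", "jungle", "kettle", "lantern", "marble", "needle",
    "orbit", "pepper", "quartz", "ribbon", "saddle", "timber",
]


def bits(space):
    """Entropy in bits of a uniformly searched space of `space` candidates."""
    return math.log2(space)


def pattern_space(dictionary_words=100_000, case_forms=3, leet_subsets=32, suffixes=200):
    """Assumed model of a policy-compliant password: word x case x leet subset x suffix."""
    return dictionary_words * case_forms * leet_subsets * suffixes


def passphrase_space_words(n_words, wordlist_size=7776):
    """An attacker who knows it is N words from a known list guesses at word level."""
    return wordlist_size ** n_words


def char_bruteforce_space(length, alphabet=26):
    """The post's brute-force figure: every lowercase string of this length."""
    return alphabet ** length


def seconds_to_exhaust(space, rate):
    """Worst case for the attacker; expected time is half of this."""
    return space / rate


def generate_passphrase(n_words, wordlist=SAMPLE_WORDS, sep=" "):
    """Pick words with the OS CSPRNG; the machine chooses, the human only memorises."""
    if n_words < 4:
        raise ValueError("use at least four words")
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def passphrase_bits(n_words, wordlist_size):
    """Entropy of a generated passphrase depends on list size, not on word length."""
    return n_words * math.log2(wordlist_size)


if __name__ == "__main__":
    rows = [
        ("pattern password (model)", pattern_space()),
        ("4 words, 7776-word list", passphrase_space_words(4)),
        ("6 words, 7776-word list", passphrase_space_words(6)),
        ("25 lowercase chars, brute force", char_bruteforce_space(25)),
    ]
    for label, space in rows:
        fast = seconds_to_exhaust(space, RATE_FAST_HASH)
        slow = seconds_to_exhaust(space, RATE_SLOW_KDF)
        print(f"{label:34} {bits(space):6.1f} bits  "
              f"fast hash: {fast:10.3g} s  slow KDF: {slow:10.3g} s")
    print("sample:", generate_passphrase(5),
          f"({passphrase_bits(5, len(SAMPLE_WORDS)):.1f} bits from a {len(SAMPLE_WORDS)}-word list)")
```

Three things fall out of the numbers. The modelled pattern space is about 31 bits and is exhausted in a fraction of a second against a fast hash. Four words from a 7,776-word list is about 52 bits: days against an unsalted hash, millennia against a slow KDF, so both the word count and the server's hashing choice matter, and six words is the comfortable floor for anything that is not behind bcrypt or Argon2. And the sample line shows why the list size matters: five words from a twenty-word list is barely 22 bits, which is why the generator, not the user, should own the list.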
Password managers are the real answer. The only passwords a human should be expected to remember are the master password to their password manager and possibly their device login. Everything else should be randomly generated, unique per site, and stored by software designed for the job. The argument against password managers ("what if someone compromises the manager?") is weak compared to the alternative, which is the same password on 47 different sites, written in a Notes app called "DO NOT OPEN."
Passkeys, where supported, are better than both. They are phishing-resistant public-key credentials: the private key lives in the user's authenticator, the site stores only a public key, and the signature is bound to the site's origin, so there is no shared secret for a breach to leak or a lookalike login page to capture. The infrastructure isn't everywhere yet, but it's where this is going.
The Actual Fix
Audit your current policy against NIST SP 800-63B. If you're mandating periodic rotation without evidence of compromise, stop. If you're setting complexity requirements that produce "P@ssw0rd1!" in the wild, drop them in favor of a length minimum, allow long passphrases (at least 64 characters, spaces included) and screen new passwords against a breached-password list, which is what the standard asks for instead. If you're not offering a password manager to employees, offer one.
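What that audit looks like when it lands in code, as an added example that is not from the original post and not a NIST artefact. It implements the verifier-side checks from SP 800-63B section 5.1.1.2: a length minimum, a generous maximum, no composition rules, a blocklist compared against a normalised form of the candidate (so leet and suffix variants of a blocked word are caught too), context-specific words, and repetitive or sequential characters. The blocklist, the context words and the substitution table are constructed stand-ins; in production the blocklist is a breached-password corpus, and rate limiting and MFA sit alongside this check rather than inside it.

```python
"""Verifier-side password check aligned with NIST SP 800-63B section 5.1.1.2.

Added example, not code from the original post. Lists are constructed
stand-ins; a real blocklist is a breached-password corpus with millions of
entries. No uppercase/digit/symbol rules on purpose: the standard says not to.
"""
import unicodedata

MIN_LENGTH = 8     # rev 3 minimum; rev 4 raises this to 15 for single-factor use
MAX_LENGTH = 256   # at least 64 must be accepted; a cap above that protects slow KDFs

# Constructed blocklist: common words, seasons and the classics.
BLOCKLIST = {"password", "welcome", "letmein", "qwerty", "monkey", "dragon",
             "summer", "autumn", "winter", "spring"}
# Constructed context words: the service's own name, product names and so on.
CONTEXT_WORDS = {"acme", "acmecorp"}
# Reverse of the substitutions a cracker applies, so "P@ssw0rd" normalises to "password".
UNLEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "0": "o", "$": "s", "5": "s"})
STRIP_CHARS = "0123456789!@#$%^&*()-_=+.,?/ "


def normalize_for_blocklist(pw):
    """Lowercase, drop the decorations people bolt on the ends, undo leet."""
    return pw.lower().strip(STRIP_CHARS).translate(UNLEET)


def longest_run(pw, step):
    """Longest run where each code point is the previous one plus `step`.

    step 0 finds repeats ("aaaa"), +1 and -1 find sequences ("1234", "dcba").
    """
    best = cur = 1
    for a, b in zip(pw, pw[1:]):
        cur = cur + 1 if ord(b) - ord(a) == step else 1
        best = max(best, cur)
    return best


def check_password(candidate, blocklist=BLOCKLIST, context_words=CONTEXT_WORDS):
    """Return (accepted, reason). Length, blocklist, context and patterns only."""
    pw = unicodedata.normalize("NFKC", candidate)   # 800-63B: normalise before counting
    if len(pw) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    if len(pw) > MAX_LENGTH:
        return False, f"longer than {MAX_LENGTH} characters"
    core = normalize_for_blocklist(pw)
    if core in blocklist or pw.lower() in blocklist:
        return False, f"variant of blocklisted word {core!r}"
    for word in context_words:
        if word in core:
            return False, f"contains context-specific word {word!r}"
    if longest_run(pw, 0) >= 4:
        return False, "repetitive characters"
    if longest_run(pw, 1) >= 4 or longest_run(pw, -1) >= 4:
        return False, "sequential characters"
    return True, "ok"


if __name__ == "__main__":
    for pw in ["P@ssw0rd1!", "Summer2024!", "Acme2024!", "aaaaaaaa", "12345678",
               "short1!", "correct horse battery staple", "Tr0ub4dor&3"]:
        ok, why = check_password(pw)
        print(f"{'accept' if ok else 'reject':7} {pw!r}: {why}")
```

Note what the check does not do: it never asks for a capital letter, a digit or a symbol, and it happily accepts spaces. "Tr0ub4dor&3" passes here only because the constructed blocklist is tiny; against a real breached-password corpus it would not, which is the point of using one.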
The hardest part of fixing a bad password policy is usually organizational politics, not technology. Someone, somewhere, is emotionally attached to the 90-day rotation because they implemented it in 2009 and nothing bad happened on their watch. That is not the same thing as it working. Be kind, bring data, and fix it anyway.
Your users are not the problem. Your policy is.