Your Password Policy Is Probably Failing. Here Is What to Do Instead

Forced password changes every 90 days. Minimum eight characters. Must include an uppercase letter, a number, and a special character. Sound familiar? This policy exists in thousands of organisations and achieves remarkably little. Users respond predictably: they pick a base word, capitalise the first letter, append a number and an exclamation mark, then increment the number each quarter. Password1! becomes Password2! becomes Password3! and so on.

Attackers know these patterns intimately. Credential stuffing tools account for common substitutions and incremental changes. The policy that was supposed to strengthen security instead creates predictable, crackable passwords across the entire workforce.

What Actually Works

The National Cyber Security Centre updated its guidance years ago, recommending longer passphrases over complex short passwords and eliminating mandatory rotation unless a breach is suspected. Despite this, many UK organisations cling to outdated policies because they have always done it that way.

William Fieldhouse, Director of Aardwolf Security Ltd, comments: “During password auditing exercises, we routinely crack over 60 percent of an organisation’s Active Directory hashes within the first hour. The vast majority follow the same predictable patterns. Switching to a minimum 14-character passphrase policy with breach detection integration makes a far bigger difference than any complexity rule ever has.”

Testing Your Authentication Controls

Password policy is only one piece of the authentication puzzle. Web application penetration testing examines how login pages handle brute-force attempts, whether account lockout mechanisms actually trigger, and how password reset flows behave under attack. Weak reset processes can hand an attacker full account access regardless of how strong the original password was.

On the infrastructure side, external network penetration testing reveals whether password-protected services like VPN gateways, SSH endpoints, and remote administration panels can be brute-forced from the internet. Default credentials on network devices remain a persistent problem, particularly on hardware that was installed years ago and never revisited.

Practical Improvements

Implement a banned password list that blocks commonly breached credentials. Enforce multi-factor authentication on all internet-facing services and privileged internal accounts. Consider passwordless authentication using FIDO2 security keys for high-risk users.

Research consistently shows that a 14-character passphrase without complexity requirements resists cracking far better than an 8-character password with enforced complexity. Users also remember passphrases more easily, which reduces helpdesk calls and eliminates the sticky notes on monitors that undermine every other security control in the building.

Password spraying attacks, where attackers try a small number of common passwords against every account in an organisation, succeed precisely because complexity policies push users towards predictable choices. A longer minimum length with no complexity requirement produces more varied and less guessable passwords across the board.
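The reason spraying slips past the usual controls is that a per-account lockout counts failures per user, and a spray produces only one or two failures per user. Detecting it needs a per-source rule: one source address failing against many distinct accounts inside a short window. The following is an added example written for this article (not code from the author or from Aardwolf Security) that runs both rules over a constructed log excerpt in an assumed `src=… user=… result=…` format, and then flags the finding that matters most, a sprayed source that subsequently logs in successfully:

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from any real system). One source
# tries a single guess across many accounts and gets in as "grace"; a second
# hammers "admin"; a third is an ordinary user who mistypes once.
SAMPLE_LOG = """\
2024-03-04T09:00:01Z src=203.0.113.7 user=alice result=FAIL
2024-03-04T09:00:03Z src=203.0.113.7 user=bob result=FAIL
2024-03-04T09:00:05Z src=203.0.113.7 user=carol result=FAIL
2024-03-04T09:00:07Z src=203.0.113.7 user=dave result=FAIL
2024-03-04T09:00:09Z src=203.0.113.7 user=erin result=FAIL
2024-03-04T09:00:11Z src=203.0.113.7 user=frank result=FAIL
2024-03-04T09:00:13Z src=203.0.113.7 user=grace result=OK
2024-03-04T09:01:00Z src=198.51.100.9 user=admin result=FAIL
2024-03-04T09:01:01Z src=198.51.100.9 user=admin result=FAIL
2024-03-04T09:01:02Z src=198.51.100.9 user=admin result=FAIL
2024-03-04T09:01:03Z src=198.51.100.9 user=admin result=FAIL
2024-03-04T09:01:04Z src=198.51.100.9 user=admin result=FAIL
2024-03-04T09:01:05Z src=198.51.100.9 user=admin result=FAIL
2024-03-04T09:02:00Z src=192.0.2.5 user=henry result=FAIL
2024-03-04T09:02:09Z src=192.0.2.5 user=henry result=OK
"""

# Assumed log format for this example; adapt the pattern to your own source.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Parse the constructed log format into event dicts, oldest first; skip junk lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "src": m["src"], "user": m["user"], "result": m["result"],
        })
    return sorted(events, key=lambda e: e["ts"])


def detect_bruteforce(events, threshold=5):
    """The classic lockout-style rule: many failures against a single account."""
    fails = Counter((e["src"], e["user"]) for e in events if e["result"] == "FAIL")
    return {key: n for key, n in fails.items() if n >= threshold}


def detect_spraying(events, window=timedelta(minutes=10), min_accounts=5, max_per_account=2):
    """Per-source rule: one source fails against many distinct accounts, each only
    a few times, within one sliding window. Per-account lockout never fires on
    this shape, which is exactly why it needs its own detection."""
    by_src = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            by_src[e["src"]].append(e)
    alerts = {}
    for src, fails in by_src.items():
        start = 0
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            per_user = Counter(e["user"] for e in fails[start:end + 1])
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                best = alerts.get(src)
                if best is None or len(per_user) > best["accounts"]:
                    alerts[src] = {"accounts": len(per_user),
                                   "max_per_account": max(per_user.values()),
                                   "window_end": fails[end]["ts"]}
    return alerts


def successes_after_spray(events, spray_alerts):
    """Highest-priority finding: a flagged source later authenticates successfully."""
    hits = defaultdict(list)
    for e in events:
        alert = spray_alerts.get(e["src"])
        if alert and e["result"] == "OK" and e["ts"] >= alert["window_end"]:
            hits[e["src"]].append(e["user"])
    return dict(hits)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    spray = detect_spraying(evs)
    print("brute force:", detect_bruteforce(evs))
    print("spraying:", spray)
    print("spray followed by success:", successes_after_spray(evs, spray))
```

Run against the sample, the brute-force rule fires only on 198.51.100.9 against `admin`, the spraying rule fires only on 203.0.113.7 (six accounts, one failure each), and the ordinary user at 192.0.2.5 trips neither. The thresholds are starting points; tune `min_accounts` and `window` against your own baseline of failed logins, and treat a successful login from a flagged source as an incident rather than an alert.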

Credential monitoring services that check employee passwords against known breach databases provide an additional layer of defence. If a staff member reuses their corporate password on a third-party website that suffers a breach, you can force a reset before attackers try that credential against your VPN gateway or webmail portal.
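Putting the practical improvements above together, a password-acceptance check needs four things: a length floor (14 characters here, matching the article) with no character-class rules, a banned list that catches base words regardless of the trailing digit and symbol, a rejection of trivial variants of the previous password (the Password1! to Password2! pattern from the opening), and a lookup against a breach corpus. The block below is an added example for this article, not code from the author or from Aardwolf Security. The breach lookup simulates a k-anonymity range query, where only the first five hex characters of the password's SHA-1 leave the client, against a small constructed corpus; the banned list and corpus contents are made up for the example:

```python
import hashlib
import re
from typing import Optional

MIN_LENGTH = 14

# Constructed banned list of base words (in practice: top-N breached passwords,
# the organisation's own name, product names, local sports teams, seasons).
BANNED_BASE_WORDS = {
    "password", "welcome", "letmein", "qwerty", "summer", "winter", "examplecorp",
}

# Constructed stand-in for a breach corpus, held as upper-case SHA-1 hex digests
# in the layout a k-anonymity range service uses. SHA-1 is used here only to
# match that lookup format; it is not how passwords should be stored.
BREACH_CORPUS_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ["Password1!", "Password2!", "Winter2023!", "correct horse battery staple"]
}


def _normalise(password: str) -> str:
    """Lower-case and strip trailing digits/punctuation, so 'Password2!' -> 'password'."""
    return re.sub(r"[\d\W_]+$", "", password.lower())


def range_lookup(prefix: str) -> list:
    """Simulated range query: every corpus hash suffix whose digest starts with
    the 5-character prefix. The full password, and its full hash, never leave
    the client; the service sees only the prefix."""
    return [h[5:] for h in BREACH_CORPUS_SHA1 if h.startswith(prefix)]


def is_breached(password: str) -> bool:
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return suffix in range_lookup(prefix)


def validate_password(password: str, previous: Optional[str] = None) -> list:
    """Return the list of policy failures; an empty list means the password is accepted.
    Deliberately no uppercase/digit/symbol requirement: length and blocklists do the work."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in BANNED_BASE_WORDS or _normalise(password) in BANNED_BASE_WORDS:
        problems.append("on the banned password list")
    if previous is not None and _normalise(password) == _normalise(previous):
        problems.append("trivial variant of the previous password")
    if is_breached(password):
        problems.append("appears in a known breach corpus")
    return problems


if __name__ == "__main__":
    for candidate, prev in [
        ("Password3!", None),
        ("Password2!", "Password1!"),
        ("correct horse battery staple", None),
        ("purple kettle orbit lantern", None),
    ]:
        print(repr(candidate), "->", validate_password(candidate, prev) or "accepted")
```

Note that a long passphrase is still rejected when it sits in the corpus, and a variant like Password2! fails on all four counts at once. For production use, replace `range_lookup` with a call to a real range API (the same prefix-only pattern), run the breach check both at password-set time and on a schedule, and store the password itself with a slow, salted hash such as Argon2 or bcrypt rather than SHA-1.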

Stop measuring password security by complexity rules alone. Measure it by testing whether your current policies and controls actually resist the attacks that real threat actors use. That is the only metric that matters.
