Why Your Password Policy Needs More Than Complexity Requirements

Your password policy probably requires uppercase letters, lowercase letters, numbers, and special characters. You might enforce a minimum length of eight or twelve characters. You might even require users to change their passwords every 90 days. And none of that is stopping attackers from cracking your users’ credentials.

Complexity requirements create an illusion of security. Users respond to them predictably. They capitalise the first letter, add a number and exclamation mark at the end, and increment the number every time they’re forced to change. Attackers know this pattern intimately, and their cracking dictionaries are built around it.

What the Research Actually Shows

NIST updated its password guidance several years ago, and the recommendations diverge sharply from what most organisations implement. NIST now recommends longer passphrases over complex short passwords, removing mandatory rotation unless there’s evidence of compromise, and screening passwords against known breached lists.

The reasoning is straightforward. A 20-character passphrase made of common words is both harder to crack and easier to remember than an eight-character string of random characters. And forced rotation encourages the predictable patterns that make passwords easy to guess.

William Fieldhouse, Director of Aardwolf Security Ltd, comments: “The first thing we do during an internal assessment is attempt offline password cracking against the Active Directory hash database. Complexity requirements alone don’t prevent users from choosing predictable patterns like Company2026! or Summer2025. We crack a significant percentage of passwords in every single engagement.”

Breached Password Detection

The single most impactful improvement you can make to your password policy is screening new passwords against databases of known breached credentials. If a user tries to set a password that has appeared in a previous data breach, block it.

Services like Have I Been Pwned provide APIs that allow you to check passwords against billions of compromised credentials without transmitting the actual password. Integrating this into your Active Directory password change process catches the passwords that complexity requirements miss entirely.
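The "without transmitting the actual password" part works through k-anonymity: the client hashes the password with SHA-1, sends only the first five hex characters of the hash to the `range` endpoint, and receives every suffix the service holds for that prefix, matching the rest locally. The following Python is an added example written for this article, not code from Have I Been Pwned or from Aardwolf Security; the endpoint `https://api.pwnedpasswords.com/range/` and the `Add-Padding` header are HIBP's documented interface, while the sample response body and its counts are constructed so the check can run offline.

```python
"""k-anonymity breached-password check in the style of the HIBP range API.

Added example. Only the 5-character SHA-1 prefix ever leaves the client;
the matching of the 35-character suffix happens locally.
"""
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real HIBP endpoint


def sha1_split(password: str) -> Tuple[str, str]:
    """Return (prefix, suffix): the first 5 and remaining 35 hex chars of SHA-1."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> Dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines a range lookup returns into a dict."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.strip().upper()] = int(count.strip())
    return counts


def fetch_range(prefix: str, timeout: float = 5.0) -> str:
    """Network fetcher: ask HIBP for every suffix under this 5-char prefix.
    Add-Padding asks the service to include dummy zero-count rows so the
    response size does not leak which prefix bucket was requested."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"User-Agent": "example-password-screen", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch: Callable[[str], str] = fetch_range) -> int:
    """How many times the password appears in the breach corpus (0 = not seen).
    `fetch` is injectable so the logic can be tested without network access."""
    prefix, suffix = sha1_split(password)
    return parse_range(fetch(prefix)).get(suffix, 0)


# --- Constructed offline sample (not real HIBP data) -------------------------
# SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, so its prefix
# bucket is 5BAA6. The counts below are made up for the example.
SAMPLE_RANGES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824\n"
        "0000000000000000000000000000000AAAA:0\n"   # padding-style zero row
        "1F2E3D4C5B6A79889706050403020100FFF:12\n"
    ),
}


def sample_fetch(prefix: str) -> str:
    """Offline stand-in for fetch_range using the constructed table."""
    return SAMPLE_RANGES.get(prefix, "")


def should_reject(password: str, fetch: Callable[[str], str] = fetch_range) -> bool:
    """Policy decision: any appearance in a breach corpus blocks the password."""
    return breach_count(password, fetch) > 0


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        seen = breach_count(candidate, fetch=sample_fetch)
        print(f"{candidate!r}: seen {seen} times, reject={seen > 0}")
```

Wiring this into an Active Directory password change typically means calling the same check from a password filter or a pre-change hook; the important property to preserve is that only `prefix` is sent, never the password or its full hash.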

Testing Your Password Security

During internal network penetration testing, testers attempt to crack Active Directory password hashes using the same techniques and tools attackers employ. The percentage of passwords cracked within the first few hours provides a clear measure of how effective your password policy actually is.

Engaging a penetration testing company for regular assessments that include password security testing gives you ongoing visibility into this critical control. If testers are cracking 40% of your passwords, your policy isn’t working, regardless of what it says on paper.

Practical Recommendations

Set a minimum length of at least 14 characters. Encourage passphrases. Remove forced rotation schedules unless compromise is suspected. Implement breached password checking. And layer multi-factor authentication on top of everything.
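The recommendations above translate into a small set of checks that can run at password-set time: a 14-character floor, rejection of the capitalised-word-plus-digits-plus-symbol shape the article describes, and a breached-password lookup. This Python is an added example, not the article's or any vendor's code; the breached set is constructed from three made-up passwords so it runs offline, and in production the `is_breached` callback would be backed by a real breach corpus lookup instead.

```python
"""NIST-style password screening: length, predictable shape, breach status.

Added example. MIN_LENGTH follows the article's recommendation; the regex
encodes the 'Capitalised word + number + symbol' pattern the article says
complexity rules push users toward.
"""
import hashlib
import re
from typing import Callable, List

MIN_LENGTH = 14

# Constructed breached set: SHA-1 of a few example passwords. A real deployment
# would consult a breach corpus (e.g. an HIBP range lookup) instead.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("password", "Password1!", "Company2026!")
}

# One capital letter, lowercase word, 1-4 digits, optional trailing symbol.
PREDICTABLE_SHAPE = re.compile(r"^[A-Z][a-z]+\d{1,4}[!@#$%^&*]?$")


def is_breached_locally(password: str) -> bool:
    """Breach check against the constructed set above."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest in BREACHED_SHA1


def evaluate_password(
    password: str,
    is_breached: Callable[[str], bool] = is_breached_locally,
) -> List[str]:
    """Return the list of reasons to reject; an empty list means accept.
    All checks run so the user sees every problem at once."""
    reasons: List[str] = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if PREDICTABLE_SHAPE.match(password):
        reasons.append("matches the capitalised-word + number + symbol pattern")
    if is_breached(password):
        reasons.append("appears in a known breach")
    return reasons


def is_acceptable(password: str) -> bool:
    return not evaluate_password(password)


if __name__ == "__main__":
    for candidate in ("Summer2025", "Company2026!", "correct horse battery staple"):
        verdict = evaluate_password(candidate)
        print(f"{candidate!r}: {'accept' if not verdict else 'reject: ' + '; '.join(verdict)}")
```

Note what is deliberately absent: there is no uppercase/digit/symbol requirement and no expiry date. Length, shape and breach status are the checks that actually change cracking outcomes; the character-class rules are what produce `Summer2025!` in the first place.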

Passwords aren’t going away anytime soon, despite predictions to the contrary. Making them harder to crack while easier for your users to manage is the practical path forward.