One fine Tuesday morning, I was busy doing a control review of a high risk ERP system.
I went to the System Administrator’s desk and asked if she could show me around the system, so I could see how the system worked.
“Sure! No problem at all” she enthusiastically answered.
She then proceeded to flip her keyboard over and pull a sticky note from it. She then logged in to the system using the series of characters written on the sticky note as the password.
I stared at that sticky note a moment longer than was probably professional…
When I asked her (very politely) why she had written down her password for such a high-risk system, she very matter-of-factly told me that she simply could not remember the complex password, and that if she entered the wrong password more than three times, the system would lock her out.
The organisation had a very expensive firewall, sophisticated XDR systems, and some of the strongest encryption possible. But all that meant nothing if someone could get their hands on that sticky note with the very complex password on it...
The Illusion of Complexity
For decades, the logic seemed sound. Make passwords harder to type, and they become harder to crack. Add a capital letter, a number, a symbol. Rotate them regularly so even if someone gets hold of one, it expires before they can do much damage.
The problem is that logic ignored the human on the other end of the keyboard.
When you tell people their password must contain a capital letter, about 60% of them capitalise the first letter. When you tell them to add a number, most add it to the end. When you demand a special character, they reach for the exclamation mark. Every time.
So instead of "password," you get "Password1!" Across millions of accounts. Predictably.
Modern cracking tools such as hashcat and John the Ripper are not sitting there guessing randomly. They take a wordlist and run rule-based attacks built specifically around human habits: swap the 'a' for '@', swap the 'o' for '0', capitalise the first letter, append '123' or '!'. These substitutions ship as the tools' default rule files because attackers studied the same human behaviour we ignored when we wrote the policy. A wordlist of a few hundred thousand words multiplied by a few thousand rules is a search space of a few hundred million guesses, which a single GPU exhausts in seconds against an unsalted fast hash.
And Then We Made It Worse
Password fatigue is not a personality flaw. It is a predictable outcome of asking people to remember an impossible number of arbitrary strings that expire before they become second nature.
Research puts password reuse somewhere between 80% and 85% across accounts. People are not doing this because they are careless. They are doing it because the system we designed left them no other rational choice.
The sticky note on the monitor. The spreadsheet labelled "definitely not passwords.xlsx". The "Forgot my password" link clicked so often it might as well be the login button. These are not security failures on the part of the user. They are the entirely predictable results of a policy that treated memory as infinitely elastic.
Length Wins. Every Time.
Here is where the maths gets interesting.
Password strength is measured in entropy: how unpredictable a password is, expressed in bits, where every extra bit doubles the number of guesses an attacker has to work through. Each character you add multiplies the search space by the size of the alphabet, so the number of combinations grows exponentially with length. Widening the alphabet on a short password adds far less than most people assume: going from 26 lowercase letters to all 95 printable ASCII characters is worth under 2 bits per character, and it buys nothing at all when the "complexity" is a predictable substitution that the cracker's rule file already contains.
Consider the difference between these two passwords: "P@ssw0rd1!" and "correct-horse-battery-staple". The first one ticks every box on a traditional complexity policy. The second is four common dictionary words strung together with hyphens (the passphrase made famous by the xkcd comic of the same name). By traditional rules, the first looks stronger. By the actual maths, it is not even close.
On paper, "P@ssw0rd1!" is 10 characters drawn from a 95-symbol alphabet, about 66 bits, which would take years to brute-force. But nobody brute-forces it, because it is the word "password" with three predictable rules applied: a capital first letter, the '@' and '0' swaps, and a '1!' suffix. Under the rule-based model attackers actually use, it is one of a few million candidates, roughly 22 bits, and it falls out of a stolen hash database in seconds, faster still if the database was hashed with an older, unsalted algorithm such as MD5 or NTLM, which happens more often than organisations would like to admit. "correct-horse-battery-staple" is 28 characters. Brute-forced character by character it is over 130 bits, well beyond any realistic attack horizon. Even if the attacker knows it is exactly four words drawn from a 2,048-word list (the xkcd working), it is 44 bits, about four million times the work of the mangled word, and every additional word multiplies that work by the dictionary size again. The honest caveat is that 44 bits against a fast unsalted hash is minutes on a GPU, so the passphrase still wants a slow, salted hash such as bcrypt or Argon2 behind it, and a fifth or sixth word costs the user very little.
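To make the arithmetic concrete, here is an added example (not code from the original post) that builds the rule-based attack from the "Illusion of Complexity" section above and then works through the entropy figures for both passwords. The word list, rule groups and per-GPU guess rates are constructed assumptions chosen to be the right order of magnitude, not measurements from any real cracking run.

```python
"""Added example (not from the original post): the rule-based attack
described in the text, plus the entropy arithmetic behind the two
passwords.  The word list, rule set and hash rates are constructed
assumptions chosen to be the right order of magnitude, not measurements."""
import math
from itertools import product

# Constructed mini word list; real attacks use lists with millions of entries.
WORDLIST = ["password", "welcome", "summer", "letmein", "dragon"]

# Rule groups modelled on hashcat/John mangling rules.  A rule attack tries
# every combination of one entry from each group against every word.
LEET = str.maketrans({"a": "@", "o": "0", "e": "3", "i": "1", "s": "$"})
CASE_RULES = [
    lambda w: w,                          # leave as typed
    lambda w: w[:1].upper() + w[1:],      # capitalise the first letter
]
SUBST_RULES = [
    lambda w: w,                          # no substitution
    lambda w: w.replace("a", "@").replace("o", "0"),  # the two most common swaps
    lambda w: w.translate(LEET),          # full leet-speak
]
SUFFIXES = ["", "1", "123", "!", "1!", "2024", "2024!"]  # the year and '!' habits

def mangle(word):
    """Yield every candidate the rule set derives from one base word."""
    for case, subst, suffix in product(CASE_RULES, SUBST_RULES, SUFFIXES):
        yield subst(case(word)) + suffix

def candidate_space(words):
    """The complete set of guesses for a word list under these rules."""
    return {cand for word in words for cand in mangle(word)}

def rule_attack_bits(n_words):
    """Effective entropy of a mangled dictionary word: log2(words * rule combinations)."""
    combos = len(CASE_RULES) * len(SUBST_RULES) * len(SUFFIXES)
    return math.log2(n_words * combos)

def brute_force_bits(length, alphabet_size):
    """Entropy if the attacker must try every string of this length and alphabet."""
    return length * math.log2(alphabet_size)

def passphrase_bits(n_words, dictionary_size):
    """Entropy if the attacker knows the dictionary and the word count."""
    return n_words * math.log2(dictionary_size)

def crack_seconds(bits, guesses_per_second):
    """Worst-case time to exhaust a space of 2**bits guesses."""
    return 2 ** bits / guesses_per_second

def human(seconds):
    """Render a duration in the largest sensible unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.4f} seconds"

# Assumed guess rates for one GPU (order of magnitude only).
FAST_HASH = 1e11   # unsalted MD5 / NTLM
SLOW_HASH = 1e4    # bcrypt / Argon2 with a sensible cost factor

def compare():
    """Return (label, bits) rows for the attacker models discussed in the text."""
    return [
        ('"P@ssw0rd1!" as a 10-char, 95-symbol brute force', brute_force_bits(10, 95)),
        ('"P@ssw0rd1!" as "password" + rules, 100k-word list', rule_attack_bits(100_000)),
        ('4 words from a known 2,048-word list (xkcd working)', passphrase_bits(4, 2048)),
        ('5 words from a 7,776-word Diceware list', passphrase_bits(5, 7776)),
        ('"correct-horse-battery-staple" as a 28-char, a-z+hyphen brute force', brute_force_bits(28, 27)),
    ]

if __name__ == "__main__":
    space = candidate_space(WORDLIST)
    print(f'{len(WORDLIST)} words x rules -> {len(space)} guesses; '
          f'"P@ssw0rd1!" included: {"P@ssw0rd1!" in space}')
    for label, bits in compare():
        print(f"{bits:6.1f} bits  fast hash: {human(crack_seconds(bits, FAST_HASH)):>22}  "
              f"slow hash: {human(crack_seconds(bits, SLOW_HASH)):>22}  {label}")
```

The point the table makes when run is that the 66-bit figure for "P@ssw0rd1!" is a fiction: the attacker who models it as a mangled dictionary word faces about 22 bits. The four-word passphrase at 44 bits is minutes against the fast hash but decades against the slow one, and a fifth Diceware word pushes it past the naive brute-force figure of the "complex" password under either hash.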
The passphrase is also easier to type correctly on the first attempt. And easier to remember without flipping your keyboard over.
Length beats complexity. Every time. The entropy does not lie.
NIST Finally Said It Out Loud
The National Institute of Standards and Technology (NIST, the US standards body whose digital identity guidelines are widely adopted as the benchmark for authentication practice) released updated guidelines in SP 800-63B Revision 4. And they said, in fairly plain language, what practitioners have known for years.
Stop imposing arbitrary composition rules: verifiers "shall not" require a mix of special characters, casing and numbers. Stop mandating regular password rotations: verifiers "shall not" require periodic changes, and passwords should only be changed when there is actual evidence of compromise, not because 90 days have elapsed on a calendar.
The new minimum is 8 characters when the password is one factor of a multi-factor login, and 15 when it is the only authenticator on the account. Verifiers must also accept passwords of at least 64 characters, so that minimum should be a floor, not a target.
Two other changes worth noting: verifiers must check new passwords against a blocklist of known breached credentials, common dictionary words and context-specific words such as the service or user name, rejecting those choices at the point of creation. And security questions, such as "What was the name of your first pet?", are out. They were never a meaningful control. They were a social engineering shortcut dressed up as security.
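As an added example (not code from the post or from NIST), here is what an acceptance check shaped by those rules looks like in practice: a length floor that depends on whether the password is the only factor, no composition rules at all, NFKC normalisation, and a blocklist comparison that also catches the mangled variants of blocklisted words. The blocklist, the sample passwords and the username are constructed; a real deployment would load a breached-password corpus (for example via the Have I Been Pwned range API) instead.

```python
"""Added example (not from the original post or from NIST): a password
acceptance check shaped by the SP 800-63B rules described above.  The
blocklist and sample inputs are constructed stand-ins; production code
would load a breached-password corpus instead."""
import re
import unicodedata

MIN_LEN_SINGLE_FACTOR = 15   # password is the only authenticator
MIN_LEN_WITH_MFA = 8         # password is one factor of several
MAX_LEN = 256                # SP 800-63B requires accepting at least 64; cap only to bound hashing cost

# Constructed blocklist: breached values, dictionary words and context-specific
# words (company name, product, year).  All entries are casefolded.
BLOCKLIST = {
    "password", "password1!", "p@ssw0rd1!", "letmein", "qwerty123", "welcome",
    "correct-horse-battery-staple",   # the famous example is in every wordlist now
    "acmecorp", "acme2024", "erpadmin",
}

# Reverse of the habits in the cracker's rule files: strip the trailing
# digits/symbols people append and undo common leet swaps.
UNLEET = str.maketrans({"@": "a", "0": "o", "3": "e", "1": "i", "$": "s", "4": "a"})
TRAILING_JUNK = re.compile(r"[\W\d_]+$")

def normalize(pw):
    """NFKC-normalise so the same visible string always hashes the same way
    (SP 800-63B recommends NFKC or NFKD before hashing)."""
    return unicodedata.normalize("NFKC", pw)

def demangle(pw):
    """Casefold, drop the trailing suffix, reverse leet: 'P@ssw0rd1!' -> 'password'."""
    return TRAILING_JUNK.sub("", pw.casefold()).translate(UNLEET)

def check_password(pw, *, single_factor=True, username=None, blocklist=BLOCKLIST):
    """Return an empty list if the password is acceptable, else the reasons.
    Deliberately absent: any requirement for uppercase, digits or symbols."""
    pw = normalize(pw)
    reasons = []
    min_len = MIN_LEN_SINGLE_FACTOR if single_factor else MIN_LEN_WITH_MFA
    if len(pw) < min_len:
        reasons.append(f"shorter than the {min_len}-character minimum")
    if len(pw) > MAX_LEN:
        reasons.append(f"longer than the {MAX_LEN}-character cap")
    # Compare both the literal value and its de-mangled form; the second check
    # is stricter than the standard requires but catches 'Welcome2024!'-style
    # variants of blocklisted words.
    if {pw.casefold(), demangle(pw)} & blocklist:
        reasons.append("matches a breached or common password, directly or after undoing common substitutions")
    if username and username.casefold() in pw.casefold():
        reasons.append("contains the account's username")
    return reasons

# Constructed samples: (password, password is the only factor, username)
SAMPLES = [
    ("P@ssw0rd1!", True, "alice"),                            # passes every composition rule; fails here
    ("Welcome2024!", True, "alice"),                          # mangled dictionary word, and too short
    ("correct-horse-battery-staple", True, None),             # long, but blocklisted
    ("alice-is-the-admin-here", True, "alice"),               # contains the username
    ("quiet lamp 9", False, "bob"),                           # 12 chars is fine as one factor of MFA
    ("my cat knocks the printer off the desk", True, "bob"),  # long, memorable, accepted
]

if __name__ == "__main__":
    for pw, single, user in SAMPLES:
        verdict = check_password(pw, single_factor=single, username=user)
        print(f"{pw!r:42} -> {'OK' if not verdict else '; '.join(verdict)}")
```

Note what is not in the function: nothing rejects a password for lacking a capital letter or a symbol, and spaces are accepted, so the 38-character sentence passes while the 10-character "complex" password is refused twice over.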
What This Means If You're in GRC
If you are still enforcing a 90-day rotation policy because it is in the framework, it is time to revisit the framework.
NIST's updated guidance is not a fringe opinion. It is the new benchmark, and auditors are starting to treat it that way. Policies built around legacy complexity rules are increasingly hard to defend when the evidence runs in the opposite direction.
The practical path forward looks like this: push for longer minimum lengths. Remove composition rules that exist to satisfy a checkbox rather than improve security. Implement breached-credential checking at the point of account creation and password change. Kill mandatory rotations and replace them with compromise-triggered resets. And look at the lockout threshold that produced the sticky note in the first place: NIST asks for throttling of failed attempts, not a hard lock after three.
And if someone on your team still has a sticky note on their monitor, maybe that is the actual finding worth writing up.
p.s. if you think someone else you know may like this newsletter, please share it with them.
