Organizations of all kinds look to regulatory recommendations and standards for guidance on constructing a secure password policy for their networks. However, new research shows that regulatory password complexity and construction recommendations are insufficient.