Evaluate password policies against NIST SP 800-63B and security best practices — length, complexity, rotation.