If a new employee uses a default weak password and must change it on first login, which password policy is likely missing?

Study for the CompTIA Cloud+ exam. Enhance your skills with flashcards and multiple choice questions, each supported by hints and explanations. Prepare effectively for your certification!

Multiple Choice

If a new employee uses a default weak password and must change it on first login, which password policy is likely missing?

Explanation:
Enforcing password complexity keeps passwords from being easily guessable by requiring a mix of character types (uppercase, lowercase, numbers, symbols). If a new employee can log in with a default weak password and is only asked to change it on first login, it suggests there’s no policy requiring that passwords meet complexity rules. The first-login change helps avoid the exact default credential, but without complexity requirements, the new password could still be weak. A minimum length policy would help only to a point, since even longer passwords can be simple if they lack character variety. Password history and account lockout address other security concerns (reusing old passwords and resisting brute-force attempts) but don’t directly prevent the use of a weak password at initial setup. So the missing policy is one that enforces password complexity to ensure unpredictability and strength.
