Stop Rotating Passwords

The practice of rotating passwords is hurting security, not helping.

For years, companies have asked employees to change their passwords every few months, believing it would improve security. The idea sounded reasonable, but research has shown it actually does more harm than good.

When people are forced to change passwords often, they rarely create something new. Most just make small, predictable changes like adding a number, replacing a letter with a symbol, or adding an exclamation mark. Studies from the University of North Carolina and others found that attackers can guess these new passwords from old ones with only a few tries.

The National Institute of Standards and Technology (NIST) recognized this and updated its guidelines (SP 800-63B). NIST now advises that passwords should only be changed when there is evidence of compromise, not on a fixed schedule.

Why This Old Policy Is Outdated

  • People create predictable password patterns.
  • Frequent resets frustrate users.
  • IT teams waste time on constant reset requests.

What Organizations Should Do Instead

  • Use long, strong passphrases that are easier to remember.
  • Turn on multi-factor authentication for all critical accounts.
  • Check passwords against known breach databases.
  • Only require a password change when you believe it has been compromised.
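As an added illustration of the breach-database check recommended above (not code from the original post), here is the k-anonymity scheme used by Have I Been Pwned's Pwned Passwords range API: the client hashes the candidate password with SHA-1 and sends only the first five hex characters, then compares the returned suffixes locally, so the full hash never leaves the client. The breach corpus, the range index and the minimum-length value are constructed stand-ins for this example.

```python
import hashlib

# Constructed sample of breached passwords with occurrence counts, standing in
# for a real corpus. In production the range index is served by the breach
# database; it is built locally here only so the example runs offline.
BREACHED_SAMPLE = {
    "password": 3_000_000,
    "Password1!": 45_000,
    "letmein": 120_000,
    "Summer2023!": 800,
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus: dict[str, int]) -> dict[str, dict[str, int]]:
    """Group breached hashes by 5-character prefix, as a range endpoint would."""
    index: dict[str, dict[str, int]] = {}
    for pw, count in corpus.items():
        digest = sha1_hex(pw)
        index.setdefault(digest[:5], {})[digest[5:]] = count
    return index


RANGE_INDEX = build_range_index(BREACHED_SAMPLE)


def lookup_range(prefix: str) -> dict[str, int]:
    """Stand-in for the network range query: only the 5-char prefix is sent."""
    assert len(prefix) == 5
    return RANGE_INDEX.get(prefix, {})


def breach_count(password: str) -> int:
    """Number of times the password appears in the breach corpus (0 if never)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    # The suffix comparison happens client-side, so the server learns only the prefix.
    return lookup_range(prefix).get(suffix, 0)


def is_acceptable(password: str, min_length: int = 15) -> tuple[bool, str]:
    """Policy check: long enough and absent from breach data (min_length is an assumed value)."""
    if len(password) < min_length:
        return False, "too short"
    if (n := breach_count(password)) > 0:
        return False, f"seen in breach data {n} times"
    return True, "ok"
```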

Password rotation is an outdated habit. Modern security is about smarter authentication, not more frequent frustration.
