Changing Passwords Periodically Does Not Increase Security


While some organizations and financial websites require new passwords be created periodically, this practice is no longer recommended—and in fact, password expiration policies are now discouraged.

The rationale behind such policies was that a stolen password would keep working only for a limited period of time, so an attacker could remain undetected only until the password had to be changed.

Over time, security experts realized the problem was actually rooted in allowing users to set weak passwords that could be guessed or cracked. When users know they will have to change their passwords, they often choose weaker passwords, perhaps by tweaking a previous password for easier memorization. Attackers know this, too, and have become adept at predicting the next password from the previous one. Thus, attempting to increase security by requiring users to change passwords paradoxically reduces security instead.

The National Institute of Standards and Technology (NIST) is a U.S. government agency that develops cybersecurity standards and best practices for the federal government, and large corporations and other institutions tend to follow its recommendations as well. In 2017, the NIST changed its guidelines to say, “Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically).” In a list of FAQs, the NIST explains:

“Users tend to choose weaker memorized secrets when they know that they will have to change them in the near future. When those changes do occur, they often select a secret that is similar to their old memorized secret by applying a set of common transformations, such as increasing a number in the password. This practice provides a false sense of security if any of the previous secrets have been compromised since attackers can apply these same common transformations.”

(Of course, when there is evidence of unauthorized access or a breach of the password database, all passwords should be invalidated, and everyone should be required to create a new password immediately.)

In addition, the NIST does not recommend password composition requirements either: users tend to devise predictable techniques to meet such requirements (like adding an exclamation point to every password). Rather, the NIST encourages longer passwords, as long passwords that are easily remembered can be stronger than shorter passwords composed of random characters.
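As an added illustration that is not part of the original article, here is a defender-side check a verifier could run at password-change time, when the user has just supplied the current password, to reject a new password that is merely one of the “common transformations” the NIST FAQ describes (bumping a number, appending an exclamation point, changing case, leetspeak). The substitution table and the similarity threshold are assumptions chosen for this example.

```python
import re
from difflib import SequenceMatcher

# Common letter-for-symbol substitutions a verifier should see through (assumed list).
LEET = str.maketrans({"@": "a", "4": "a", "$": "s", "5": "s", "!": "i",
                      "1": "l", "0": "o", "3": "e", "7": "t"})


def canonical(pw: str) -> str:
    """Reduce a password to its memorable 'core': lowercase, drop leading/trailing
    digits and symbols (the part users bump from 2023 to 2024 or suffix with '!'),
    then undo common substitutions so P@ssw0rd and Password compare equal."""
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower())
    return core.translate(LEET)


def is_trivial_variant(old: str, new: str, min_ratio: float = 0.8) -> bool:
    """True when `new` is a predictable transformation of `old`: case change,
    reversal, incremented or appended digits/symbols, leetspeak, or simply a
    string that shares most of its characters in order with the old one.
    `min_ratio` is an assumed similarity threshold for that last rule."""
    lo, ln = old.lower(), new.lower()
    if ln == lo or ln == lo[::-1]:
        return True
    co, cn = canonical(old), canonical(new)
    if co and co == cn:          # same core, different decoration
        return True
    return SequenceMatcher(None, lo, ln).ratio() >= min_ratio


def password_change_allowed(old: str, new: str) -> tuple[bool, str]:
    """Policy decision for a change request. The old password is available here
    only because the user just supplied it to authorize the change; verifiers
    store hashes, not plaintext, so this comparison cannot be run retroactively."""
    if is_trivial_variant(old, new):
        return False, "new password is a predictable variation of the old one"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample pairs: the first three are the transformations the
    # FAQ warns about; the last is the category-based change the article suggests.
    for old, new in [("Summer2023!", "Summer2024!"), ("P@ssw0rd1", "Password2"),
                     ("correct horse", "esroh tcerroc"),
                     ("gouda-purple-1989-New-York", "cheddar-black-2011-Des-Moines")]:
        print(f"{old!r} -> {new!r}: {password_change_allowed(old, new)}")
```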

If you are still forced to change a website password periodically, it is easiest to use a password manager to generate strong passwords, which you will then not have to memorize. For those passwords that must be remembered, aim to create longer passwords that don’t trip up your fingers while typing and that don’t require switching repeatedly between the uppercase and numeric keyboards on your phone. Consider choosing words from categories with many possibilities: for example, gouda-purple-1989-New-York could change to cheddar-black-2011-Des-Moines, and only you would know the categories used for each portion.

If your organization could use help updating a password expiration policy, or if you have questions regarding secure passwords, get in touch with us today.
