Overview#Password Periodic Changes or Forced Password Change are a long-standing security practice designed to periodically lock out unauthorized users who have learned users’ passwords.
While some experts began questioning this practice at least a decade ago, it was only in the past few years that published research provided evidence that this practice may be less beneficial than previously thought, and sometimes even counterproductive. A few peer-reviewed papers that address this issue:
- Microsoft- removing password-expiration policies
- "When humans are forced to change their passwords, too often they’ll make a small and predictable alteration to their existing passwords, and/or forget their new passwords."
- The Security of Modern Password Expiration An Algorithmic Framework and Empirical Analysis
- Quantitative measure of the impact of password expiration policies
- Time to rethink mandatory password changes
The National Institute of Standards and Technology (NIST) explained in a 2009 publication on enterprise password management that while password expiration mechanisms are "beneficial for reducing the impact of some password compromises", they are "ineffective for others" and "often a source of __frustration__ to users." They went on to encourage organizations to balance security and usability needs, outlining some factors to consider. NIST emphasized that other aspects of password policies may have greater benefits than mandatory expiration, including requirements for password length and complexity, as well as use of slow hash Functions with well-chosen “salt” (a technique to make sure that if two users have the same password they won’t look the same when hashed).