Password Periodic Changes


Password Periodic Changes or Forced Password Change are a long-standing security practice designed to periodically lock out unauthorized users who have learned users’ passwords.

While some experts began questioning this practice at least a decade ago, it was only in the past few years that published research provided evidence that this practice may be less beneficial than previously thought, and sometimes even counterproductive. A few peer-reviewed papers that address this issue:

NIST.SP.800-63B (2016) and Microsoft and Bruce Schneier recommend that passwords SHOULD NOT be arbitrarily expired after some interval.

The National Institute of Standards and Technology (NIST) explained in a 2009 publication on enterprise password management that while password expiration mechanisms are "beneficial for reducing the impact of some password compromises", they are "ineffective for others" and "often a source of __frustration__ to users." They went on to encourage organizations to balance security and usability needs, outlining some factors to consider. NIST emphasized that other aspects of password policies may have greater benefits than mandatory expiration, including requirements for password length and complexity, as well as use of slow hash Functions with well-chosen “salt” (a technique to make sure that if two users have the same password they won’t look the same when hashed).

More Information#

There might be more information for this subject on one of the following: