top of page

Password rotation: an obsolete practice

Since many years research has shown that when users are forced to periodically change their passwords, they are much more inclined to use passwords that are both insecure and predictable. Also, once an attacker knows a user's password, research shows they are often able to guess the user’s next password fairly easily.

There is also evidence from various surveys to suggest that users who know they will have to change their password, do not choose strong passwords to begin with and are more likely to write their passwords down.

The outcomes of password rotations are therefore user fatigue, less secure passwords and ultimately bad security practices such as writing them down in clear text.

This is something the National Institute of Standards and Technology (NIST) recognized already back in 2009 and reiterated recently: while password expiration mechanisms are “beneficial for reducing the impact of some password compromises,” they are “ineffective for others” and “often a source of frustration to users.” NIST emphasized that other aspects of password policies, including requirements for password length and complexity, are more important. NIST now explicitly states IT administrators "SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically)".

Furthermore, any password rotation scheme requires IT to send notifications of imminent password expiration, urging them to reset it. It is precisely such messages that are used frequently in phishing attacks to gain initial foothold into an organization's network. Users getting such messages will actually lower their guard and tend to click on password reset links, fake or real, thus decreasing the employees' capacity to resist phishing attacks. And so, any attempts at security awareness trainings will be undermined by the periodic password resets.

Phishing or not? What should I do?

Ultimately, the case against passwords is about technology change: conventional infosec wisdom simply does not apply anymore in a world where multifactor authentication (MFA) is ubiquitous and phishing is the most popular technique to gain unauthorized access - fast acting criminals will certainly not be deterred by a 90-day change policy. Fact is, passwords have become obsolete for some time already.

Following that reasoning, Microsoft has also been strongly advising against password expiration. Its Microsoft Secure Score solution rating an organization's security controls for MS365 actually gives a better score and security posture to an organization, if their password rotation is disabled.

In its documentation, Microsoft states that "password expiration requirements do more harm than good, because these requirements make users select predictable passwords, composed of sequential words and numbers that are closely related to each other. In these cases, the next password can be predicted based on the previous password. Password expiration requirements offer no containment benefits because cybercriminals almost always use credentials as soon as they compromise them".

Considering all this, IT admins and leaders will hopefully take a more proactive approach towards MFA adoption and eliminate the obsolete password rotation practice.

The exception here will be some companies in the payment card industry, where the latest PCI DSS 4.0 still requires passwords to be changed at least once every 90 days (for service providers i.e. companies that share any cardholder data with a third party). Hopefully the Payment Card Industry Security Standards Council will reconsider this in the future.