“Security theater is not security.”
“Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically).”
— NIST SP 800-63B, Section 5.1.1.2
NIST’s guidance is clear: only change passwords when there’s evidence of compromise. Arbitrary expiration policies reduce security by encouraging predictable patterns and password reuse.
“Password expiration requirements do more harm than good.”
— Microsoft Security Baseline
Microsoft removed password expiration from its baseline in 2019, citing no measurable security benefit and increased user frustration.
“Users who are required to change their passwords frequently select weaker passwords… and change them in predictable ways.”
— FTC Tech@FTC Blog
“Only ask users to change their password if you suspect it has been compromised.”
— NCSC Password Guidance
“The optimal benefit [of password expiration] is relatively minor at best, and questionable in light of overall costs.”
— Chiasson & van Oorschot, 2015
Password1 → Password21
“Mandatory password changes often conflict with real-world security goals and degrade usability.”
— Redzepagic et al., 2023
“Users often make minor, predictable changes to old passwords, undermining the purpose of expiration.”
— IACIS Study, 2022
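The policy these sources describe, written out as an added example that is not part of the original page: a password-change check that never expires a secret on age alone, requires a change only when evidence of compromise post-dates the current secret, and rejects the predictable edits the quotes above warn about (appended digit, changed capitalisation, leet substitutions, reversal) as well as exact matches against a breached-password list. The breach list, the leet map, the sample accounts and all function names are constructed here for illustration and are not from NIST or any of the cited studies.

```python
import hashlib
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed stand-in for a breached-password corpus, keyed by SHA-1 hex
# digest (the format range-query services expose). Not real breach data;
# SHA-1 is used only to match that format, never for password storage.
_BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("Password1", "Summer2024!", "letmein", "qwerty123")
}

# Common substitutions users apply when told "make it different" (assumed list).
_LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "3": "e"})
_EDGE_PADDING = re.compile(r"^[^a-z]+|[^a-z]+$")


def core(pw: str) -> str:
    """Reduce a password to the part users actually keep between rotations:
    lowercase, strip digit/symbol prefixes and suffixes, undo leet-speak.
    Falls back to the lowercased input when nothing but padding is left."""
    stripped = _EDGE_PADDING.sub("", pw.lower())
    return (stripped or pw.lower()).translate(_LEET)


def is_predictable_change(old: str, new: str) -> bool:
    """True when `new` is a trivial edit of `old`: the same core with
    different capitalisation, padding or leet-speak, the old core
    reversed, or one core embedded in the other."""
    o, n = core(old), core(new)
    if n == o or n == o[::-1]:
        return True
    return len(o) >= 4 and (o in n or n in o)


def is_breached(pw: str) -> bool:
    """Exact-match lookup against the (constructed) breach corpus."""
    return hashlib.sha1(pw.encode()).hexdigest() in _BREACHED_SHA1


@dataclass
class Account:
    password_set_at: datetime
    # Set by incident response or breach monitoring, never by a timer.
    compromised_at: Optional[datetime] = None


def change_required(acct: Account) -> bool:
    """Require a change only when evidence of compromise post-dates the
    current secret. Password age alone never triggers a change."""
    return (
        acct.compromised_at is not None
        and acct.compromised_at >= acct.password_set_at
    )


def validate_change(old: str, new: str) -> Optional[str]:
    """Return a rejection reason, or None if the new secret is acceptable."""
    if len(new) < 8:  # minimum length for user-chosen secrets
        return "too short"
    if is_breached(new):
        return "appears in breach corpus"
    if is_predictable_change(old, new):
        return "trivial edit of previous password"
    return None


# Constructed sample accounts: one with a three-year-old but uncompromised
# password, one flagged after its password was set.
_SET = datetime(2022, 1, 1, tzinfo=timezone.utc)
ACCOUNT_OLD_BUT_FINE = Account(password_set_at=_SET)
ACCOUNT_COMPROMISED = Account(
    password_set_at=_SET,
    compromised_at=datetime(2025, 3, 1, tzinfo=timezone.utc),
)

if __name__ == "__main__":
    print("old but fine:", change_required(ACCOUNT_OLD_BUT_FINE))   # False
    print("compromised:", change_required(ACCOUNT_COMPROMISED))     # True
    for old, new in [("Password1", "Password21"),
                     ("Password1", "P@ssw0rd2!"),
                     ("Winter2023", "3202retniW"),
                     ("Password1", "correct-horse-battery-staple")]:
        print(f"{old!r} -> {new!r}: {validate_change(old, new)}")
```

The similarity check only matters at the moment a user supplies both the old and the new secret; nothing here stores plaintext or reversible passwords. The breach lookup is deliberately exact-match rather than a similarity search, since a near-miss of a breached string is not itself evidence of compromise.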
correct-horse-battery-staple
“Forcing password changes every 90 days is like changing your locks every 90 days — even if no one tried to break in. It’s expensive, annoying, and doesn’t stop burglars.”