🔥 The Case Against Forced Password Expiration

“Security theater is not security.”


🧠 What the Experts Say

📜 NIST (SP 800-63B)

“Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically).”
NIST SP 800-63B, Section 5.1.1.2

NIST’s guidance is clear: force a password change only when there is evidence the secret has been compromised (the same section says verifiers SHALL force a change in that case). Arbitrary expiration reduces security because users respond with predictable patterns (incrementing a digit, swapping a trailing symbol) and with reuse across accounts.


🧰 Microsoft

“Password expiration requirements do more harm than good.”
Microsoft Security Baseline

Microsoft dropped the periodic-expiration setting from its Windows 10 and Windows Server security baseline in 2019 (the version 1903 baseline), calling it “an ancient and obsolete mitigation of very low value”: rotation only helps if the password was stolen during its validity window, and the practice pushes users toward predictable, guessable changes.


🏛️ FTC

“Users who are required to change their passwords frequently select weaker passwords… and change them in predictable ways.”
Lorrie Cranor, “Time to rethink mandatory password changes”, Tech@FTC blog, March 2016


🇬🇧 UK NCSC (GCHQ)

“Only ask users to change their password if you suspect it has been compromised.”
NCSC Password Guidance


📉 What the Research Shows

🧪 Carleton University Study

“The optimal benefit [of password expiration] is relatively minor at best, and questionable in light of overall costs.”
Chiasson & van Oorschot, “Quantifying the security advantage of password expiration policies”, Designs, Codes and Cryptography, 2015


🧠 UNC Chapel Hill


📊 DAAAM Symposium (2023)

“Mandatory password changes often conflict with real-world security goals and degrade usability.”
Redzepagic et al., 2023


😩 Password Fatigue Study (Beyond Identity, 2022)


🔁 Password Change Patterns

“Users often make minor, predictable changes to old passwords, undermining the purpose of expiration.”
IACIS Study, 2022
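To make the “minor, predictable changes” finding concrete, here is an added example (my own code, not from the IACIS study or any other work cited on this page). Given an expired password, it generates the transform-based guesses an attacker would try first, and it provides the verifier-side check a change-password flow can run to reject a new password that is only a trivial transform of the old one. The transform rules, the symbol list and the `Summer2024!` sample are my assumptions; real attacker wordlists are larger and data-driven.

```python
"""Predictable password transforms and a verifier-side check against them.

Added example (not from any study cited on this page). The transform rules
below are my assumptions about what "minor, predictable changes" look like.
"""
import re
from typing import List, Optional

SYMBOLS = "!@#$%*?"                                   # assumed common trailing symbols
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}  # assumed substitutions


def _split(pw: str):
    """Split 'Summer2024!' into ('Summer', '2024', '!')."""
    m = re.fullmatch(r"(.*?)(\d*)([" + re.escape(SYMBOLS) + r"]*)", pw, re.S)
    return m.group(1), m.group(2), m.group(3)


def candidate_passwords(old: str) -> List[str]:
    """Ordered guesses for the *next* password, most likely first."""
    word, digits, sym = _split(old)
    out: List[str] = []

    def add(c: str) -> None:
        if c != old and c not in out:
            out.append(c)

    # 1. bump the trailing number, keeping its width (Summer2024! -> Summer2025!)
    if digits:
        for delta in (1, 2, 3, 10, 100):
            add(f"{word}{int(digits) + delta:0{len(digits)}d}{sym}")
    else:
        for suffix in ("1", "2", "01", "123"):
            add(f"{word}{suffix}{sym}")
    # 2. swap, add or drop the trailing symbol (Summer2024! -> Summer2024@)
    for s in SYMBOLS:
        if s != sym:
            add(f"{word}{digits}{s}")
    if sym:
        add(f"{word}{digits}")
    # 3. flip the case of the first letter (Summer -> summer)
    if word:
        add(f"{word[0].swapcase()}{word[1:]}{digits}{sym}")
    # 4. one leetspeak substitution (password -> p@ssword)
    for i, ch in enumerate(word):
        rep = LEET.get(ch.lower())
        if rep:
            add(f"{word[:i]}{rep}{word[i + 1:]}{digits}{sym}")
    # 5. move the number to the front (Summer2024! -> 2024Summer!)
    if digits:
        add(f"{digits}{word}{sym}")
    return out


def guesses_needed(old: str, new: str) -> Optional[int]:
    """How many transform guesses an attacker holding `old` needs to hit `new`."""
    cands = candidate_passwords(old)
    return cands.index(new) + 1 if new in cands else None


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch small edits not in the rule set."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trivial_change(old: str, new: str, max_distance: int = 2) -> bool:
    """Verifier-side check: reject a new password derivable from the old one.

    Run it at change time, when the user has just re-entered `old` to
    re-authenticate, so no plaintext history needs to be stored.
    """
    if new.lower() == old.lower():
        return True
    if new in candidate_passwords(old):
        return True
    return edit_distance(old.lower(), new.lower()) <= max_distance


if __name__ == "__main__":
    old = "Summer2024!"                                   # constructed sample
    for new in ("Summer2025!", "Summer2024@", "$ummer2024!", "correct horse battery staple"):
        print(f"{old} -> {new}: guess #{guesses_needed(old, new)}, "
              f"trivial={is_trivial_change(old, new)}")
```

The point of the generator is that the first guess an attacker makes after `Summer2024!` expires is `Summer2025!`, which is exactly the change most users make; expiration buys nothing against that attacker. The check is the cheap complement: it only needs the old password at the moment the user re-enters it, and it should sit alongside the compromised-password list check that NIST SP 800-63B, Section 5.1.1.2 already requires.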


💸 The Real Cost of Expiration

💰 Forrester Research


🧱 Case Studies: Organizations That Ditched Expiration


✅ What Actually Works


🧻 Tape This to the Stall Door

“Forcing password changes every 90 days is like changing your locks every 90 days — even if no one tried to break in. It’s expensive, annoying, and doesn’t stop burglars.”