λ-Files — 2026


Posts from 2026.

Why Forcing Users to Change Passwords Is Bad for Security

Periodic password expiry (e.g. “change your password every 60–90 days”) is no longer considered good practice. Modern guidance is clear:

Do not require password changes unless there is evidence of compromise.

Authoritative Guidance

🇺🇸 United States: National Institute of Standards and Technology (NIST)

“Verifiers and CSPs SHALL NOT require subscribers to change passwords periodically. However, verifiers SHALL force a change if there is evidence that the authenticator has been compromised.”

Source: NIST SP 800-63B-4, Digital Identity Guidelines: Authentication and Authenticator Management, §3.1.1.2, item 6 (final, July 2025).

🇬🇧 United Kingdom: National Cyber Security Centre (NCSC)

“Regular password changing harms rather than improves security.”

“Forcing password expiry carries no real benefits.”

Source: UK NCSC Password Administration for System Owners - Don’t enforce regular password expiry.

🇫🇷 France: Agence nationale de la sécurité des systèmes d’information (ANSSI)

“If the password policy requires strong passwords and the systems allow that policy to be implemented, then it is recommended not to impose an expiry period by default on the passwords of non-sensitive accounts such as user accounts.” (translated from the French)

Source: ANSSI, Recommandations relatives à l’authentification multifacteur et aux mots de passe (Recommendations on multi-factor authentication and passwords), R24, 2021.

ANSSI separately recommends expiration for privileged accounts such as administrator accounts (R25).

Microsoft

“Periodic password expiration is an ancient and obsolete mitigation of very low value, and we don’t believe it’s worthwhile for our baseline to enforce any specific value.”

“When humans are forced to change their passwords, too often they’ll make a small and predictable alteration to their existing passwords, and/or forget their new passwords.”

Source: Aaron Margosis, Security baseline (FINAL) for Windows 10 v1903 and Windows Server v1903, Microsoft Security Baselines blog, 2019. See also: Microsoft 365 password policy recommendations.

Research Evidence

  • S. Chiasson and P. C. van Oorschot, Quantifying the Security Advantage of Password Expiration Policies, Designs, Codes and Cryptography, 2015. School of Computer Science, Carleton University. Quantifies the security gain of expiry under an analytic guessing-attack model and finds it minor at best. Available at: [pdf]

  • Y. Zhang, F. Monrose, and M. K. Reiter, The Security of Modern Password Expiration: An Algorithmic Framework and Empirical Analysis, in Proceedings of the 17th ACM Conference on Computer and Communications Security (CCS), 2010. Empirical study using password histories from 7,752 defunct accounts; new passwords are predictably derived from old ones via simple transforms. Available at: [pdf]

  • H. Habib, P. Emami-Naeini, S. Devlin, M. Oates, C. Swoopes, L. Bauer, N. Christin, and L. F. Cranor, User Behaviors and Attitudes Under Password Expiration Policies, in Proceedings of the Symposium on Usable Privacy and Security (SOUPS), 2018. Workplace survey: forced expiration did not yield stronger replacement passwords and elicited predictable coping strategies (e.g. appending digits), though it did not clearly produce some other feared harms either. Available at: [pdf]

  • D. Florêncio and C. Herley, A Large-Scale Study of Web Password Habits, in Proceedings of the International World Wide Web Conference (WWW), 2007. Empirical evidence on password reuse and user behaviour relevant to expiry policies. Available at: [link]

  • L. F. Cranor, Time to rethink mandatory password changes, FTC Tech Blog, 2 March 2016. Public-facing critique of mandatory rotation by the FTC’s then chief technologist, widely cited in the subsequent policy debate. Available at: [link]