Thespis' World

Ramblings of an old man about Networking

Password Rotation is Outdated

Why Rotating Passwords Every 60–90 Days Is Outdated (and What to Do Instead)

For years, IT departments enforced a familiar rule: users must change their passwords every 60 to 90 days. This policy was once seen as a pillar of good security hygiene. Today, however, security experts—including the likes of NIST (National Institute of Standards and Technology)—agree that this practice may actually do more harm than good.

The Problem with Frequent Password Changes

Forced password rotation often leads to unintended consequences:

  • Weaker passwords: Users tend to make predictable, minor changes (e.g., Spring2024! to Summer2024!), which are easily guessed.
  • Poor habits: Frequent changes encourage users to write passwords down, reuse them across systems, or choose overly simple ones just to stay compliant.
  • False sense of security: Rotating a password every few months doesn’t protect against immediate threats like phishing or credential theft. If a password is stolen, an attacker won’t wait 60 days to use it.
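The first bullet's "Spring2024! to Summer2024!" pattern can be caught at change time. The following Python check is an added example, not code from this post: it rejects cosmetic rotations (a calendar word plus year, or a new password that differs from the old one only by case, punctuation or trailing digits, or is otherwise nearly identical). The `MAX_SIMILARITY` threshold and the `check_rotation` interface are assumptions.

```python
import re
from difflib import SequenceMatcher

# Assumption: how much of the old secret may survive into the new one before the
# change is treated as cosmetic. Tune this against your own password-history data.
MAX_SIMILARITY = 0.7

# "Spring2024!", "Winter24", "Oct2023#": a season or month name followed by a year.
CALENDAR_YEAR = re.compile(
    r"^(spring|summer|autumn|fall|winter|jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)"
    r"[a-z]*\d{2,4}[^a-z0-9]*$",
    re.IGNORECASE,
)


def _core(pw: str) -> str:
    """Strip what users typically rotate: case, punctuation and trailing digits."""
    return re.sub(r"[^a-z0-9]", "", pw.lower()).rstrip("0123456789")


def check_rotation(old: str, new: str) -> tuple[bool, str]:
    """Return (accepted, reason) for a proposed change from `old` to `new`.

    Both values are available in plaintext only at the moment the user changes
    the password (the current one must be typed to authorise the change);
    do not retain them afterwards.
    """
    if CALENDAR_YEAR.match(new):
        return False, "calendar pattern (season or month plus year)"
    if _core(old) and _core(old) == _core(new):
        return False, "only case, punctuation or trailing digits changed"
    ratio = SequenceMatcher(None, old.lower(), new.lower()).ratio()
    if ratio >= MAX_SIMILARITY:
        return False, f"too similar to the previous password (ratio {ratio:.2f})"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample changes: the first two are the kind of rotation the post warns about.
    for old, new in [("Spring2024!", "Summer2024!"),
                     ("CorrectHorse7!", "CorrectHorse8!"),
                     ("CorrectHorse7!", "Battery-Staple-42")]:
        print(f"{old} -> {new}: {check_rotation(old, new)}")
```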

When Rotation Still Makes Sense

There are still cases where rotation policies are justified:

  • Privileged or shared accounts where the risk of exposure is higher
  • Following a known or suspected breach
  • Meeting specific regulatory or compliance mandates

In these scenarios, rotation should be paired with strong password creation policies and monitoring.

What to Do Instead

Modern security guidance recommends:

  • Enforcing strong, unique passwords (ideally with a password manager)
  • Requiring multi-factor authentication (MFA) wherever possible
  • Monitoring for credential leaks and triggering changes only when needed
  • Adopting passwordless technologies, such as biometrics or passkeys

Final Thoughts

Password rotation every 60–90 days was born in an era before phishing, MFA, and real-time breach monitoring. Today, it’s a blunt instrument that can weaken your organization’s security posture rather than strengthen it. It’s time to move beyond outdated policies and adopt smarter, risk-based approaches to credential security.

thespis