Should I force password expiration?

February 2, 2021
Conventional wisdom on the topic has changed.
 
Microsoft now recommends NOT expiring passwords. The NCSC (National Cyber Security Centre) makes similar points: forced password changes typically result in only minor deviations from the previous password, add burden on users, and usually provide no security benefit.
 
An 8-character minimum is still a good policy, but forcing longer passwords does not improve security; it reduces it, because users commonly repeat a familiar password until they hit the length minimum, or they write the password down and keep it next to the system that requires it. (For example, Tanya$96 under a forced 16-character minimum would end up as Tanya$96Tanya$96.)
 
Forcing symbol use or "complexity" actually reduces security, because many users end up using a common password with 1337 ('leet') substitutions, rendering the symbol requirement ineffective. (For example, Emma8390 under a complexity requirement becomes Emm@8390.)
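As an added example (not the post's own code), here is the usual length-plus-complexity check beside a check that first collapses repetition padding and undoes common leet substitutions before measuring length and consulting a blocklist, so the two patterns described above no longer pass. The leet table and the blocklist are constructed for the demonstration; a real deployment would check against a large breached-password list.

```python
import itertools
import re

# Classic 'leet' substitutions, mapped back to the letters they stand in for.
LEET = {"@": "a", "$": "s", "!": "i", "0": "o", "1": "l", "3": "e"}

# Constructed stand-in for a breached/common-password list (a real deployment
# would use a large downloaded list instead of a handful of entries).
COMMON_PASSWORDS = {"password", "qwerty", "letmein", "emma8390"}


def naive_policy_ok(password: str, min_length: int) -> bool:
    """The usual 'length plus complexity' rule: long enough and has a symbol."""
    has_symbol = re.search(r"[^A-Za-z0-9]", password) is not None
    return len(password) >= min_length and has_symbol


def shortest_repeating_unit(s: str) -> str:
    """Return the shortest u with s == u * k, or s itself if it does not repeat."""
    for size in range(1, len(s) // 2 + 1):
        if len(s) % size == 0 and s[:size] * (len(s) // size) == s:
            return s[:size]
    return s


def deleet_variants(s: str):
    """Yield every lower-cased spelling reachable by undoing any subset of the
    leet substitutions, so a digit that really is a digit is not lost."""
    options = [(c, LEET[c]) if c in LEET else (c,) for c in s]
    for combo in itertools.product(*options):
        yield "".join(combo).lower()


def effective_length(password: str) -> int:
    """Length of the part the user actually chose, ignoring repetition padding."""
    return len(shortest_repeating_unit(password))


def matches_common_list(password: str) -> bool:
    """True if the unpadded base, in any de-leeted spelling, is a known-bad password."""
    base = shortest_repeating_unit(password)
    return any(v in COMMON_PASSWORDS for v in deleet_variants(base))


def better_policy_ok(password: str, min_length: int = 8) -> bool:
    """Judge the password by its effective length plus a normalized blocklist check."""
    return effective_length(password) >= min_length and not matches_common_list(password)


if __name__ == "__main__":
    for pw, forced_min in [("Tanya$96Tanya$96", 16), ("Emm@8390", 8)]:
        print(f"{pw:18} naive={naive_policy_ok(pw, forced_min)} "
              f"effective_len={effective_length(pw)} better={better_policy_ok(pw, forced_min)}")
```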
 
Better password strategies are:
Encourage users to avoid reusing passwords.
Enforce, or at least encourage, the use of MFA.
Use a password manager.