Introduction
Passwords serve as the cornerstone of digital security in an increasingly interconnected world, safeguarding access to sensitive information and critical systems. For many years, a prevalent security practice has been the implementation of password expiration policies, mandating that users change their passwords at regular intervals. The rationale behind this approach was rooted in the belief that periodic changes would limit the window of opportunity for attackers in the event of password compromise. However, the efficacy of this long-standing security measure has come under increasing scrutiny, with a growing body of academic research suggesting that mandatory password rotation may not only fail to enhance security but could inadvertently lead to weaker password practices. This report delves into the academic evidence surrounding the claim that removing password expiration policies can, in fact, encourage users to adopt stronger passwords. By examining the methodologies and findings of key studies, exploring counterarguments and limitations within the literature, and considering the current guidelines from prominent standards organisations such as the National Institute of Standards and Technology (NIST) and the European Union Agency for Cybersecurity (ENISA), this analysis aims to provide a comprehensive understanding of the evolving expert consensus on this critical aspect of digital security. The insights gleaned from this investigation are of paramount importance for organisations striving to bolster their security posture while minimising user friction and avoiding the unintended consequences of outdated security practices.
The Historical Context of Password Expiration Policies
The practice of enforcing password expiration has a history deeply intertwined with early approaches to cybersecurity. The traditional reasoning behind such policies stemmed from the assumption that passwords, over time, might become compromised through various means, including data breaches or successful guessing attacks. In an era of far more limited computational power, the thinking was that regularly changing passwords would invalidate any compromised credentials before malicious actors could fully exploit them. This approach rested on a threat model that estimated the time required to crack an average password: mandate a change within a timeframe shorter than the estimated cracking period, and an attack is pre-empted. Note that this model only helps against an attacker who holds a password hash but has not yet cracked it; a password that falls in minutes is not protected by a 90-day rotation, and one that resists cracking for years gains little from it. Consequently, early security recommendations often combined password complexity requirements with periodic changes. For instance, in 2006, NIST recommended using complex and lengthy passwords and changing them every 90 days (or 180 days for passphrases) as part of sound password policies. These initial recommendations reflected the prevailing security wisdom of the time, emphasising both the difficulty of guessing a password and the limited lifespan of its security value. This historical context is crucial for understanding the subsequent shift in expert opinion, which has been driven by advances in technology, a deeper understanding of user behaviour, and empirical evidence challenging the initial assumptions underlying password expiration policies.
Academic Research Challenging Password Expiration
As the landscape of cyber threats evolved and research into user behaviour deepened, a number of academic studies began to question the fundamental security benefits of mandatory password changes. Quantitative analysis, such as the study “Quantifying the Security Advantage of Password Expiration Policies” by Chiasson and van Oorschot of Carleton University, suggested that the security gains from expiration are minor when weighed against the associated costs and drawbacks. This finding served as a catalyst for further investigation into how users react to forced password changes and whether those reactions enhance or undermine security. Research revealed that when users are compelled to update their passwords regularly, they often adopt strategies that, while nominally compliant with the policy, weaken overall security. For example, a Carnegie Mellon University (CMU) study observed that users frequently resort to predictable modifications, such as appending digits or special characters to their existing passwords. Similarly, the research highlighted that users tend to increment their passwords (e.g., changing ‘Password1’ to ‘Password2’) or create new passwords that are easy to guess, all in an effort to minimise the cognitive burden of frequent changes. This behaviour directly contradicts the intended benefit of rotation: an attacker who already knows a previous password can simply try these transformations against the new one.
The concept of “password fatigue” emerged as a significant factor contributing to these negative user behaviours. The need to remember a multitude of frequently changing passwords across various online services can lead to a state of mental exhaustion and frustration. In response, users may resort to insecure practices such as reusing the same password across multiple accounts. This practice creates a significant vulnerability, as the compromise of one account can then lead to the compromise of many others. Furthermore, the burden of remembering complex and frequently changing passwords can also increase the likelihood of users writing down their passwords in insecure locations, such as on sticky notes, thereby introducing another significant security risk.
The extensive body of research from Carnegie Mellon University has been particularly influential in shaping the current understanding of password usability and security. Their studies have consistently indicated that traditional password complexity requirements (e.g., requiring a mix of uppercase and lowercase letters, numbers, and symbols) do not necessarily lead to stronger passwords and often harm usability. One CMU study specifically concluded that 46% of users were more likely to have guessable passwords when strict complexity rules were in place. Another, “Measuring Password Guessability for an Entire University” (Mazurek et al., 2013), found that users who reported being annoyed by CMU’s complex password policy actually created weaker passwords. These findings underscore the counterproductive nature of overly restrictive password policies. Work from the University of North Carolina (Zhang et al., discussed below) approached the question from the attacker’s side and showed that replacement passwords can frequently be derived from their predecessors, while Chiasson and van Oorschot’s analysis put the security advantage of frequent resets at “relatively minor at best”. The consistency of these conclusions across different research institutions strengthens the argument against mandatory password expiration.
Further evidence comes from a 2010 study by Zhang et al., which developed a framework for deducing a user’s new password from the old one through a series of common transformations. Their research demonstrated the predictability of user-generated password changes: the framework guessed 41% of new passwords in an offline attack and 17% in an online attack using only around five guesses per account. The practical consequence is that an attacker who obtains an old password (for example from a breach of another service where it was reused) starts with a short, high-probability guess list rather than a blank search space, which negates the intended benefit of rotation. A 2014 NIST study by Choong et al. of US government employees revealed that when asked to create new passwords, users tended to employ less secure strategies, such as recycling old passwords or making only minor modifications. This indicates that even in environments with heightened security awareness, mandatory password changes drive users towards insecure practices. In 2015, a survey by Farcasin et al. found that a 120-day password expiration period was considered too short by users, leading to increased password reuse and the creation of less secure new passwords. This suggests that short expiration periods exacerbate the problem, pushing users towards even more detrimental workarounds.
A 2018 survey by Habib et al. also questioned the security gains of forced password expiration, finding that replacement passwords were often no stronger than the ones they replaced. Interestingly, their research also indicated that repeatedly advising users to change their passwords regularly could lead them to believe in its importance, even when evidence supporting this advice was lacking. This highlights a potential disconnect between perceived security and actual security benefits. More recently, a 2023 survey of German companies by Gerlitz et al. revealed that despite updated recommendations against password expiration, a significant percentage (45%) still enforced it, often citing security concerns or requirements from stakeholders. This suggests a lag in the adoption of evidence-based practices and a potential resistance to abandoning long-held beliefs about password security.
The Argument for Prioritising Password Length and Strength over Expiration
The prevailing consensus within the academic community has shifted towards emphasising password length and strength (often measured by entropy) as the primary determinants of password security rather than relying on the outdated practice of mandatory rotation. This modern approach recognises that the goal is to make passwords sufficiently hard for attackers to guess in the first place, thereby reducing the likelihood of successful brute-force or dictionary attacks. Longer passwords increase the search space an attacker must explore, and because that space grows exponentially with length, each added character makes such attacks markedly more expensive and time-consuming. Research indicates that increasing length raises entropy, and hence resistance to guessing, more than enforcing character-class requirements does.
While complexity requirements (such as the inclusion of uppercase and lowercase letters, numbers, and symbols) can contribute to password entropy, a more nuanced view has emerged from recent research. Studies have shown that users often react to these requirements in predictable ways, such as placing special characters at the beginning or end of their passwords or making simple substitutions. Attackers are well aware of these common patterns, which diminishes the intended security benefit of such rules. Consequently, leading authorities like NIST now recommend against imposing arbitrary complexity requirements, instead emphasising the importance of password length and randomness.
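To make the length-versus-complexity argument above concrete, here is a small added calculation (not from the original report) that compares the naive entropy of a policy with the effective entropy of the predictable shape users produce under it. The dictionary size, wordlist size and guess rate are assumptions chosen for illustration; everything uses Python's standard library.

```python
import math

# Added illustration. All corpus sizes and the guess rate below are assumptions
# for the calculation, not measurements from the report.
ASCII_PRINTABLE = 95       # alphabet a "four character classes" policy draws from
LOWERCASE = 26
DICTIONARY_WORDS = 50_000  # assumed size of a cracking dictionary of common words
DICEWARE_LIST = 7_776      # standard Diceware-style wordlist size
GUESSES_PER_SECOND = 1e10  # assumed offline guess rate against a fast unsalted hash


def uniform_bits(length, alphabet):
    """Entropy if every character were chosen uniformly at random (the textbook view)."""
    return length * math.log2(alphabet)


def pattern_bits(words=DICTIONARY_WORDS, digit_suffix=2, symbols=10, case_variants=2):
    """Effective entropy of the familiar 'Capitalised word + digits + symbol at the end'
    shape users commonly produce under composition rules. An attacker enumerates
    word x case x digit suffix x symbol, not 95 ** length."""
    return math.log2(words * case_variants * 10 ** digit_suffix * symbols)


def passphrase_bits(n_words, wordlist=DICEWARE_LIST):
    """Entropy of n words chosen uniformly from a wordlist: length, no composition rules."""
    return n_words * math.log2(wordlist)


def seconds_to_exhaust(bits, rate=GUESSES_PER_SECOND):
    """Worst-case time to enumerate the whole space at the assumed guess rate."""
    return 2 ** bits / rate


def compare():
    """(label, bits, seconds) for the policies discussed in the text, in the text's order."""
    rows = [
        ("8 chars, 4 classes, truly random", uniform_bits(8, ASCII_PRINTABLE)),
        ("8+ chars, 4 classes, as users actually choose (Word12!)", pattern_bits()),
        ("15 lowercase chars, truly random", uniform_bits(15, LOWERCASE)),
        ("4-word random passphrase", passphrase_bits(4)),
    ]
    return [(label, round(bits, 1), seconds_to_exhaust(bits)) for label, bits in rows]


if __name__ == "__main__":
    for label, bits, secs in compare():
        print(f"{label:58s} {bits:6.1f} bits  {secs / 86400:14.1f} days")
```

Two things the numbers show that the prose only asserts: the "complex" eight-character password is worth about 27 bits once the attacker models how people actually satisfy the rule, not the 52 bits the policy appears to buy, and fifteen random lowercase characters beat it by a wide margin. A four-word passphrase lands close to eight genuinely random printable characters; the difference is that people can remember and type the passphrase, whereas the eight-character password is almost never random.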
Underlying this shift in focus is the critical consideration of “usable security”. Security policies, including password requirements, must be practical for users to follow effectively without causing undue frustration or leading to insecure workarounds. Overly complex or frequently changing passwords can be difficult for users to remember, leading to behaviours that compromise security, such as writing passwords down or reusing them across multiple accounts. Therefore, a balance between security and usability is paramount for creating effective password management practices.
User Behaviour and Password Management Practices under Expiration Policies
The academic literature provides compelling evidence that mandatory password expiration policies often lead to predictable password changes by users. Instead of creating entirely new and strong passwords, individuals frequently resort to making minor, easily anticipated alterations to their existing passwords when prompted to change them. Common tactics include simply incrementing a number at the end of the password or changing a single character. These predictable patterns significantly diminish the effectiveness of password rotation, as attackers who may have previously compromised a password can readily guess the subsequent iterations. This directly undermines the fundamental goal of password expiration, which is to render compromised passwords useless.
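The predictability described here, and in the discussion of Zhang et al. above, can be demonstrated with a toy transformation-based guesser. The code below is an added illustration, not the framework from the paper or any code from the report: its rule catalogue (`_increment`, `_shift_symbol`, `_append`, `_leet`, `_recase`) is a constructed, deliberately small set of edits of the kind the literature reports, and `guess_rank` returns how many guesses an attacker who knows the old password needs before hitting the new one.

```python
import string

# Added example. The rules are a constructed catalogue of common user edits; the
# exact set (and order) is an assumption, not the rule set of Zhang et al. (2010).


def _increment(pw):
    """'Password1' -> 'Password2'; 'Summer2023!' -> 'Summer2024!' (trailing symbol kept)."""
    suffix = ""
    if pw and pw[-1] in string.punctuation:
        suffix, pw = pw[-1], pw[:-1]
    i = len(pw)
    while i > 0 and pw[i - 1].isdigit():
        i -= 1
    stem, digits = pw[:i], pw[i:]
    if not digits:
        return []
    return [stem + str(int(digits) + k).zfill(len(digits)) + suffix for k in (1, 2, 3)]


def _shift_symbol(pw):
    """Move a trailing symbol to the front, swap it for a neighbour, or move a leading one to the end."""
    out = []
    if pw and pw[-1] in string.punctuation:
        out.append(pw[-1] + pw[:-1])
        out.extend(pw[:-1] + s for s in "!@#$%" if s != pw[-1])
    if pw and pw[0] in string.punctuation:
        out.append(pw[1:] + pw[0])
    return out


def _append(pw):
    """Append one digit or one common symbol."""
    return [pw + c for c in "0123456789!@#$"]


def _leet(pw):
    """One single-character substitution at a time (a->@, e->3, ...)."""
    table = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$", "l": "1"}
    return [pw[:i] + table[c.lower()] + pw[i + 1:] for i, c in enumerate(pw) if c.lower() in table]


def _recase(pw):
    return [pw.capitalize(), pw.upper(), pw.lower()]


RULES = [_increment, _shift_symbol, _append, _leet, _recase]


def candidates(old, depth=2):
    """Breadth-first: every string reachable from `old` by at most `depth` rule
    applications, in the order an attacker would try them (single edits first)."""
    seen, ordered, frontier = {old}, [], [old]
    for _ in range(depth):
        nxt = []
        for pw in frontier:
            for rule in RULES:
                for cand in rule(pw):
                    if cand not in seen:
                        seen.add(cand)
                        ordered.append(cand)
                        nxt.append(cand)
        frontier = nxt
    return ordered


def guess_rank(old, new, depth=2):
    """1-based number of guesses needed to reach `new` from `old`, or None if unreachable."""
    try:
        return candidates(old, depth).index(new) + 1
    except ValueError:
        return None


if __name__ == "__main__":
    pairs = [("Password1", "Password2"), ("Summer2023!", "Summer2024!"),
             ("Welcome1", "Welcome1!"), ("Password1", "correct horse battery staple")]
    for old, new in pairs:
        print(f"{old!r} -> {new!r}: guess #{guess_rank(old, new)}")
```

With only single-edit rules the guess list for `Password1` is a couple of dozen strings, and the three "rotations" users most often produce are found in the first guess or within the first fifteen, well inside a typical online lockout budget. A genuinely new password is simply not in the list, which is the whole point of the argument for length and uniqueness over rotation.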
Furthermore, the requirement to change passwords frequently can contribute to the pervasive problem of password reuse across different online accounts. Faced with the challenge of remembering numerous unique and constantly evolving passwords, users may opt for the risky convenience of using the same password, or slight variations thereof, for multiple services. This practice creates a significant cascading risk; if an attacker manages to compromise one account, they may then gain access to other accounts that share the same or similar credentials. The increased cognitive burden imposed by mandatory password changes can also lead to the undesirable behaviour of users writing down their passwords, especially if those passwords are complex and need to be changed regularly. Storing passwords in an insecure manner, such as on a piece of paper, introduces a readily exploitable vulnerability that can negate any potential security benefits intended by the expiration policy.
Beyond the direct impact on password strength and security practices, mandatory password expiration also carries operational costs. Organisations often experience a surge in help desk requests related to password resets when users forget their frequently changed passwords. This increased administrative overhead consumes valuable IT resources and can also lead to decreased user productivity as individuals are locked out of their accounts. The time and resources spent on managing these password-related issues represent a significant financial cost for many organisations, further highlighting the drawbacks of policies that may not even enhance security in a meaningful way.
Guidelines and Recommendations from Standards Organisations
Leading cybersecurity standards organisations have increasingly recognised the limitations and potential harms associated with mandatory password expiration policies, aligning their guidelines with academic research findings. The National Institute of Standards and Technology (NIST), a highly influential authority in this domain, has significantly revised its recommendations in recent years. The current NIST guidelines, as detailed in Special Publication 800-63B, explicitly recommend against requiring users to change their passwords periodically unless there is evidence of a compromise. Instead, NIST emphasises the importance of password length, requiring a minimum of 8 characters for user-chosen passwords, recommending that verifiers require at least 15, and requiring that verifiers accept passwords of at least 64 characters. NIST now advises against imposing arbitrary password complexity requirements, such as mandating the use of specific character types, and instead recommends allowing all printable ASCII and Unicode characters, including spaces. Furthermore, NIST requires that new passwords be checked against blocklists of known compromised passwords to prevent users from selecting already vulnerable credentials. This shift in NIST’s guidance reflects a significant change in the understanding of effective password security, moving away from traditional practices towards evidence-based recommendations.
The European Union Agency for Cybersecurity (ENISA) also emphasises the importance of strong and unique passwords as a fundamental aspect of cyber hygiene. While some earlier ENISA advice might have mentioned changing passwords regularly, their more recent guidance aligns with the broader trend of prioritising password strength and uniqueness. ENISA strongly advocates for the use of password managers to help users create and securely store complex passwords, thereby mitigating password fatigue and reducing the likelihood of password reuse. Moreover, ENISA places a significant emphasis on the implementation of multi-factor authentication (MFA) as a critical security measure. By requiring an additional form of verification beyond the password, MFA significantly enhances account security, even if a password happens to be weak or compromised. This focus on strong passwords, password management tools, and multi-factor authentication suggests a convergence of views among major standards bodies towards a more holistic and effective approach to password security that does not necessarily rely on forced password rotation.
Alternative Strategies for Encouraging Strong Password Usage
Recognising the shortcomings of mandatory password expiration policies, the academic community and standards organisations strongly advocate for the adoption of alternative strategies that have proven to be more effective in encouraging users to create and maintain strong passwords. One of the most widely recommended alternatives is the use of a password manager. These tools enable users to generate and securely store long, complex, and unique passwords for each of their online accounts, effectively eliminating the need for users to remember numerous different credentials. By alleviating the burden of password memorisation, password managers significantly reduce password fatigue and the temptation to reuse passwords across multiple services.
Another crucial element in fostering strong password practices is comprehensive user education and training. Educating users about the inherent risks associated with weak passwords, password reuse, and predictable password changes is essential for cultivating a security-conscious mindset. Training initiatives should emphasise the importance of creating long, memorable passphrases or, ideally, utilising password managers to manage their credentials securely. Providing users with a clear understanding of why certain password practices are recommended can be far more effective than simply imposing rules.
Implementing real-time password strength meters and feedback mechanisms during the password creation process can also significantly help guide users towards stronger password choices. These tools provide immediate and actionable feedback on the strength of a user’s password as they type it, often offering suggestions on how to improve its resilience against cracking attempts. This immediate feedback can help users understand the impact of their password choices and make informed decisions without the need for complex or frequently changing rules.
A critical security measure that complements the removal of password expiration is the implementation of blocklists of known compromised passwords. By checking newly created or changed passwords against these lists of previously breached or commonly used passwords, organisations can prevent users from selecting credentials that are already known to attackers and thus highly vulnerable.
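The following added example (not from the report, and not a reference implementation from any standards body) shows one way to implement such a check in the spirit of NIST SP 800-63B. `BREACHED` is a constructed stand-in for a real breach corpus; the prefix-indexed lookup mirrors a k-anonymity range query, so that only the first five hex characters of a SHA-1 would leave the client; and `canonical` is an assumed local heuristic that folds the trivial variants users produce when a blocked password is rejected or when they are told to "rotate" it.

```python
import hashlib

# Added example. BREACHED is a constructed sample, standing in for a real breach
# corpus; the range-index shape is modelled on k-anonymity lookups.
BREACHED = ["password", "123456", "qwerty", "letmein", "Summer2023", "Welcome1", "P@ssw0rd"]

# Assumed normalisation: undo the usual single-character substitutions and strip the
# digits/symbols users tack onto the end to satisfy rules or to "rotate".
LEET = str.maketrans({"@": "a", "$": "s", "3": "e", "1": "l", "0": "o", "4": "a", "!": "i"})
TRAILING = "0123456789!@#$%^&*.,?-_"


def sha1_hex(text):
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


def canonical(password):
    """'P@ssw0rd2024!' -> 'password'. Strip first, then translate, so that a
    trailing '!' is removed rather than turned into 'i'."""
    return password.lower().rstrip(TRAILING).translate(LEET)


def build_range_index(plaintexts):
    """Map 5-hex-char SHA-1 prefix -> set of 35-char suffixes, the shape a range API
    returns for that prefix. Empty strings (e.g. '123456' after canonicalisation) are skipped."""
    index = {}
    for p in plaintexts:
        if not p:
            continue
        digest = sha1_hex(p)
        index.setdefault(digest[:5], set()).add(digest[5:])
    return index


RAW_INDEX = build_range_index(BREACHED)
CANON_INDEX = build_range_index({canonical(p) for p in BREACHED})


def in_index(password, index):
    """Client-side comparison: look up our prefix, then match the suffix locally."""
    digest = sha1_hex(password)
    return digest[5:] in index.get(digest[:5], set())


def evaluate(password, context_words=(), min_len=8, max_len=64):
    """Accept or reject a candidate password: a length floor (NIST: at least 8; 15 is the
    recommended floor), no composition rules, and blocklist checks on the password as
    typed, on its canonical form, and on context-specific words (service or user name)."""
    if len(password) < min_len:
        return False, f"shorter than {min_len} characters"
    if len(password) > max_len:  # a verifier must accept at least 64; a higher cap is a local choice
        return False, f"longer than {max_len} characters"
    if in_index(password, RAW_INDEX):
        return False, "appears in breach corpus"
    canon = canonical(password)
    if canon and in_index(canon, CANON_INDEX):
        return False, "matches a breached password after normalisation"
    lowered = password.lower()
    for word in context_words:
        if word.lower() in lowered:
            return False, f"contains context-specific word '{word}'"
    return True, "ok"


if __name__ == "__main__":
    for pw in ["Summer2023", "P@ssw0rd2024!", "Welcome123!", "short1!",
               "correct horse battery staple"]:
        print(f"{pw!r}: {evaluate(pw)}")
    print(evaluate("Acme-payroll-login-2024", context_words=("acme",)))
```

The canonical-form check is what stops the rotation workaround: `Welcome123!` is not literally in the corpus, but it is `Welcome1` with the digits and symbol swapped, and it is rejected on that basis. In production the raw and canonical hashes would be checked against a range endpoint rather than an in-memory dictionary, and the normalisation rules should be tuned to the variants actually observed in the organisation's own reset logs.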
Finally, adopting multi-factor authentication (MFA) represents a cornerstone of modern security practices and significantly reduces the reliance on password strength and rotation frequency as primary security controls. MFA adds a crucial layer of security by requiring users to provide an additional verification factor beyond their passwords, such as a one-time code from an authenticator app or a biometric scan. Even if a password is weak or somehow compromised, the attacker would still need to bypass the second authentication factor to gain unauthorised access.
Case Studies and Empirical Evidence
The decisions and recommendations of prominent organisations and empirical findings from real-world implementations further support the growing consensus against mandatory password expiration. For instance, Google has turned off password expiration by default for its user accounts, citing research that indicates little positive impact on security from this practice. This decision by a major technology provider with vast experience in managing user security lends significant weight to the argument against forced password rotation. Similarly, the German Federal Office for Information Security (BSI) updated its guidelines in 2020 to remove password expiry, explicitly referencing research that supports this change. This action by a national cybersecurity agency demonstrates a policy shift based on the evolving understanding of password security. Microsoft, another leading technology company, has also publicly stated that password expiration requirements often do more harm than good, encouraging users to select predictable passwords.
The extensive research conducted by Carnegie Mellon University, as previously discussed, provides further empirical evidence supporting the prioritisation of password length and strength tests over traditional complexity rules and frequent password changes. Their findings consistently show that policies focusing on minimum length (e.g., 12 characters or more) and passing a real-time strength test result in passwords that are both more secure and more usable than those created under traditional, restrictive policies. Furthermore, quantitative analyses, such as the study “Quantifying the Security Advantage of Password Expiration Policies,” have consistently demonstrated that the security benefits of password expiration are limited, particularly when considering the associated costs and the negative impact on user behaviour. This body of evidence from academic research and real-world implementations strongly suggests that the removal of mandatory password expiration, when coupled with the adoption of alternative strategies, can lead to a more secure and user-friendly approach to password management.
Conclusion and Recommendations
The analysis of academic research and the guidelines from standards organisations overwhelmingly indicates that mandatory password expiration policies are no longer considered an effective security measure. In fact, the evidence suggests that such policies can often be counterproductive, leading to weaker password practices, increased user frustration, and higher administrative costs. The consensus has shifted towards prioritising password length and strength, coupled with the implementation of alternative strategies that empower users to create and manage strong, unique passwords more effectively.
Based on the findings of this report, the following evidence-based recommendations are provided for organisations seeking to enhance their password security posture:
- Eliminate mandatory password expiration policies. The practice of forcing users to change their passwords at regular intervals should be discontinued unless there is a specific indication of account compromise.
- Prioritise password length (minimum 15 characters recommended) over complex character requirements. Encourage users to create longer passwords or passphrases, as length is a more significant factor in resisting brute-force attacks than arbitrary complexity rules.
- Encourage or require the use of password managers. Password managers are invaluable tools for enabling users to generate and securely store strong, unique passwords for all their accounts, thereby mitigating password fatigue and reuse.
- Implement comprehensive user education and training on password security best practices. Educate users about the risks of weak passwords, password reuse, and predictable changes, emphasising the importance of length and the benefits of password managers.
- Deploy password strength meters with real-time feedback. Integrate password strength meters into password creation interfaces to provide users with immediate feedback and guidance towards stronger choices.
- Utilise blocklists of known compromised passwords. Prevent users from selecting passwords that have already been exposed in data breaches or are commonly used and easily guessed.
- Implement multi-factor authentication for all accounts, especially privileged ones. MFA provides a critical additional layer of security that significantly reduces the risk of unauthorised access, even if a password is compromised.
- Focus on detecting and responding to actual account compromises rather than relying on periodic password changes. Implement robust monitoring and logging systems to identify suspicious activity and potential breaches, enabling timely intervention.
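As an added example of what the last recommendation looks like in practice (illustrative code, not from the report), the detector below runs over a constructed authentication log and raises the two compromise indicators that, unlike the calendar, justify a forced credential reset: a burst of failures followed by a success from the same address, and a success from an address with no login history for that user. The log format, field names and thresholds are assumptions; adapt `LINE_RE` and the parameters to the real identity provider's schema.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data). The one-line key=value shape
# is an assumption; real IdPs emit JSON or syslog and LINE_RE must be adapted.
LOG_LINES = """
2024-05-01T08:00:01Z auth user=alice ip=198.51.100.7 result=ok
2024-05-01T08:05:00Z auth user=carol ip=198.51.100.22 result=fail
2024-05-01T08:05:09Z auth user=carol ip=198.51.100.22 result=ok
2024-05-01T09:00:00Z auth user=bob ip=203.0.113.9 result=fail
2024-05-01T09:00:02Z auth user=bob ip=203.0.113.9 result=fail
2024-05-01T09:00:04Z auth user=bob ip=203.0.113.9 result=fail
2024-05-01T09:00:06Z auth user=bob ip=203.0.113.9 result=fail
2024-05-01T09:00:08Z auth user=bob ip=203.0.113.9 result=fail
2024-05-01T09:00:11Z auth user=bob ip=203.0.113.9 result=ok
2024-05-02T08:01:00Z auth user=alice ip=198.51.100.7 result=ok
2024-05-02T13:30:00Z auth user=alice ip=203.0.113.9 result=ok
""".strip().splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>ok|fail)$"
)


def parse(lines):
    """Parse log lines into dicts; lines that do not match are skipped, never guessed at."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def detect(events, window=timedelta(minutes=10), min_failures=5):
    """Two indicators of actual compromise:
    brute_force_success: at least `min_failures` failures from one IP for a user within
        `window`, then a success from that IP (guessing that worked).
    new_ip_success: a success from an IP with no prior successful login for that user;
        severity is raised to high if the IP was already implicated in rule 1 elsewhere.
    The first success for a user establishes a baseline and is not alerted on."""
    alerts = []
    known_ips = defaultdict(set)      # user -> IPs with an earlier successful login
    recent_fails = defaultdict(list)  # (user, ip) -> timestamps of failures
    suspect_ips = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["ip"])
        if ev["result"] == "fail":
            recent_fails[key].append(ev["ts"])
            continue
        fails = [t for t in recent_fails.pop(key, []) if ev["ts"] - t <= window]
        if len(fails) >= min_failures:
            suspect_ips.add(ev["ip"])
            alerts.append({"rule": "brute_force_success", "user": ev["user"], "ip": ev["ip"],
                           "ts": ev["ts"], "failures": len(fails), "severity": "high"})
        elif known_ips[ev["user"]] and ev["ip"] not in known_ips[ev["user"]]:
            alerts.append({"rule": "new_ip_success", "user": ev["user"], "ip": ev["ip"],
                           "ts": ev["ts"], "failures": len(fails),
                           "severity": "high" if ev["ip"] in suspect_ips else "low"})
        known_ips[ev["user"]].add(ev["ip"])
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(LOG_LINES)):
        print(alert)
```

On the sample log, carol's single typo produces nothing, bob's account is flagged the moment the guessing run succeeds, and alice's later login from the same attacker address is escalated because that address already broke into bob. Those two alerts are the events that warrant forcing a reset and revoking sessions; a quarterly reminder would have caught neither.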
By adopting these evidence-based recommendations, organisations can move towards a more effective and user-friendly approach to password security, ultimately enhancing their overall security posture while minimising user burden. Future research could further explore the long-term impact of removing password expiration policies in diverse organisational settings and continue to refine strategies for promoting the adoption of strong password practices.
Table 1: Summary of Key Academic Studies on Password Expiration Policies
Study Title | Authors | Year | Methodology | Key Findings Related to Password Expiration and Strength |
Quantifying the Security Advantage of Password Expiration Policies | Chiasson & van Oorschot | 2015 | Analytical Model | Security advantage of password expiration is relatively minor at best; its benefit is questionable in light of overall costs. |
Let’s Go in for a Closer Look: Observing Passwords in Their Natural Habitat | Pearman et al. | 2017 | Observational Study | Users cope with a large number of passwords by partially and exactly reusing passwords across most of their accounts. |
User Behaviours and Attitudes Under Password Expiration Policies | Habib et al. | 2018 | Surveys | Forced password expiration may not have significant positive or negative effects on password security; replacement passwords often no stronger; repeating security advice can cause users to internalise it even if evidence is scant. |
Measuring Password Guessability for an Entire University | Mazurek et al. | 2013 | Analysis of Real-World Passwords | Users annoyed by complex password policies tend to create weaker passwords; stronger passwords correlated with higher error rates when entering them. |
The Security of Modern Password Expiration: An Algorithmic Framework and Empirical Analysis | Zhang et al. | 2010 | Algorithmic Framework | New passwords can often be predicted based on knowledge of old ones; the framework could guess a significant percentage of new passwords. |
Balancing Password Security and User Convenience: Exploring the Potential of Prompt Models for Password Generation | Almomani | 2023 | Experimental Study | Explores password generation using prompt models; highlights the ongoing challenge of balancing security and convenience. |
Evolution of Password Expiry in Companies: Three Years After Recommendations Changed | Gerlitz et al. | 2023 | Surveys | While use of password expiry decreased after updated recommendations, a significant portion of companies still use it, often citing security concerns or stakeholder requirements. |
Table 2: Comparison of Password Policy Recommendations from NIST and ENISA
Recommendation | NIST SP 800-63B | ENISA |
Password Expiration | SHALL NOT require periodic changes unless compromise is evident. | Emphasises strong, unique passwords; less emphasis on forced rotation, especially with MFA. |
Password Length | Minimum 8 characters (user-chosen); SHOULD require 15+; verifier SHALL accept at least 64. | Recommends strong passwords (mix of letters, numbers, special characters). |
Password Complexity | SHALL NOT impose character composition rules. | Recommends a mix of letters, numbers, and special characters. |
Password Managers | SHOULD allow and encourage use. | Recommends using password managers. |
MFA | Strongly recommends and often mandates for higher assurance levels. | Emphasises enabling Two-Factor Authentication (2FA) or Multi-Factor Authentication (MFA). |
Blocklists | SHALL check against lists of known compromised passwords. | Recommends checking if accounts appear in data breaches. |