For as long as I can remember, we’ve been told that “Security Best Practice” requires us to reset our passwords on a frequent basis.

It seems to make sense. Changing our password frequently means each password is only valid for a limited length of time, so if a cyber criminal gets their hands on it, they only have a short window in which to use it before it gets reset.

To align to this ‘Best Practice’, many organisations still apply a password expiry policy of 90 days, forcing their staff to set a new password each time.

So what?

The dirty little secret of the security world is that we always knew ‘Best Practice’ was ‘Not Followed in Practice’.

Expecting a human to set a unique and complex password for every login account every 90 days was never going to be sustainable (or should I say $ust8inAble?).

To remember these passwords, humans would ignore plenty of other ‘Security Best Practices’ and:

  • Write the password down
  • Reuse the same password across multiple systems
  • Change one character in their password, or add a number to the end of the previous password, so they can remember it.

So what can you do?

You may not have heard the good news: ‘Best Practice’ has now caught up with reality.

It is now accepted by those who define “Security Best Practice” (e.g. NIST) that forcing periodic password resets causes many unintended and unwelcome consequences.

The guidance is now clear* – Organisations should not force staff to frequently change their passwords unless there is an indication that a cyber criminal may have got their hands on the password.

If your organisation is still forcing regular password resets, stop changing your passwords – it’s time to change your policy.

* Before we all go and turn off automatic password expiry, there are other elements in the latest guidance – e.g. 

  • Requiring staff to use a long password rather than a complex one
  • Providing a password manager so people no longer need to remember lots of passwords
  • Enforcing the use of Multi-Factor Authentication so the password is not as important
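To make the change of policy concrete, here is an added example (written for this post, not code from the original, from NIST or from Netwrix) of a password-acceptance check built on the newer guidance: it enforces length rather than character classes, rejects a new password that is merely a tweak of the previous one (the coping patterns listed above), and triggers a reset only when a password is known to be compromised rather than on a calendar. The minimum length of 15, the `COMPROMISED` set and every password string in it are constructed assumptions for the example, not figures from the post.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumed thresholds for this example; the post gives no specific numbers.
MIN_LENGTH = 15          # length is the requirement, not "complexity"
MAX_LENGTH = 128         # long enough to allow passphrases

# Constructed stand-in for a breach corpus (the real thing would be a
# hashed list such as a "have I been pwned" style feed, checked offline).
COMPROMISED = {"password", "correct horse battery staple", "Winter2024!"}


@dataclass
class Verdict:
    ok: bool
    reason: str


def _stem(s: str) -> str:
    """Drop trailing digits/punctuation so 'Rex2024!' and 'Rex2025!' compare equal."""
    return re.sub(r"[\d!@#$%^&*]+$", "", s)


def is_trivial_variant(new: str, old: Optional[str]) -> bool:
    """True when `new` is the old password with the trailing number bumped,
    one character swapped, or characters bolted on at either end -- exactly
    the workarounds people use when forced to rotate every 90 days."""
    if not old:
        return False
    n, o = new.lower(), old.lower()
    if n == o:
        return True
    # same stem once the trailing counter is removed ("...2024!" -> "...2025!")
    if _stem(n) and _stem(n) == _stem(o):
        return True
    # exactly one character changed in place
    if len(n) == len(o) and sum(a != b for a, b in zip(n, o)) == 1:
        return True
    # old password embedded whole inside the new one (prefix/suffix added)
    if o in n:
        return True
    return False


def evaluate_new_password(new: str, old: Optional[str] = None) -> Verdict:
    """Decide whether a proposed password is acceptable under the newer guidance."""
    if not (MIN_LENGTH <= len(new) <= MAX_LENGTH):
        return Verdict(False, f"length must be {MIN_LENGTH}-{MAX_LENGTH} characters")
    if new.lower() in {p.lower() for p in COMPROMISED}:
        return Verdict(False, "password appears in a breach corpus")
    if is_trivial_variant(new, old):
        return Verdict(False, "too similar to the previous password")
    return Verdict(True, "accepted")


def reset_required(current: str) -> bool:
    """A reset is driven by evidence of compromise, never by password age."""
    return current.lower() in {p.lower() for p in COMPROMISED}


if __name__ == "__main__":
    old = "MyDogIsCalledRex2024!"
    for candidate in ("MyDogIsCalledRex2025!", "correct horse battery staple",
                      "purple-tractor-cloud-lantern-42"):
        print(candidate, "->", evaluate_new_password(candidate, old))
    print("reset needed for", old, "->", reset_required(old))
```

The similarity check is deliberately simple (stem comparison, one-character difference, containment); its purpose is to show that if you do keep any rotation at all, the "change one character" habit is detectable and the policy should be judged on the passwords it actually produces.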

For more information on the latest NIST guidelines, Netwrix has a great blog post at