Stop Rotating Passwords: Why We Dropped the “Every 90 Days” Rule from Our Pentest Reports

For years, security checklists treated forced password expiry as gospel. Every 30, 60 or 90 days users had to dream up a fresh string of symbols and digits—or face the lock‑out screen. Today, the leading standards bodies agree: that rule is counter‑productive, and we’ve removed it from all web‑application findings in our penetration‑testing reports.


What Changed?

Old Thinking vs. New Evidence‑Based Guidance

  • Old thinking: Frequent password changes limit the window in which a stolen password is useful.
    New guidance: Attackers rarely wait months to use a stolen credential; meanwhile mandatory resets push honest users toward patterns like Winter2025!, which are trivial to guess.
  • Old thinking: Periodic resets assume users can remember fresh, strong secrets without fallback.
    New guidance: Users often recycle tweaks (e.g., “Password1!” → “Password2!”) or store credentials insecurely, undermining password strength.
  • Old thinking: Forced expiry reduces the attack window.
    New guidance: Modern breach notification services and multi‑factor authentication shrink the effective window without imposing user friction.
  • Old thinking: A uniform policy is easier for admins to enforce.
    New guidance: Risk‑based policies informed by anomaly detection and breach feeds target resets only where compromise is likely, focusing security effort where it matters.

Key Standards

  • NIST 800‑63B explicitly says verifiers “SHOULD NOT require memorized secrets to be changed arbitrarily.” (NIST Pages)
  • The UK National Cyber Security Centre (NCSC) warns that forced expiry “harms rather than improves security.” (NCSC)
  • Microsoft dropped password‑expiration policies from its Windows security baseline, calling them low‑value compared with MFA and breach monitoring. (Tech Community)

Why We Killed Password Rotation Findings

During web‑app pentests, we used to flag “Password must expire every X days” when the setting was missing. That recommendation is now gone. Here’s why:

  1. Real‑world behavior beats theory. Users respond to constant resets by recycling tweaks (“Password1!” → “Password2!”) or writing passwords down.
  2. Modern controls outperform it. Multi‑factor authentication, breach‑alerting APIs, and passkeys cut the risk far more effectively.
  3. Standards alignment. Our clients benchmark against NIST, ISO 27001, SOC 2, and CIS; none mandate periodic resets anymore unless a compromise is suspected.

What We Recommend Instead

  1. One long, unique passphrase per account – four or five random words are plenty.
  2. Turn on MFA or, better, move to passkeys/FIDO2 where the password disappears entirely.
  3. Watch for compromise: integrate Have I Been Pwned or a similar breach feed and force a reset only if a credential leaks or suspicious activity spikes.
  4. Use a password manager (our choice is Bitwarden) so staff never reuse secrets across systems.
  5. Review shared/service accounts yearly; if they can’t use MFA, schedule a manual change.
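Recommendation 3 in practice: the check below replaces a calendar‑driven reset with a breach‑driven one. It is an added example written for this post, not Sayfer's own code. It uses the Have I Been Pwned "Pwned Passwords" range endpoint (k‑anonymity: only the first five hex characters of the SHA‑1 hash leave your server); the sample response body is constructed so the parsing logic runs offline, while `fetch_range` performs the real lookup when no body is supplied.

```python
import hashlib
import urllib.request
from typing import Optional, Tuple

# Real HIBP k-anonymity endpoint; the full hash (and the password) never leaves the host.
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_sha1(password: str) -> Tuple[str, str]:
    """Return (5-char prefix, 35-char suffix) of the uppercase SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count_from_range(suffix: str, range_body: str) -> int:
    """Parse a range response ('SUFFIX:COUNT' per line) and return the count for our suffix.

    Padded responses (Add-Padding header) contain filler lines with count 0, so a match
    with count 0 is treated the same as no match: not breached.
    """
    for line in range_body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str, timeout: float = 5.0) -> str:
    """Fetch the hash range for a 5-char prefix from HIBP (network call)."""
    req = urllib.request.Request(PWNED_RANGE_URL + prefix, headers={"Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def is_breached(password: str, range_body: Optional[str] = None) -> bool:
    """True when the password appears in a known breach; this, not age, triggers a reset."""
    prefix, suffix = split_sha1(password)
    body = range_body if range_body is not None else fetch_range(prefix)
    return breach_count_from_range(suffix, body) > 0


# Constructed sample body for prefix 5BAA6 (SHA-1 of "password" starts with 5BAA6);
# the counts and filler suffixes are made up for the offline demonstration.
SAMPLE_RANGE_5BAA6 = "\n".join([
    "003D68EB55068C33ACE09247EE4C639306B:3",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
    "0000000000000000000000000000000000A:0",  # padding-style line, count 0
])

if __name__ == "__main__":
    print("password breached:", is_breached("password", SAMPLE_RANGE_5BAA6))
```

At set‑password time and on login, call `is_breached` and trigger a reset only on a hit; a password that is not in any breach feed keeps working regardless of its age.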

The Bottom Line for CISOs

Mandatory expiry made sense when passwords were the sole line of defense. In 2025 it is a relic that drains productivity and weakens security posture. By aligning your policies with NIST, NCSC, and Microsoft—and by embracing MFA and passkeys—you gain stronger protection and happier users.

We’ll keep rooting out real vulnerabilities during your next penetration test—but you won’t see “30‑day password rotation” on the action list again.

Written By
Anna Shreder

Anna is a security researcher at Sayfer. She’s passionate about understanding and researching the attack and defense vectors that appear in new and emerging technologies.