For the millionth time, we don’t have to change passwords every 90 days

Posted on Wednesday, Mar 29, 2023 by Chris Hayner

Featured in this episode of Chaos Lever

Another day, another breathless breakdown of how bad password change mandates are for overall IT security. Look: I get it. When the company first went online in the '90s, Alan decided that we all have to change our passwords every 3 months. It's safer, right? This way, if your password gets lost, it can only be a problem for a finite number of weeks.

But guys. We've been over this. That's dumb. It was the '90s! That was THIRTY YEARS AGO. That's when Star Fox came out for the Super Nintendo! And Alan doesn't even work here anymore!!!

NIST hasn't recommended a password rotation schedule as best practice since 2017. Mandated password changes unambiguously lead to weaker passwords, and they annoy users. Admittedly, a lot of these pains should be ameliorated by password managers, but that doesn't help when you're talking about the password you type to log in to your computer every day.

Passwordless solutions like Windows Hello will help a lot in this area, but back to the point. Scheduled password changes are dumb and counterproductive. Stop mandating them.
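To make the difference concrete, here is an added example (not from the post) that puts the two policies side by side: the calendar-driven 90-day rule, and the evidence-driven rule NIST SP 800-63B has recommended since 2017, which forces a change only when there is evidence of compromise, including the current password showing up in a breached-password list. The accounts, passwords and "breach corpus" are all constructed for the example; passwords are represented by SHA-1 digests, the form breached-password lookups usually take, so nothing here stores plaintext.

```python
"""Compare a calendar-driven rotation rule with an evidence-driven one.

Constructed example: the accounts and the 'breach corpus' are made up.
Passwords appear only as SHA-1 digests, mirroring how breached-password
lookups are commonly performed.
"""
import hashlib
from dataclasses import dataclass


def sha1_hex(password: str) -> str:
    """Uppercase SHA-1 hex digest, the form breached-password lists commonly use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


@dataclass(frozen=True)
class Account:
    user: str
    password_age_days: int      # days since the password was last set
    password_sha1: str          # digest of the current password
    compromise_evidence: bool   # set by incident response when the credential is known exposed


# Constructed breach corpus: digests of passwords seen in a fictional dump.
BREACHED = {sha1_hex(p) for p in ("Spring2023!", "Password1", "letmein")}

# Constructed accounts covering the interesting cases.
ACCOUNTS = [
    Account("alice", 400, sha1_hex("c0rrect-h0rse-battery-staple-42"), False),  # strong, old, fine
    Account("bob",   95,  sha1_hex("Spring2023!"), False),                     # weak and in the dump
    Account("carol", 10,  sha1_hex("x9$Lq2!vE8#pRt4z"), True),                  # phished last week
    Account("dave",  30,  sha1_hex("letmein"), False),                         # recent but breached
]


def legacy_policy(acct: Account, max_age_days: int = 90) -> bool:
    """The 'Alan' rule: force a change purely because the calendar says so."""
    return acct.password_age_days > max_age_days


def evidence_policy(acct: Account, breached: set[str] = BREACHED) -> bool:
    """NIST SP 800-63B style: force a change only on evidence of compromise,
    which includes the password appearing in a breached-password list."""
    return acct.compromise_evidence or acct.password_sha1 in breached


def forced_changes(accounts, policy) -> list[str]:
    """Usernames the given policy would force to pick a new password today."""
    return [a.user for a in accounts if policy(a)]


if __name__ == "__main__":
    print("90-day rule forces:", forced_changes(ACCOUNTS, legacy_policy))
    print("evidence rule forces:", forced_changes(ACCOUNTS, evidence_policy))
```

Run it and the 90-day rule forces alice and bob, while the evidence rule forces bob, carol and dave. The legacy rule makes alice throw away a strong password that nothing is wrong with, and says nothing about carol (phished) or dave (using a breached password) because their passwords are young; the evidence rule catches exactly the three accounts that are actually at risk.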