The school I teach at insists we change our password every 30 days. For several years this was not the case and I had a very long, difficult to guess password. Now that we are having to change them every 30 days I am now using a much weaker and shorter password.
Our work accounts are linked to Office 365 for email, document sharing, etc. However, we use two factor authentication on the remote systems. Yet like @ryanjamurphy we still have to change the password every 30 days.
My employer and one of our biggest customers both require me to do that (every 90 days), but even NIST (which introduced this "best practice" in 2004) now recommends against this:
The article lists a few good reasons to change a password (but just the passing of time is not one of them):
When weak or reused passwords are identified and need to be replaced with strong, unique passwords.
When there is evidence to suggest a password has been compromised - for example, if it appears on a data breach list.
When employees who have access to a shared password leave or work on remote systems which do not log shared password usage.
My experience across many different organisations, including universities, is that this is still very common.
I put it down to two things:
- It's aimed at the significant number of users that use insecure passwords - I still think it's a minority that take any care over this
- IT departments are slow to change procedures, too easily bound by "that's the way we've always done it" and convinced that users are stupid and lazy and therefore need to be kept on a very short lead.
I use 3-5 word passphrases by choice - but I have yet to work in an organisation that accepts spaces or that doesn't mandate (repeat after me) "At least one upper case character and at least one number"
I agree with Glenn, and I believe passwords need not be changed given the following is practiced:
Unique login email for each platform
Unique strong password for each platform
Glenn's reasoning follows from these, and the two points are not apparent in the article title.
Instead of spending time changing passwords (which is an exercise covering hundreds of sites), I'd rather spend the time on other things e.g. reviewing my online profiles/plugins periodically and removing/revoking permissions to those I no longer use. (And of course, one can argue that saving time is saving lives/avoiding harm: after all, wasting time is akin to killing oneself slowly.)
For personal use case, I think mostly everybody is safe by using unique strong passwords combined with 2FA, and there is no need to change the password ever unless there is some kind of breach on the affected service.
For corporate accounts we are out of luck and have to come up with new passwords every couple of months due to obsolete security governance procedures, it's terrible.
Usually happens on corporate systems. This makes me cringe when I put a strong password and the system refuses because it does not exactly match their preset weaker rules. Although it's atrocious, it's the lesser evil from a security perspective as it's better to alienate your bunch of security savvy users than having most employees use absolutely stupid, guessable passwords. And if you strengthen the rules then you have your own users request help from Helpdesk because they forgot their credentials, if they did not use a post-it note on their monitor to remember it.
You're right. What does it take to perform SIM-doubling? I guess it needs to be a more targeted attack including social engineering with the mobile carrier, right? But when thinking of targeted attacks, I can easily be targeted on the street near any ATM or when coming back home.
My bank does allow 20 character passwords and requires upper, lower, and numerical. But it only offers SMS 2FA. SMS is better than nothing, but just barely. We desperately need a secure replacement.
I have a few private domains and use one to create unique email addresses for each new account I create. Now instead of using my original gmail address for all my routine accounts (which I did for years) I have logons like paramount@mydomain.ext or netflix@mydomain.ext, etc.
The advantage of this is the ability to turn off an address if it starts being abused (instead of relying on a spam filter). Or in the case of streaming services, etc. that I only use occasionally, I can easily filter out the "please come back" special offers they send when I'm not paying them.
If I were a fastmail user I would definitely consider using this.
Of course making people constantly change their password - to the average person - actively encourages them to use weak passwords, re-use old passwords, etc.
Those admin people concerned about those weak passwords could always just compare the password you're trying to set with a database like the one at HaveIBeenPwnd and see if it's in there. If not, reject it.
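The breach-list check suggested in the comment above, as an added example that is not part of the thread or of Have I Been Pwned's own code. It follows the k-anonymity shape of the Pwned Passwords range API (send the first five hex characters of the uppercase SHA-1, receive every known suffix for that prefix with a count), but the range response embedded below is constructed so the script runs offline; only the entry for "password" uses its real SHA-1 suffix. The policy function then does what several commenters ask for: reject breached or very short passwords, accept spaces, and impose no "one upper case and one number" composition rule.

```python
import hashlib
from typing import Callable, Dict, Tuple

# Constructed stand-in for the Pwned Passwords range API. The real service
# answers GET https://api.pwnedpasswords.com/range/<prefix> with lines of the
# form "<35-hex-char suffix>:<count>", so the full hash never leaves the client.
# The counts and the second suffix here are made up for this example.
CONSTRUCTED_RANGE_RESPONSES: Dict[str, str] = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"  # real sha1("password") suffix
        "00A8DAE4228F821FB418F59826079BF368E:2\r\n"        # constructed filler entry
    ),
}


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the uppercase hex SHA-1 of the password into the 5-char prefix
    that is sent to the service and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def offline_fetch_range(prefix: str) -> str:
    """Offline substitute for the HTTP call; unknown prefixes yield an empty body."""
    return CONSTRUCTED_RANGE_RESPONSES.get(prefix, "")


def parse_range_response(body: str) -> Dict[str, int]:
    """Turn 'SUFFIX:COUNT' lines into a suffix -> count map, skipping malformed lines."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str,
                 fetch_range: Callable[[str], str] = offline_fetch_range) -> int:
    """How many times the password appears in the breach corpus (0 if unseen).
    Only the prefix is handed to fetch_range; the suffix match happens here."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def evaluate_password(password: str, min_length: int = 12,
                      fetch_range: Callable[[str], str] = offline_fetch_range) -> str:
    """Policy from the thread: breached passwords are rejected first, then a
    length floor applies. Spaces are fine, so multi-word passphrases pass."""
    seen = breach_count(password, fetch_range)
    if seen:
        return f"reject: seen {seen} times in breach data"
    if len(password) < min_length:
        return f"reject: shorter than {min_length} characters"
    return "accept"


if __name__ == "__main__":
    for candidate in ("password", "short", "correct horse battery staple"):
        print(f"{candidate!r}: {evaluate_password(candidate)}")
```

To use this against the live service, replace `offline_fetch_range` with a function that performs the HTTP GET for the prefix and returns the response body; the hashing, parsing and matching stay the same, and the server never learns more than the five-character prefix.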
Because it takes a considerable amount of time if you're doing it on a number of websites. Because changing it doesn't provide any inherent benefit. Because from a tracking standpoint, it introduces another point of failure into your password management. And...
If the tech companies are storing your password in plain text, changing it doesn't matter in practicality. The employees at that company can already access your password - and that's a far bigger security issue than a breach.
If they're not storing your password in plain text, breaches don't matter from a practical standpoint if you have a strong password. See my longer comments above.
And in any case, if they got your password for a given site they'd have your password for that site - not any other Internet account passwords.
Agree 100% with that list. And nothing on that list really applies to somebody that's using software like 1Password and generating good passwords for all of their logins.
But I think best practices will be determined after the fact, not preemptively. For example, if quantum computing lets hackers rip through 70,000 hashes of 50-character 1Password "gibberish" passwords and extract them in real time, changing your password to another 50-character 1Password "gibberish" password - that's then hashed by the same algorithms - will have zero effect in practicality.
That's not a good reason to spend a ton of time constantly rotating passwords now.
How important do you think this actually is, as long as somebody uses different passwords for everything? To me the main benefit would be that it doesn't allow other metadata to be tied, and wouldn't actually have much to do with security.
Out of curiosity, which financial institutions are still only allowing 10 characters? I'd be very tempted to put my money somewhere else if at all possible.
I don't disagree, but sometimes an organization has no choice. At my last company we took credit cards and several years ago all the major credit card companies formed the Payment Card Industry. From that point on we had to comply with all their requirements including requiring passwords be changed every 90 days in order to accept credit cards for payment. Fun times.
BTW, they require that passwords must be at least seven characters long.
Yes, I agree that the main benefit stems from difficulty in linking the login to other metadata. It may provide some benefit if the email is the login ID - another additional point to crack (assuming the hacker does not already have the information); and I can easily identify the source of spam/phishing emails and shut it down.
I am really fascinated by this point (and also mentioned by others above, I think) - unintended consequences in policy design.
It's a function of the fact that most people don't use password managers - they use the same passwords over and over.
"Come up with one really good password" isn't all that hard for most people. "It's been 60 days - come up with another good password" - that one is harder. And once they're asked for the fifth or sixth time, it's something like their dog's name followed by "123", followed by an exclamation point or a question mark.
It also leads to passwords being written on post-it notes on their computers, and text files on the desktop called "Passwords" with the passwords they use.