It seems like you're asking me to change my password every x days. I don't think this is a good idea. You're signalling that your authentication and IAM maturity isn't where it should be[^1].
You don't have to take my word for it.
| Source | Quote |
|---|---|
| NIST 800-63B rev.3 | Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers[^2] SHALL force a change if there is evidence of compromise of the authenticator. |
| NCSC UK | Regular password changing harms rather than improves security. Many systems will force users to change their password at regular intervals, typically every 30, 60 or 90 days. This imposes burdens on the user and there are costs associated with recovering accounts. |
| NCSC NL | Periodic modification of passwords provides only marginal improvement and in practice leads to easier to guess passwords. The NCSC advises not to impose any restrictions on this.[^3] |
| BSI (German Federal Office for Information Security) | Regular, unprovoked password changes lead to the use of increasingly weaker passwords.[^4] |
| Canadian Centre for Cyber Security | Password aging places a heavy burden on users and can result in users engaging in less secure behaviours (such as writing down passwords and not storing them appropriately). The security value these security controls provide is debatable. Even with a 90-day expiration period, password aging provides an average exploitation window of 45 days. |
| ISO 27002:2022 5.17 | Requiring frequent change of passwords can be problematic because users can get annoyed by the frequent changes, forget new passwords, note them down in unsafe places, or choose unsafe passwords. |
| OWASP Authentication Cheat Sheet | Ensure credential rotation when a password leak occurs, at the time of compromise identification or when authenticator technology changes. Avoid requiring periodic password changes; instead, encourage users to pick strong passwords and enable Multifactor Authentication (MFA). According to NIST guidelines, verifiers should not mandate arbitrary password changes (e.g., periodically). |
| | Password expiration is turned off by default because research has shown little positive impact on security. |
| Microsoft | Current research strongly indicates that mandated password changes do more harm than good. They drive users to choose weaker passwords, reuse passwords, or update old passwords in ways that are easily guessed by hackers. |
This sort of problem has been systematically covered for quite a while now.
On the other side, the sources that still call for password expiration:
| Source | Quote |
|---|---|
| CIS Benchmarks Password Policy Guide | Change immediately based on with a one-year expiration "backstop" (annual).[^5] |
| PCI DSS v4.0.1 | If passwords/passphrases are used as the only authentication factor for user access (i.e., in any single-factor authentication implementation) then either: • Passwords/passphrases are changed at least once every 90 days, OR • The security posture of accounts is dynamically analyzed, and real-time access to resources is automatically determined accordingly. This requirement does not apply to in-scope system components where MFA is used. |
| Multi-Level Protection Scheme (MLPS 2.0)[^6] | Check whether passwords are periodically changed. |
| Your organisation | Password must be rotated every 90 days |
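As an added example (not code from the post or from any of the bodies quoted above), the two rotation rules that actually have conditions attached, NIST 800-63B's compromise-triggered change and PCI DSS v4.0.1's 90-day rule for single-factor accounts, written as a policy check over a constructed account inventory. The `Account` fields, the `accounts_needing_change` function and the sample dates are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import date

# PCI DSS v4.0.1: a password used as the sole factor must change at least every 90 days
PCI_MAX_AGE_DAYS = 90


@dataclass
class Account:
    """Minimal account record; this field set is an assumption of the example."""
    name: str
    last_change: date                 # date the current password was set
    mfa_enabled: bool                 # a second factor is enforced at login
    compromise_evidence: bool         # e.g. the credential turned up in a breach corpus
    dynamic_risk_analysis: bool = False  # PCI's alternative to calendar-based rotation


def nist_requires_change(acct: Account) -> bool:
    """NIST 800-63B: no arbitrary expiry; a change is forced only on compromise evidence."""
    return acct.compromise_evidence


def pci_requires_change(acct: Account, today: date) -> bool:
    """PCI DSS v4.0.1 as quoted: the 90-day rule applies only to single-factor accounts
    that are not covered by dynamic risk analysis. Compromise evidence is kept as a
    trigger here too (the NIST SHALL and the OWASP guidance quoted above)."""
    if acct.compromise_evidence:
        return True
    if acct.mfa_enabled or acct.dynamic_risk_analysis:
        return False  # requirement does not apply / alternative control in place
    return (today - acct.last_change).days > PCI_MAX_AGE_DAYS


def accounts_needing_change(accounts, today: date, regime: str) -> list:
    """Sorted names of accounts that must rotate under the given regime."""
    if regime == "nist":
        return sorted(a.name for a in accounts if nist_requires_change(a))
    if regime == "pci":
        return sorted(a.name for a in accounts if pci_requires_change(a, today))
    raise ValueError(f"unknown regime: {regime}")


# Constructed sample inventory evaluated on a fixed date; none of these are real accounts.
AS_OF = date(2024, 6, 1)
SAMPLE_ACCOUNTS = [
    Account("alice", date(2023, 1, 10), mfa_enabled=True, compromise_evidence=False),
    Account("bob", date(2024, 1, 1), mfa_enabled=False, compromise_evidence=False),
    Account("carol", date(2024, 5, 20), mfa_enabled=False, compromise_evidence=True),
    Account("dave", date(2023, 6, 1), mfa_enabled=False, compromise_evidence=False,
            dynamic_risk_analysis=True),
]

if __name__ == "__main__":
    for regime in ("nist", "pci"):
        print(regime, accounts_needing_change(SAMPLE_ACCOUNTS, AS_OF, regime))
```

Under NIST only the account with compromise evidence is flagged; under PCI the 152-day-old single-factor password is flagged as well, while the MFA-protected and dynamically analysed accounts are exempt despite being older.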
Research shows[^7][^8] that password expiry is not beneficial, and this is reflected in (some) national guidance and standards.
Unless you're subject to MLPS 2.0, please don't ask me to change my password without a reason.
[^1]: or, at the very best, that you're operating in a space where you have to follow conflicting requirements.
[^2]: In NIST 800-63 parlance, "the party to be authenticated is called a claimant and the party verifying that identity is called a verifier".
[^3]: Translated from Dutch using Google Translate.
[^4]: Translated from German using Google Translate.
[^5]: I think this is outdated, as CIS Controls v8 doesn't mention password expiration or rotation.
[^6]: I couldn't find a direct link to MLPS 2.0, so I'm using the Alibaba Cloud MLPS compliance checks.