Is it time to STOP expiring passwords?

Picture the scene: you’ve just been on a wonderful vacation. It’s been a great time to relax and do something you love, but now you are walking into your place of work.

Waiting for you is a mountain of emails and you want to get right to it.

You take out your iPad, Android tablet or open up your laptop and turn it on.

Then it hits you, those words you dread: “Your password has expired”.

Today is the last day you want to be changing your password. You’ve got enough to think about, but you have little choice. You wonder whether you should have reset your password before you went on vacation but you’re not sure that would have made any difference.

After fighting with the complicated set of rules that define what your password can be, you eventually pick a new one. For the rest of the day, and the next few, you try to remember to type the new password rather than the old one. I characterise this as The Four Ages of Remembering a New Password.

Recently, the UK government’s IT security advisor, the CESG, reiterated and gave further explanation for advice it gave in September 2015:

Regular password expiry is a common requirement in many security policies. However, in CESG’s Password Guidance published in 2015, we explicitly advised against it.

(Read more: The problems with forcing regular password expiry)

Scheduled password expiry has been a dogma of enterprise IT security for many decades. It’s so embedded into the fabric of the IT landscape that it sounds scandalous for an organization as esteemed as the CESG to challenge it, but challenge it they have.

The argument that they make, in summary, is that the “usability costs” of regular password changes make people adopt coping mechanisms that themselves lead to other security vulnerabilities:

It’s one of those counter-intuitive security scenarios; the more often users are forced to change passwords, the greater the overall vulnerability to attack. What appeared to be a perfectly sensible, long-established piece of advice doesn’t, it turns out, stand up to a rigorous, whole-system analysis.

The CESG isn’t recommending that organizations stop worrying about password vulnerabilities; they are recommending that organizations use other measures that do not involve scheduled password expiry and have a lower “usability cost.” They are proposing measures that they believe are better matched to the vulnerabilities that passwords face today.

The following diagram highlights what they believe are the vulnerabilities and the measures:

Speaking as someone whose core skills are in the workplace and productivity arena (with a lot of experience working with customers who are very security conscious though not as a security expert), these approaches make far more sense than password expiry. Whilst the approach of regular password expiry is embedded in corporate IT, it isn’t in places where you might expect it to be if it were such a good approach.

My bank doesn’t ask me to change my password regularly; it makes sure that I have a password I can remember by requiring both a password and a PIN. For sensitive transactions, it makes me use two-factor authentication. Amazon doesn’t make me change my password regularly. When I log on to Twitter from a new device, it sends me a message to let me know and to confirm that it’s really me. All of these approaches have a far lower “usability cost” than the regular password change, and it’s those approaches that the CESG is advising UK government organisations to adopt.

It really is time to stop regular password expiry.

(I thought I would explain how I come to know about this advice. Firstly, I saw it back in September when the CESG published it because it was shown on their twitter feed. However, being a busy man, I forgot all about it. Then the other day Chris Swan and Stuart Downes highlighted the reiteration of the advice on their twitter.)

Graham Chastney is a DXC technologist. He has worked in the arena of workplace technology for over 25 years, starting as a sysprog supporting IBM DISOSS and DEC All-in-1. Latterly Graham has been working with DXC customers to help them understand how they can exploit the changing world of workplace technology. Graham lives with his family in the United Kingdom.


  1. I couldn’t agree more – this is a typical example of something which technically sounds like a good idea on paper, not working in the real world. In reality I suspect most people (where system policies allow it) just add a number to their password each time, so Password1, Password2 etc…. either that or they end up writing it down or saving it in a Notepad doc or something, which makes it less secure than a really secure password they can actually memorise.

    Much better to forget password expiry and implement a much more all-round security policy, including holistic detection and perhaps also Two-Factor authentication by sending an SMS with a web provider like Telecoms Cloud.

  2. Liz Sawyer says:

    Great point. It seems timely to look into evidence which illustrates amount of increased Risk for reduced IT costs.

  3. Dave Rideout says:

    Oh wait and it gets better, I have all my accounts in a password manager which does not have a password expiration policy and also allows you to use simple passwords. Actually mine uses 2fa, but you get the idea… 🙂

  4. Good article (and I appreciate it’s a few years old; Nick Selby’s recent article prompted me to read this). Do you know of any UK enterprises that have adopted this practice? I note that NCSC and CPNI both still force password rotation on their portals, so I’m still a bit dubious of advice given by NCSC.

    • I know of a number of organisations moving that way. The real challenge is how you transform. Password changes are so entrained in so many systems that it can’t all be changed quickly, and in some cases it can’t be changed without significant code changes.

      • I think we’d have no issue with our core systems; the resistance I have received was cultural rather than technical. My proposal was to start with standard users on AD first and slowly spread out from there, apply enhanced monitoring on failed password attempts, only allow passwords not found in Troy Hunt’s password list, etc. I think it’s a great approach. I have always felt rotation to be a weak control, but even now with official guidance pushing us that way we’re still not ready to take the plunge, it seems.

      • Cultural changes require so much more effort than technical ones. I find it’s very difficult to argue with cultural road blocks.
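The two controls proposed in the thread above (rejecting passwords that appear in a breach corpus such as Troy Hunt’s list, and monitoring failed login attempts) are easy to sketch in code. The following is an added example, not code from the article or from any of the commenters. It assumes a small constructed breached-password list and an invented authentication log format; the lookup mimics the k-anonymity scheme the Pwned Passwords range API uses (SHA-1 of the password, with only the first five hex characters of the hash sent to the service), built locally so it runs offline.

```python
import hashlib
import re
from collections import defaultdict

# Constructed list of breached passwords with made-up occurrence counts,
# standing in for a corpus such as Troy Hunt's Pwned Passwords (assumption).
KNOWN_BREACHED = {
    "password": 3_730_471,
    "Password1": 123_456,
    "letmein": 274_000,
    "Summer2015!": 1_200,
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the hash the range lookup is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_ranges(breached: dict) -> dict:
    """Group hashes by their first five hex characters (the k-anonymity 'range').

    A real client sends only this five-character prefix to the service and
    receives every suffix in that range, so the full password hash never
    leaves the client. Here the ranges are built locally from the constructed list.
    """
    ranges = defaultdict(dict)
    for pw, count in breached.items():
        digest = sha1_hex(pw)
        ranges[digest[:5]][digest[5:]] = count
    return ranges


RANGES = build_ranges(KNOWN_BREACHED)


def breach_count(password: str, ranges: dict = RANGES) -> int:
    """Return how often the password appears in the corpus (0 if never seen)."""
    digest = sha1_hex(password)
    return ranges.get(digest[:5], {}).get(digest[5:], 0)


def is_acceptable(password: str, min_length: int = 8):
    """Password acceptance check with no scheduled expiry and no composition rules.

    Rejects only passwords that are too short or already in the breach corpus,
    which is the kind of control the thread proposes in place of rotation.
    """
    if len(password) < min_length:
        return False, "too short"
    seen = breach_count(password)
    if seen:
        return False, f"found in breach corpus {seen} times"
    return True, "ok"


# Constructed authentication log lines (format invented for this example).
LOG_LINES = [
    "2016-05-02T09:00:01Z auth FAILED user=alice src=203.0.113.7",
    "2016-05-02T09:00:02Z auth FAILED user=alice src=203.0.113.7",
    "2016-05-02T09:00:03Z auth FAILED user=bob src=203.0.113.7",
    "2016-05-02T09:00:04Z auth FAILED user=carol src=203.0.113.7",
    "2016-05-02T09:00:05Z auth FAILED user=dave src=203.0.113.7",
    "2016-05-02T09:00:06Z auth FAILED user=erin src=203.0.113.7",
    "2016-05-02T09:00:07Z auth FAILED user=alice src=198.51.100.9",
    "2016-05-02T09:00:08Z auth OK user=alice src=198.51.100.9",
]

FAILED_RE = re.compile(r"auth FAILED user=(?P<user>\S+) src=(?P<src>\S+)")


def noisy_sources(lines, threshold: int = 5) -> dict:
    """Count failed logins per source address; return those at or above threshold."""
    counts = defaultdict(int)
    for line in lines:
        match = FAILED_RE.search(line)
        if match:
            counts[match.group("src")] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for candidate in ["Password1", "letmein", "correct horse battery staple"]:
        print(candidate, is_acceptable(candidate))
    print(noisy_sources(LOG_LINES))
```

Note that the acceptance check never looks at the age of a password: the only reasons to refuse one are that it is short or that it is already known to attackers. The failed-login counter keys on source address because a single address spraying many accounts is the pattern that rotation was supposed to blunt; counting per account instead would be the natural companion check.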
