Moving Beyond Periodic Password Resets: Smarter Ways to Protect Your Employee Passwords
Forcing Periodic Changes Won’t Make Your Team’s Passwords Any Safer
Implementing multiple security layers, such as strong passphrases, better multi-factor authentication and breach alerts, offers better real-world protection.
For decades, organizations have required employees to change their passwords every 90 days. The logic seemed simple: shorten the lifespan of a password and you limit an attacker’s window of opportunity. But research and real-world evidence show that this approach often weakens security instead of strengthening it. That’s why NIST, CISA, the FTC, Microsoft and other leading authorities now recommend retiring periodic password resets in favor of stronger, modern protections.
Why Frequent Password Changes Backfire
When people know they’ll be asked to change passwords every few months, they adapt in ways that make organizations less secure, including:
Using Predictable Variations — In one Carnegie Mellon University study, 17% of users’ rotated passwords could be guessed in five attempts or fewer using common tweaks like “Spring2024!” → “Summer2024!” (Carnegie Mellon research).
Making Weaker Choices — Employees frequently choose shorter or simpler passwords to make them easier to remember.
Coming Up With Workarounds — When change is enforced, employees tend to write passwords down or reuse them across accounts at different providers.
These behaviors create additional risk. Bad actors can anticipate these predictable patterns and exploit them with automated tools. Meanwhile, IT teams absorb higher help-desk loads around password changes, with little to no added security benefit.
What the Experts Say
There is now broad consensus among leading security bodies that periodic password resets are no longer a best practice. Instead, experts advise that resets should be driven by evidence of compromise, such as alerts from Security Information and Event Management (SIEM) systems, breach reports, and/or risk intelligence. Here’s what the experts have to say:
NIST (National Institute of Standards and Technology)
In SP 800-63B Digital Identity Guidelines, NIST explicitly advises that organizations should not require passwords to be changed arbitrarily (e.g., periodically). Change should only be forced if there is evidence of compromise.
CISA (Cybersecurity and Infrastructure Security Agency)
CISA emphasizes using longer, unique and strong passwords, as well as breach monitoring and MFA, instead of relying on periodic resets (CISA).
FTC (Federal Trade Commission)
The FTC’s Chief Technologist argued all the way back in 2016 that mandatory password changes often do more harm than good. Citing research, they warned that forcing frequent resets leads users to pick weaker, predictable passwords and recommended changing passwords only when there’s evidence of compromise (FTC).
UK’s National Cyber Security Centre (NCSC)
The NCSC advises against forced expiration, noting it leads to insecure password creation and change strategies and ultimately weaker passwords (NCSC).
Microsoft
Lastly, in 2019, Microsoft removed mandatory password expiration from its Windows security baselines, warning that these policies often backfire: users simply replace one password with a predictable, easily guessable modification (Microsoft).
Taken together, these authorities reinforce one message: organizations should make passwords strong and unique, protect them with additional layers like MFA (with anti-fatigue measures such as number matching), and require changes only when necessary.
What Works Better
Instead of relying on a calendar to force password change, modern password security principles emphasize:
Using Long Passphrases — 14+ characters, e.g. several unrelated words strung together.
Screening for Breaches — Block passwords that appear in known compromised-password lists or that contain terms tied to your organization (company names, addresses, division names, etc.).
Enforcing Multi-Factor Authentication (MFA) — Ensures a breached password alone won’t grant access.
Using Password Managers — Reduces password reuse, improves password complexity and can alert security teams to possible compromise.
Using Modern Authentication Methods — Explore adopting technology like passkeys and FIDO2 hardware keys where supported.
Making Resets Event-Driven — Require password changes after confirmed breach reports, suspicious activity, or intelligence-based triggers.
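The screening rules above can be enforced at the point where a password is set. The following is an added example (not InnerCircle’s code or any product’s policy engine) that checks the 14+ character minimum, screens against a compromised-password list by hash, rejects organization-specific terms (including common character substitutions), and, going slightly beyond the list, also rejects the predictable “Spring2024!” → “Summer2024!” style variations described earlier when a previous password is known, which matters for event-driven resets. The breach corpus, organization terms and passwords below are constructed sample data, not real breach records.

```python
import hashlib
import re
import unicodedata
from dataclasses import dataclass, field
from typing import Optional

# --- Constructed sample data for this example -------------------------------
# A real deployment would load a hashed compromised-password corpus and its own
# organization-specific terms from configuration; these are placeholders.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest()
    for p in ("password123", "Summer2024!", "letmein", "correcthorsebatterystaple")
}
ORG_TERMS = ("innercircle", "acme", "maple street")   # hypothetical org terms
MIN_LENGTH = 14                                        # the 14+ characters from the list above

# Season/month followed by a year, the classic "Spring2024!" -> "Summer2024!" tweak
SEASON_OR_MONTH = re.compile(
    r"^(spring|summer|fall|autumn|winter|jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)"
    r"[a-z]*\d{2,4}\W*$",
    re.IGNORECASE,
)
# Common substitutions so "1nnerC1rcle" still matches the org term "innercircle"
LEET = str.maketrans("01345@$!", "oieasasi")


@dataclass
class PolicyResult:
    accepted: bool
    reasons: list = field(default_factory=list)   # empty when accepted


def _letters_only(pw: str) -> str:
    return "".join(c for c in pw.lower() if c.isalpha())


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character tweaks."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_breached(pw: str) -> bool:
    """Hash-compare against the compromised list; never store or log the plaintext."""
    return hashlib.sha1(pw.encode("utf-8")).hexdigest() in BREACHED_SHA1


def contains_org_term(pw: str) -> bool:
    low = pw.lower()
    return any(t in low or t in low.translate(LEET) for t in ORG_TERMS)


def is_predictable_variant(new: str, old: str) -> bool:
    """True when `new` is a rotation tweak of `old`: same letters with different
    digits/symbols (Welcome1! -> Welcome2!), a tiny edit, or season+year -> season+year."""
    if _letters_only(new) == _letters_only(old):
        return True
    if _edit_distance(new.lower(), old.lower()) <= 2:
        return True
    return bool(SEASON_OR_MONTH.match(new) and SEASON_OR_MONTH.match(old))


def evaluate(new_password: str, previous_password: Optional[str] = None) -> PolicyResult:
    """Apply the screening rules; the previous password is only available on an
    event-driven reset, so the similarity check is skipped when it is absent."""
    pw = unicodedata.normalize("NFKC", new_password)   # count characters consistently
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if is_breached(pw):
        reasons.append("appears in a known compromised-password list")
    if contains_org_term(pw):
        reasons.append("contains an organization-specific term")
    if previous_password is not None and is_predictable_variant(pw, previous_password):
        reasons.append("predictable variation of the previous password")
    return PolicyResult(accepted=not reasons, reasons=reasons)


if __name__ == "__main__":
    for new, old in [("Summer2024!", "Spring2024!"),
                     ("correcthorsebatterystaple", None),
                     ("1nnerC1rcle-rocks-2025", None),
                     ("glacier-trumpet-lantern-42", "Spring2024!")]:
        print(f"{new!r}: {evaluate(new, old)}")
```

The rules are deliberately rejection-only: nothing here forces a change on a schedule, and the similarity check exists so that when a reset is triggered by a breach report or a SIEM alert, the replacement is not a trivial tweak of the exposed credential. In production the SHA-1 set would be replaced by a lookup against a full compromised-password corpus, keeping the plaintext out of logs.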
Playing Devil’s Advocate: Should Employees Ever Change Their Passwords?
Does this mean employees should never change their passwords?
No. Password changes are still necessary if there’s reason to believe a password has been compromised.
Should we allow a password to live on indefinitely without change?
No, not if it wasn’t created under today’s standards. Very old credentials may lack the length and uniqueness required for modern resilience. A multi-year review can help phase out legacy weaknesses.
If change isn’t recommended every 90 days, is there a recommended cadence?
There’s no universal time frame. Best practice is that change should be event-driven, e.g. a reset after a confirmed breach, exposure in dark web scans, or suspicious login activity. Many organizations also perform hygiene reviews every 2–3 years to ensure legacy credentials are identified and retired.
What about MFA fatigue? Isn’t MFA being routinely bypassed now?
It’s true that attackers have begun exploiting multi-factor authentication by bombarding users with repeated push notifications until they accidentally approve one (a practice known as MFA fatigue). However, modern MFA policies and proper training help close this gap:
Number matching requires users to enter the number shown on the login screen into their authenticator app, eliminating “approve fatigue.”
Context-aware MFA alerts users to suspicious attempts by showing the device and location of the login.
User training ensures employees know to deny unexpected requests.
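To make concrete why number matching closes the fatigue gap, here is an added example of the server side of such a prompt (an illustrative design written for this article, not any vendor’s implementation). The two-digit number is generated per sign-in and displayed only on the login screen; the push prompt carries the device and location context but not the number, so a bare “Approve” tap from a user who is not actually signing in has nothing to match and is rejected. Challenges are single-use and expire after an assumed 60 seconds, and mismatches are counted because a run of them is exactly the signal worth alerting on. The contexts and timings are constructed for the example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

CHALLENGE_TTL_SECONDS = 60   # assumed lifetime of a pending prompt


@dataclass
class PushChallenge:
    challenge_id: str
    number: str        # two digits, displayed ONLY on the login screen
    context: str       # device/location shown to the user in the prompt
    created_at: float
    resolved: bool = False


class NumberMatchingMfa:
    """Server side of a number-matching push prompt (illustrative design,
    not any vendor's implementation)."""

    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now
        self._pending: Dict[str, PushChallenge] = {}
        self.rejections = 0   # blind approvals / mismatches, worth alerting on

    def start_login(self, context: str) -> PushChallenge:
        ch = PushChallenge(
            challenge_id=secrets.token_hex(8),
            number=f"{secrets.randbelow(100):02d}",
            context=context,
            created_at=self._now(),
        )
        self._pending[ch.challenge_id] = ch
        return ch

    def prompt_text(self, challenge_id: str) -> str:
        """What the authenticator app shows; the number is deliberately NOT included."""
        ch = self._pending[challenge_id]
        return f"Sign-in attempt from {ch.context}. Enter the number shown on the login screen."

    def respond(self, challenge_id: str, entered: Optional[str] = None) -> bool:
        ch = self._pending.get(challenge_id)
        if ch is None or ch.resolved:
            return False
        ch.resolved = True                      # single use, whatever the outcome
        if self._now() - ch.created_at > CHALLENGE_TTL_SECONDS:
            return False
        if entered is None:                     # a bare "Approve" proves nothing
            self.rejections += 1
            return False
        ok = hmac.compare_digest(ch.number, entered)
        if not ok:
            self.rejections += 1
        return ok


def legitimate_login() -> bool:
    """The user is at the login screen, reads the number, types it into the app."""
    mfa = NumberMatchingMfa()
    ch = mfa.start_login("Chrome on Windows, Boston MA (constructed context)")
    seen_on_screen = ch.number                  # only someone at the screen has this
    return mfa.respond(ch.challenge_id, seen_on_screen)


def fatigue_blind_approve() -> bool:
    """The push-spam scenario: the user taps approve with no login screen in
    front of them, so there is no number to enter and the prompt is rejected."""
    mfa = NumberMatchingMfa()
    ch = mfa.start_login("Unknown browser, unknown location (constructed context)")
    return mfa.respond(ch.challenge_id)


if __name__ == "__main__":
    print("legitimate login accepted:", legitimate_login())
    print("blind approve accepted:   ", fatigue_blind_approve())
```

The design choice that matters is the direction of information flow: approval must carry a value that exists only on the login screen, so the authenticator cannot be satisfied by a reflex tap. The context string in the prompt is the “context-aware” alert from the list above, and the rejection counter is what a SIEM rule would consume.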
How InnerCircle Can Help Strengthen Your Organization’s Security
At InnerCircle, we go beyond outdated password reset policies to deliver layered security that truly protects your organization. Our security packages, including our Secure Core, Secure Core Plus, Secure Edge and Active Arc offerings, incorporate important protections and controls such as phishing simulations, user awareness training, and policy support to reinforce the right behaviors. Eliminating outdated password reset policies shouldn’t mean lowering defenses, so we help design and build layered security programs that reduce reliance on password reset policies alone. Our cybersecurity bundles include the key protections outlined below:
Secure Core (all customers): Advanced email filtering, phishing testing, user training, managed detection and response, and extra protection for privileged accounts.
Secure Edge: Password management tools, dark web monitoring for early threat detection, and secure web access controls.
Secure Core Plus: 24/7 threat monitoring and response, endpoint and cloud vulnerability detection, and deep security insights powered by Security Information and Event Management (SIEM).
Active Arc: Cybersecurity maturity assessments, policy and compliance support, and targeted external due diligence.
Our holistic approach ensures strong defenses and swift response to any password compromise, allowing you to retire old policies like mandatory 90-day resets without sacrificing security or compliance.
The Bottom Line
Forced password changes should be a relic of the past. The modern approach is clear: organizations should rely on layered defenses, not calendar reminders. Protections should include:
Using long, unique passphrases.
Protecting credentials with MFA (enhancing with techniques like number matching and training).
Monitoring for breaches and responding to real events.
InnerCircle helps organizations implement these practices while aligning with both industry standards and compliance requirements. Our team can help ensure your organization stays secure without unnecessary complexity.
Talk to InnerCircle today about updating your cybersecurity policies and protections and see how we can help strengthen your overall security posture.