Strong Passwords: The Problem with Rotation

Author: HollyGraceful    Published: 10 June 2021

Password rotation has previously been included within best practice guides as a method of minimising the risk of a compromised password still being valid at the time a threat actor attempts to use it. More recent research has indicated that enforcing password rotation is linked to an increased risk of weak passwords, because users tend to derive each new password from the previous one using a predictable pattern, such as `Password1`, `Password2`, `Password3`, or `Summer 2021`, `Autumn 2021`, `Winter 2021`. An attacker who has obtained one password in the sequence can guess the next with very few attempts, which largely defeats the purpose of the rotation.

Both the US National Institute of Standards and Technology (NIST, in SP 800-63B) and the UK National Cyber Security Centre (NCSC) now advise against enforcing periodic password rotation; both still recommend forcing a change when there is evidence or suspicion that a password has been compromised. However, some compliance requirements still mandate rotation, such as PCI DSS 3.2.1 requirement 8.2.4, which requires passwords to be changed at least every 90 days.

Unless mandated by a compliance requirement, it is recommended that password ageing (password expiry) be disabled.

Password Expiration can be disabled within Group Policy in the following location:

`Computer Configuration → Windows Settings → Security Settings → Account Policies → Password Policy`

The relevant setting is `Maximum password age`. Valid values are `0` to `999` days, and expiration is disabled by setting the value to `0`, which means passwords never expire. For domain accounts the effective value is the one in the policy linked at the domain root (the `Default Domain Policy` by default); fine-grained password policies, where configured, override it for the users and groups they apply to, so those should be checked as well.
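The same check and change can be scripted. The following is an added example for this article, not code from the original page; it assumes the ActiveDirectory RSAT module is installed, that the caller has rights to read and modify the domain password policy, and that `corp.example` is a placeholder domain name. The treatment of a zero `MaxPasswordAge` as "never expire" matches the Group Policy value `0` described above.

```powershell
# Added example (not from the original article).
# Assumes: ActiveDirectory module (RSAT) is installed and the caller can
# read/modify the domain password policy. 'corp.example' is a placeholder.
Import-Module ActiveDirectory

$Domain = 'corp.example'

# 1. Audit the current domain-wide password policy.
$policy = Get-ADDefaultDomainPasswordPolicy -Identity $Domain
$policy | Select-Object MaxPasswordAge, MinPasswordAge, MinPasswordLength,
                        PasswordHistoryCount, ComplexityEnabled

# MaxPasswordAge is a TimeSpan; zero corresponds to Maximum password age = 0
# in Group Policy, i.e. passwords never expire.
if ($policy.MaxPasswordAge -eq [TimeSpan]::Zero) {
    Write-Output 'Password expiry is already disabled for the domain.'
} else {
    Write-Output ('Passwords currently expire after {0} days.' -f $policy.MaxPasswordAge.Days)
}

# 2. Disable expiry (only where no compliance requirement such as
#    PCI DSS 3.2.1 req. 8.2.4 mandates rotation).
Set-ADDefaultDomainPasswordPolicy -Identity $Domain -MaxPasswordAge ([TimeSpan]::Zero)

# 3. Fine-grained password policies (PSOs) override the domain default for
#    the principals they apply to; list any that still enforce an age.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Where-Object { $_.MaxPasswordAge -ne [TimeSpan]::Zero } |
    Select-Object Name, Precedence, MaxPasswordAge, AppliesTo

# 4. Standalone (non-domain) machine equivalent, using the local account policy:
#    net accounts /maxpwage:unlimited
#    net accounts    # reports "Maximum password age (days): Unlimited"
```

One caveat when using the cmdlet rather than the Group Policy editor: `Set-ADDefaultDomainPasswordPolicy` writes the policy attributes on the domain object directly, but those attributes are populated by the PDC emulator from the GPO linked at the domain root. If that GPO still carries a non-zero `Maximum password age`, the change will be reverted at the next policy refresh, so the GPO itself should be updated and the cmdlet used to confirm the effective value.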