Strong Passwords: The Problem with Rotation
Author: HollyGraceful Published: 10 June 2021 Last Updated: 09 November 2022
Password rotation has previously been included in best-practice guides as a method of minimising the risk that a compromised password is still valid at the time a threat actor attempts to use it. Recent research has indicated that enforcing password rotation is linked to an increased risk of weak passwords, because users select new passwords according to predictable patterns, such as Password1, Password2, Password3, or Summer2021, Autumn2021, Winter2021.
Both the US National Institute of Standards and Technology (NIST) and the UK National Cyber Security Centre (NCSC) now advise against password rotation. However, some compliance requirements still require it, such as PCI DSS 3.2.1 requirement 8.2.4, which requires passwords to be changed every 90 days.
Update: PCI DSS 4.0 has been released, and requirement 8.3.9 now states: "If passwords/passphrases are used as the only authentication factor for user access (i.e., in any single-factor authentication implementation) then either: Passwords/passphrases are changed at least once every 90 days, OR the security posture of accounts is dynamically analyzed, and real-time access to resources is automatically determined accordingly." This seems to lean in the direction of encouraging the use of multi-factor authentication (MFA) or a Zero Trust Architecture.
Unless mandated by a compliance requirement, it is recommended that password ageing is disabled.
Password Expiration can be disabled within Group Policy in the following location:
Computer Configuration → Windows Settings → Security Settings → Account Policies → Password Policy
The relevant setting there is Maximum password age. Valid values are 0 to 999 days, and expiration is disabled by setting it to 0.
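Where rotation cannot be disabled because a compliance requirement still mandates it, the incremental-pattern risk described above can be reduced with a similarity check at password-change time, when both the old and the new password are available. The following is an added example, not code from the original post; the similarity threshold of 0.75 is an assumption, not a recommendation from any standard.

```python
import re
from difflib import SequenceMatcher

# Words users commonly swap between rotations (Summer2021 -> Autumn2021).
SEASONS = ("spring", "summer", "autumn", "fall", "winter")


def normalise(password: str) -> str:
    """Collapse the parts of a password that users typically increment.

    Case is folded, season names become one token, every digit run becomes
    one token, and punctuation is dropped, so Password1! and Password2?
    both normalise to the same string.
    """
    p = password.lower()
    for season in SEASONS:
        p = p.replace(season, "<season>")
    p = re.sub(r"\d+", "<n>", p)
    return re.sub(r"[^a-z<>]", "", p)


def too_similar(old: str, new: str, threshold: float = 0.75) -> bool:
    """Return True when `new` is a predictable variation of `old`.

    `threshold` is an assumed cut-off on the difflib similarity ratio
    (0.0 = nothing in common, 1.0 = identical); tune it to your own data.
    """
    if old.lower() == new.lower():
        return True
    if normalise(old) == normalise(new):
        # Same skeleton: only digits, season or punctuation changed.
        return True
    ratio = SequenceMatcher(None, old.lower(), new.lower()).ratio()
    return ratio >= threshold


if __name__ == "__main__":
    # Constructed sample pairs illustrating the rotation patterns above.
    for old, new in [("Password1", "Password2"),
                     ("Summer2021", "Autumn2021"),
                     ("Summer2021", "Tr0ub4dor&3")]:
        verdict = "reject" if too_similar(old, new) else "accept"
        print(f"{old!r} -> {new!r}: {verdict}")
```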