Passwords – Do you know that age requirements do more harm than good?

Last updated by Brady Stroud [SSW] about 2 years ago.

Minimum password age and maximum password age rules are not useful and do more harm than good. Passwords are already difficult to manage, and forcing people to change them at specific times encourages poor password practices, such as using well-known transforms and substitutions, or writing them down.

Research shows that these negative effects don’t yield any benefit. To illustrate why, imagine a password policy that forces a change every 30 days (or worse, 90 days). The logic behind this is to mitigate the effect of a compromised password, meaning that if someone does gain your password, they can only use it for a maximum of 30 days before it is no longer valid.

There are 2 key problems with this logic. The first is that a lot of damage can be done in 30 days. The second is that attackers generally become aware immediately that they have a working password, and the research tells us that to have the desired effect, a user would have to change their password every 8 milliseconds. Anything longer than that is ineffective.