Why your enterprise should not require mandatory, 90-day password resets

Published on July 28, 2020

According to the most recent version of the NIST cybersecurity framework, it’s no longer advisable to mandate periodic password resets. For years now, thought leaders in the space, including Lorrie Cranor, the former chief technologist at the FTC, have been arguing that mandatory password resets are counterproductive to password security. Back in 2015, a quantitative study from Sonia Chiasson and Paul van Oorschot, two scholars at Carleton University’s School of Computer Science, found that forcing employees to do password resets resulted in “questionable benefits.”

The general rule of thumb in 2020 is that you only need to force employees to change their passwords if there has been evidence of a breach, and large enterprises are taking note. The official line from Microsoft is: “If a password is never stolen, there is no need to expire it.” That said, the Seattle-based tech giant recommends that enterprises use two-factor authentication (2FA), while also enforcing banned password lists and requiring employees to use passwords of a certain complexity, length, and history. As long as these protections are in place, there is no need to mandate periodic password changes. In fact, requiring password resets can make your network less safe.

Employees create similar passwords and rely on Post-it Notes
To begin with, the average business user has an average of 191 passwords. With so many passwords to remember, employees tend to create similar passwords when they’re forced to change their existing passwords. This, in and of itself, is dangerous, especially if there has been a breach in the past. Moreover, frequent mandatory resets cause some employees to resort to writing passwords on Post-it Notes at their workstations.

It causes employee downtime and places an undue burden on service desks
To be sure, there are monetary consequences associated with mandatory password resets, as employees aren’t able to work while they wait for a system administrator to assist them. According to a 2018 Forrester report, the average cost of a password reset is $70.

As Cameron Covert, Zoho director of US events, explains, “The whole time you’re trying to figure it out, you’re not working. At a minimum, you’re looking at downtime of at least thirty minutes.”

Password resets become especially frustrating for employees who work from home. Covert laments, “When you forget your password, you have to call your sys admin. And lot of employees don’t know what their sys admin’s phone number is. Plus, you can’t get on your internal chat tool—be it Cliq or Slack or Google Chat—so you can’t message your support team. It’s a headache, especially if you’re working from home.”

Weakening employee morale
Employees find frequent password resets to be a nuisance. Tom Phillips, Zoho operations manager says, “I understand the reason for [mandatory password resets], I guess, but selfishly as a user, it’s very annoying. Also, I put all my passwords in a sheet, so if somebody gets their hands on that sheet, they can ransack my identity. All bets are off at that point.”

Although the NIST framework now suggests that mandatory resets are unnecessary, it’s important to point out an important caveat: passwords are here to stay for the foreseeable future. This is true, even though 81% of hacking breaches are due to compromised passwords. Passwords are arguably superior to biometric information because unlike biometric data, passwords are either completely right or completely wrong.

Biometric information that is partially correct can sometimes unlock accounts; for example, studies have shown that some children’s faces are similar enough to unlock their parents’ accounts. Also, there have been several cases of stolen fingerprint data, and once this biometric information is stolen, it can’t be undone.

As Microsoft’s new password policy makes clear, multi-factor authentication is key, and passwords should always be of a certain length and complexity. While it’s wise to discontinue mandatory password resets, it is also important that enterprises bolster their account security in other ways.

Tools that facilitate mobile device management, privileged access management, and remote password resetting can strengthen your enterprise’s password security. Also, log monitoring tools can be put into place, ensuring that any anomalous activity is detected in time. The bottom line is—you should feel free to abolish mandatory password resets, but don’t neglect your other password security initiatives.

Join the Conversation

1 Comment

Your email address will not be published. Required fields are marked *

2 × two =

  1. Have been long arguing to stop mandatory password resets. This study helps go a long way in making the fraternity understand that the pain costs and the risks of mandatory password resets are much higher than no resets except in case of breach or unexplained anomalous behaviour


As the world moves away from manual, labor-intensive processes, companies are increasingly relying on artificial intelligence to streamline operations. From forecast engines and conversational assistants to anomaly detection and behavior analysis, AI capabilities have been progressing in leaps and bounds in the last few years.
Digital transformation can be a complex process requiring various stakeholders—leadership, partners, and employees—to be on the same page while ensuring the transformation enhances business value. However, despite its growing popularity, many businesses are still unsure what exactly digital transformation entails. Dive in for our take on everything DX.
As the world of cyberthreats becomes increasingly sophisticated, organizations need to develop a multi-pronged defense strategy that includes various layers of protection spread across networks, hardware, programs, and data. The people, processes, and technology in an organization need to come together in order to create an infallible security program.
A platform for industry experts and thought leaders to share their expertise on how technology is sharing various aspect of their industry.
As we move into an era of information explosion, mounting concerns regarding data privacy have given rise to groundbreaking regulations. Adhering to privacy regulations, such as the GDPR and the CCPA, not only ensures compliance, but can also help an organization develop solid data security policies and prevent breaches.