Password Expiration is Security Theater
Cybersecurity experts abandoned password expiration years ago. So why do so many organizations force you to change your password every few months?
The day before I was to give a presentation on authentication and cybersecurity, I opened my inbox and saw a familiar message:
“Upcoming password expiry”, the subject line read. I had less than 24 hours to change my password to avoid being locked out of this organization’s email account.
Not because my password had been leaked, or due to suspicious activity. Rather, an arbitrary number of days had passed since I last changed it.
I stared at the message and, chronic procrastinator that I am, failed to act on it. When I pulled out my computer the next afternoon, I was locked out of not only my email account but also the organization’s Wi-Fi network.
I had to use my phone’s hotspot feature to connect to the internet so I could change my password.
As I gazed upon the password reset screen, I pondered all the ways people usually deal with these annoyances. Many people take their current password and add a symbol or change a number, then try to remember it for three months until the next forced reset.
This isn’t good practice, but it is predictable human behavior. Most of us get these expiration messages and don’t think twice. We increase the number in our password by one, or add an additional exclamation mark.
It’s a small, annoying disruption.
But the reality is that these types of password policies are unnecessary. They don’t just inconvenience people, they quietly train us to behave in ways that make our passwords more predictable, not less.
How We Got Stuck With These Rules
On the surface, password policies like forced resets and complexity requirements make sense. Making passwords more complicated feels like a logical way to make everything safer.
And twenty years ago, that logic wasn’t completely wrong. Most of us had only a handful of digital accounts at that time: work and personal email accounts, online banking, and our Netflix DVD queue.
Security systems were built for a world where remembering a few complex passwords felt manageable, and the internet wasn’t the central nervous system of your life.
But the world has changed, and password policies largely haven’t. Today, many of us manage dozens or even hundreds of accounts, including:
Work systems
School portals
Government logins
Medical records
Online shopping
Social media
Smart home devices
Streaming sites
Passwords used to be an occasional inconvenience. Now, they are part of the infrastructure of modern existence. Yet many organizations still treat authentication as if users only need to juggle a few secret codes in their head.
From an institutional perspective, these rules may “look” good. Complexity requirements feel measurable, expiration policies look proactive, and they’re both easy to explain to auditors and leadership.
But what this approach misunderstands is that security isn’t just a technology problem: it’s a human behavior problem. Forcing changes and having arbitrary complexity requirements inevitably pushes people toward predictable shortcuts and workarounds.
The Workarounds We All Use
When security rules ignore how people actually behave, folks don’t suddenly become more disciplined; they become more strategic.
That’s how password workarounds were born.
Complexity requirements don’t create stronger passwords, they create predictable ones. Many people use a capital letter at the beginning and a number and exclamation mark at the end. When forced to do a periodic reset, that password becomes part of a series:
Password1! ➡️ Password2! ➡️ Password3!
The next big issue with this is password reuse. When you manage dozens or potentially hundreds of accounts, remembering unique complex passwords for all of those without assistance is unrealistic.
So people reuse their passwords. Or create predictable variations. Or write them down on sticky notes.
Studies consistently show that around 70% of people reuse passwords, often across both personal and professional accounts [1]. Even more concerning, 80% of data breaches involve stolen or weak passwords [2].
Attackers don’t guess passwords one-by-one, of course. They use massive breach databases and automated tools to try leaked credentials everywhere. Reuse can easily turn one breach into a dozen.
This isn’t a story about people failing at security, it’s a story about security policies failing people. When rules create too much friction, they don’t produce safer behavior. They produce predictable behavior… and that predictability is exactly what attackers rely on.
The New Best Practices for Password Security
Here’s the part that surprises most people: the cybersecurity world has largely admitted that it got the old password model wrong.
Major organizations have completely rewritten their guidance because the research is clear: forcing people into complexity rules and constant resets doesn’t make systems safer [3]. It mostly just annoys everyone.
The biggest shift came from the National Institute of Standards and Technology (NIST), a U.S. government agency whose authentication standards set the baseline followed by other government agencies and contractors.
In 2017, NIST updated its guidance to explicitly recommend against routine password expiration and special character requirements [4].
Instead, they tell organizations to let people use long, memorable passphrases, like “banana window river cotton.” These are easier to recall and much harder for attackers to crack.
NIST also recommends screening new passwords against breach databases. If attackers already have it, IT systems shouldn’t allow it.
This one change does more for security than decades of adding “!” to the end of passwords has ever done. Pair these policies with multi-factor authentication and you have the most effective cyber defense available.
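To make the contrast concrete, here is an added example (my own illustration, not NIST’s text or any product’s code) that puts the old complexity checklist next to a length-plus-breach-screening policy of the kind described above. The breach corpus is a constructed sample, the 8/64-character limits are assumptions, and the “trivial variant” check for the Password1! ➡️ Password2! pattern is an extra heuristic I added rather than something the article states.

```python
import hashlib
import re
import string

# Constructed sample breach corpus (made up for this example). A real deployment
# would screen against a maintained breach database, as the article describes.
_LEAKED = {"password", "Password1!", "Password2!", "qwerty123", "letmein"}
BREACHED_SHA1 = {hashlib.sha1(p.encode("utf-8")).hexdigest() for p in _LEAKED}

MIN_LENGTH = 8   # assumed floor; the article gives no specific number
MAX_LENGTH = 64  # assumed ceiling, high enough to allow long passphrases


def legacy_policy(candidate):
    """Complexity checklist of the kind the article criticises; returns problems."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("too short")
    if not re.search(r"[A-Z]", candidate):
        problems.append("needs an uppercase letter")
    if not re.search(r"[0-9]", candidate):
        problems.append("needs a digit")
    if not any(ch in string.punctuation for ch in candidate):
        problems.append("needs a special character")
    return problems


def _base(password):
    """Strip trailing digits and symbols, the part people usually increment."""
    return re.sub(r"[\d\W]+$", "", password).lower()


def is_trivial_variant(previous, candidate):
    """Heuristic (an assumption, not from the article): same base word with only
    the trailing digits or symbols changed, e.g. Password1! -> Password2!."""
    return _base(previous) == _base(candidate)


def modern_policy(candidate, previous=None):
    """Length plus breach screening: no composition rules and no expiry date."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("too short")
    if len(candidate) > MAX_LENGTH:
        problems.append("too long")
    digest = hashlib.sha1(candidate.encode("utf-8")).hexdigest()
    if digest in BREACHED_SHA1:
        problems.append("appears in a known breach")
    if previous is not None and is_trivial_variant(previous, candidate):
        problems.append("trivial variant of the previous password")
    return problems
```

Run side by side, the legacy checklist waves through “Password3!” and rejects “banana window river cotton”, while the screening policy does the reverse.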
Why Institutions Haven’t Caught Up
If cybersecurity experts have moved on, why are so many workplaces still stuck with password rules from when George W. Bush was president?
Institutional momentum is part of it, but old policies persist largely because leaders worry that “loosening” password rules will look like weakening security, and IT teams hesitate to challenge longstanding standards: if something goes wrong, nobody wants to be the person who “weakened” protection.
Some auditors and regulatory agencies also still favor expiration despite the evidence, ironically making the entities they oversee less secure. So the outdated policies remain in effect, not because they work, but because they’re familiar.
However, even if the institutions around us move slowly, regular people don’t have to stay stuck. You can do a few things to make your accounts more secure, even in environments with outdated rules:
Switch to passphrases where possible.
Use a password manager to safely store unique passwords for all of your accounts. Some will even alert you if your passwords or email address turn up in a leak.
Turn on multi-factor authentication on every account.
You could even try forwarding this article to your IT department, but I can’t guarantee they’ll take it to heart (for what it’s worth, I’m not just a random guy on the internet… I’m a random guy on the internet with a CompTIA Security+ cybersecurity certification [5]).
Ultimately, if we want real security, we have to design systems around human behavior, not against it. There’s no need to change a password that hasn’t been compromised in a breach, and requiring us to do so makes it harder for everyone and, ultimately, easier to undermine.