Published on Jul 18, 2018

To change or not to change passwords

A lot of discussion has taken place over the last few years about whether it is wise to enforce a company security policy that requires password rotation, usually every 3 months.

Camp #1 shouts: "Yes, it's the right way, because people will never use strong passwords and their accounts are easy to guess."

The opposite camp #2 shouts: "No, it's wrong, because it becomes impossible to remember strong passwords over time, so people are forced to write them down somewhere .. security compromised!"

I have experience with both sides: hacked accounts due to silly weak passwords, but also the frustration of regularly changing passwords in corporate applications.

After all, I figured out the best compromise, and I believe this should generally be the right way to apply a security policy:

  1. use a tool that measures password strength properly (see the list below)

  2. for STRONG passwords, offer the possibility to extend the rotation interval from the default 3 months to optionally 6, 9, 12 or 24 months, or OFF (yes, including turning rotation off). The user should be advised about the security risks, and disabling password rotation should be confirmed twice.

  3. for passwords of MIDDLE strength, allow extending the rotation period from the default 3 months to 6, 9 or 12 months. Do not allow disabling password rotation.

  4. weak passwords should not be accepted, of course.
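The four points above can be encoded as a small policy module. The following is an added example, not code from the original post: the strength estimator is a naive character-class entropy model with a constructed common-password list, standing in for whatever dedicated library you would actually use, and the tier thresholds (36 and 80 bits) are illustrative assumptions. The rotation tables, the "confirmed twice" rule for turning rotation off, and the rejection of weak passwords follow the list directly.

```python
"""Strength-tiered password rotation policy (added example, not the post's code).

Assumptions not taken from the post:
  * strength is estimated with a naive model: log2(character-class pool size)
    per character, after collapsing repeated runs, and zero for a constructed
    list of common passwords. A real deployment would use a dedicated
    estimator library and that library's own score scale;
  * the tier thresholds (36 and 80 bits) are illustrative.
"""
import calendar
import math
import re
from datetime import date
from enum import Enum

# Constructed demo list; a real deployment would check a breached-password corpus.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}

WEAK_BELOW_BITS = 36      # illustrative threshold (assumption)
STRONG_FROM_BITS = 80     # illustrative threshold (assumption)
DEFAULT_ROTATION_MONTHS = 3


class Strength(Enum):
    WEAK = "weak"
    MIDDLE = "middle"
    STRONG = "strong"


# Rotation intervals (months) a user may pick per tier; None means rotation off.
ALLOWED_ROTATION = {
    Strength.WEAK: [],                          # point 4: not accepted at all
    Strength.MIDDLE: [3, 6, 9, 12],             # point 3: may extend, may not disable
    Strength.STRONG: [3, 6, 9, 12, 24, None],   # point 2: may extend or disable
}


def estimate_entropy_bits(password: str) -> float:
    """Naive entropy estimate (assumption, not the post's tool)."""
    if not password or password.lower() in COMMON_PASSWORDS:
        return 0.0
    pool = 0
    if re.search(r"[a-z]", password):
        pool += 26
    if re.search(r"[A-Z]", password):
        pool += 26
    if re.search(r"[0-9]", password):
        pool += 10
    if re.search(r"[^A-Za-z0-9]", password):
        pool += 33   # printable ASCII punctuation
    # Collapse runs of one repeated character so "aaaaaaaa" does not look long.
    effective_len = len(re.sub(r"(.)\1+", r"\1", password))
    return effective_len * math.log2(pool)


def classify(password: str) -> Strength:
    """Map the estimate onto the post's three tiers."""
    bits = estimate_entropy_bits(password)
    if bits < WEAK_BELOW_BITS:
        return Strength.WEAK
    if bits < STRONG_FROM_BITS:
        return Strength.MIDDLE
    return Strength.STRONG


def validate_rotation_request(password: str, months, disable_confirmations: int = 0):
    """Decide whether a requested rotation interval is allowed.

    Returns (accepted, reason). `months` is an int or None (rotation off).
    Turning rotation off additionally needs two explicit confirmations.
    """
    tier = classify(password)
    if tier is Strength.WEAK:
        return False, "weak password rejected"
    if months not in ALLOWED_ROTATION[tier]:
        return False, f"{tier.value} password may not use rotation interval {months}"
    if months is None and disable_confirmations < 2:
        return False, "turning rotation off requires two confirmations"
    label = "off" if months is None else f"{months} months"
    return True, f"{tier.value} password, rotation {label}"


def next_change_due(changed_on, months):
    """Date of the next forced change, or None when rotation is off.

    `changed_on` may be a date or an ISO date string. Month arithmetic clamps
    the day to the target month's length (Jan 31 + 1 month = Feb 28/29).
    """
    if months is None:
        return None
    if isinstance(changed_on, str):
        changed_on = date.fromisoformat(changed_on)
    month_index = changed_on.month - 1 + months
    year = changed_on.year + month_index // 12
    month = month_index % 12 + 1
    day = min(changed_on.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


if __name__ == "__main__":
    # Constructed sample requests: (password, requested months, confirmations).
    for pw, months, confirms in [
        ("password", DEFAULT_ROTATION_MONTHS, 0),
        ("Password1", 12, 0),
        ("Password1", None, 2),
        ("my1superSecureTIP-TOP:password!", None, 1),
        ("my1superSecureTIP-TOP:password!", None, 2),
    ]:
        ok, why = validate_rotation_request(pw, months, confirms)
        due = next_change_due("2018-07-18", months) if ok else None
        print(f"{pw!r:36} -> {ok}: {why}; next change {due}")
```

Run the tier classification and the interval check on the server side when the password is set; a strength verdict computed only in the browser can be altered by the client, and the rotation table is only as good as the estimator feeding it.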

I believe that when the password is something like "my1superSecureTIP-TOP:password!" there is no reason to enforce changing it again after 3 months; it just becomes counterproductive.

Here's a list of a few libraries for measuring password strength:

And a few links to what has been written on the topic by renowned authorities:
