Unpopular opinion: password rotation policies are actually making things worse

My IT guy at work keeps pushing this policy where we have to change our passwords every 60 days. He says it's standard practice and keeps the hackers out. But after 3 years of this, I keep ending up with passwords like "Winter2024!" or "Fall2023Update" because I can't remember a new complex one every 2 months. I actually ended up writing my password on a sticky note under my keyboard last month, which feels way less secure than just keeping a good one. A buddy of mine in a different company said their security team ditched forced rotations and just uses multi-factor auth instead. So is the old advice about changing passwords constantly actually hurting us by making people lazy with their habits? Has anyone else's workplace had this debate?

1 Comment
alexlewis, 1h ago
Nah, that's not quite right about your buddy's company. Most places that ditch forced rotations still enforce a minimum password age. They just stopped the 60-day reset because modern research shows it backfired. MFA is great, but it's not a replacement for unique passwords; it's an extra layer on top. Companies still want you to have separate passwords for different things even if they don't make you change them every 2 months. Your IT guy is following old NIST guidance from 2017 that basically everyone updated after realizing it made things worse. The real fix is longer passphrases with MFA, not constant resets.