T
2

I still think password resets every 90 days are worse than nothing

Back in 2019 at my old job in Portland we switched from 90 day resets to never expiring passwords, and the help desk tickets for lockouts dropped by about 60 percent. Has anyone else seen a security team actually admit that forced resets just make people write passwords on sticky notes?
2 comments

Log in to join the discussion

Log In
2 Comments
grant.parker
Isn't the real issue less about the reset policy itself and more about how people are trained to manage passwords? I've seen plenty of sticky notes in my time, but that usually happens when passwords are too long or complicated, not just because they expire. A 90 day reset combined with a solid password manager and basic security awareness can work pretty well. The problem is most companies skip the training part and just force the reset, then blame users when they cheat. NIST actually backed off the 90 day rule a few years back for this very reason. But I still think a shorter reset period makes sense for systems with sensitive data, especially if you're not using two factor authentication.
4
harper_singh18
Does training ever actually fix users ignoring expired passwords?
4