I previously posted a defense of password expiration on this blog. Since that time, my perspective has changed and I no longer consider password expiration to be a useful security measure. Here is my reasoning, reposted from my current blog:
Password Expiration
One common bit of advice with respect to security is to require frequent password changes. This "best practice" has persisted for decades despite some prominent criticism. But, is password expiration actually helpful or not?
Are there benefits?
Password expiration has a negligible effect on limiting or preventing malicious behavior. The ability to steal passwords often implies privileged access to your systems or network. If the attacker has administrator rights, access to the password database or the ability to sniff traffic on your network, he can install a backdoor or continuously steal passwords in order to avoid the expiration window. That’s assuming he even needs continued access to accomplish his goal. If the attacker only needs short-term access, which is often the case, password expiration is irrelevant.
In what circumstances will expiring an account password actually stop an attacker? What threat model does password expiration protect against? One possibility is that the attacker wants to steal credentials so that he can resell them (e.g. passwords from a banking website). With a short expiration (e.g. 60 days), the value of the passwords would depreciate quickly and some of the passwords might expire before the buyer is able to make use of them. But, this assumes some disorganization on the part of the buyer or seller. If the seller is able to pass the data on quickly and the buyer is organized and ready, the expiration will have a very minimal impact on their operation.
Another (almost) positive case for password expiration is to limit damage where a single password has been compromised using some method that doesn't provide another avenue for continued access by the attacker. For instance, a user might have shared his password with another user against company policy. Forcing password expiration would ensure some limit on the time period over which the second user could share the account. But, password expiration is a pretty poor way to combat this. There is nothing preventing the user from sharing his password a second time or preventing the second user from doing damage before the password expires. The better approach is to hold users responsible for their own accounts. Users are less likely to share passwords if they know that their account activity is logged/tracked and that they are liable.
In other cases, there is even less of a benefit. If the attacker just wants to steal the data on your systems, the passwords are only relevant to the extent that they help him get to the data. Once he has the data, the passwords don’t matter. If he wants to use the passwords to break into other sites, he doesn’t care about the expiration policy at your site. If the attacker wants to deface your website or use your network to launch an attack against someone else, he probably doesn’t plan on having long-term access. If the attacker wants to maintain access to the system–and inexplicably has no other way of maintaining his access–he only needs to re-steal the passwords about once a month with a 60-day expiration window.
Even when we have a situation where expiration is potentially helpful, it may not help. About 41% of the time, an attacker can crack a password in just a few seconds if he knows a user's previous password. Storing password histories could make this even weaker.
So password expiration helps to limit the time frame in which an attacker can do damage after discovering a single password when the user is not one of the 41% whose passwords are easily predictable based on previous passwords and when the attacker also has no way to discover additional passwords, gain administrator rights, or otherwise secure further access to the system. That's a pretty narrow benefit.
Negative consequences
It gets worse. Frequent password expiration encourages users to pick weaker passwords and/or write them down*. That means we have to weigh any potential benefit from password expiration against the negative consequences of poorer password selection and management. If the user writes his password down and stores it in an insecure location, it is vulnerable to any local attacker (e.g. malicious insiders).
Using the NIST guidelines for password strength, every character of a password has at least one bit of entropy. If a user picks a password that is even one character shorter than he would have with a longer-term password, the time to crack that password is, at the minimum, cut in half. The NIST guidelines are pretty conservative. If users select passwords that are more random, then the consequence of weaker password selection due to expiration is greater. Removing a random character from a password makes that password dozens of times easier to crack. Reducing the character set is similar or worse. If a user picks passwords in some predictable sequence or pattern to cope with the burden of expiration, his password selection may be thousands or millions of times weaker.
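As an added worked example (not part of the original post), here is the entropy arithmetic behind the paragraph above, using the user-chosen password heuristic from NIST SP 800-63 (2006), Appendix A. The 94-symbol printable ASCII alphabet and the ten-digit changing suffix in the predictable-sequence case are assumptions chosen for illustration.

```python
# Added example: how much a shorter or more predictable password weakens an
# account, using the NIST SP 800-63 Appendix A entropy heuristic.
import math

def nist_entropy_bits(length: int) -> float:
    """NIST SP 800-63 Appendix A estimate for a user-chosen password with no
    composition rule or dictionary-check bonus: first character 4 bits,
    characters 2-8 two bits each, 9-20 1.5 bits each, 21+ one bit each."""
    if length <= 0:
        return 0.0
    bits = 4.0
    bits += 2.0 * max(0, min(length, 8) - 1)
    bits += 1.5 * max(0, min(length, 20) - 8)
    bits += 1.0 * max(0, length - 20)
    return bits

def random_entropy_bits(length: int, charset_size: int) -> float:
    """Entropy of `length` characters drawn uniformly from a
    `charset_size`-symbol alphabet: length * log2(charset_size)."""
    return length * math.log2(charset_size)

def sequence_entropy_bits(varied_symbols: int) -> float:
    """Entropy left when a user copes with expiration by keeping a base
    password and rotating only one position through `varied_symbols`
    choices (e.g. a digit suffix): the attacker who knows the previous
    password has to guess only that position (assumed model)."""
    return math.log2(varied_symbols)

def crack_effort_ratio(strong_bits: float, weak_bits: float) -> float:
    """How many times more guesses the stronger password costs than the
    weaker one; expected guess counts scale as 2**bits."""
    return 2.0 ** (strong_bits - weak_bits)

if __name__ == "__main__":
    PRINTABLE_ASCII = 94  # assumption: letters, digits and punctuation
    # One character shorter under the conservative NIST estimate: 4x weaker.
    print("NIST 8 vs 7 chars:",
          crack_effort_ratio(nist_entropy_bits(8), nist_entropy_bits(7)))
    # One random character dropped: about 94x weaker ("dozens of times").
    print("random 8 vs 7 chars:", round(crack_effort_ratio(
        random_entropy_bits(8, PRINTABLE_ASCII),
        random_entropy_bits(7, PRINTABLE_ASCII))))
    # Predictable rotation of a digit suffix vs a fresh 10-char password.
    print("NIST 10 chars vs digit rotation:", round(crack_effort_ratio(
        nist_entropy_bits(10), sequence_entropy_bits(10))))
    print("random 10 chars vs digit rotation:", round(crack_effort_ratio(
        random_entropy_bits(10, PRINTABLE_ASCII), sequence_entropy_bits(10))))
```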
Even without considering user frustration and support costs, expiration looks like a bad deal.
Note: I'm not opposed to people writing passwords down or storing them. I think that using a password manager or writing passwords down and storing them in a secure location is a positive thing if it helps people to choose better passwords and avoid reusing passwords. But, this requires some education. Most users who are writing passwords down because they find the expiration policy too onerous are likely to stick them in an unlocked drawer, under their keyboard, or on a post-it near their monitor; that's bad.