Is it just me or does it seem like 90 days goes by so quickly? What is my measurement of time you ask? It’s the dreaded email from IT telling me it’s time to change my password. I always think to myself, ‘but I JUST changed it’ and that’s why I am then left speechless that another 90 days has passed. If you’re like me, you keep it relatively the same but make a small modification here and there (unofficially). Or, if you aren’t like me, you make the most basic password relevant to your company.


Let’s break down the consequences of bad passwords, why 90 days became a best practice, why some agencies are saying this is an ancient best practice and what you should do instead.

When you go back in time and look at many of the high-profile breaches, you can almost always pinpoint the common denominator: a weak or compromised password. Since the two tend to go hand in hand, it’s safe to say that this level of compromise is often followed closely by ransomware attacks, supply chain attacks, and much more.


The concept behind forced password expiration derives from the common-sense idea that ‘if your credentials are always changing, it’s harder for an attacker to hack them.’ For example, a hacker might get their hands on a list of leaked passwords. However, if the list is three months old, and you’ve since changed your password, their information will be out of date…rendering you safe from that attempt. The other infamous tactics most people in the industry know are Password Spraying and Brute-Force attacks. A quick 101: password spraying is commonly used to try a few passwords against a large number of accounts, whereas brute-force attacks typically hammer a single account with many guesses to gain unauthorized access. It’s been a hot minute since I took Professor Messer’s Security+ course… so, don’t yell at me. If you want more information on this, I would highly recommend looking into Password Hashing, which is most likely what your company does to store its passwords.
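The difference between the two tactics is also what a defender looks for in the logs: spraying shows up as one source touching many accounts a few times each, brute force as one source hitting one account over and over. The following is an added example (not from the original post) that runs that distinction over a constructed set of failed-login lines; the log layout (timestamp, user, source IP, result) and the thresholds are assumptions.

```python
"""Tell password spraying apart from brute force in authentication logs.

Added example, not part of the original post. The log lines below are
constructed, and the whitespace-separated layout is an assumption.
"""
from collections import defaultdict

# Constructed sample: "<timestamp> <username> <source_ip> <result>"
SAMPLE_LOG = """\
2024-01-10T08:00:01 alice 203.0.113.5 FAIL
2024-01-10T08:00:02 bob 203.0.113.5 FAIL
2024-01-10T08:00:03 carol 203.0.113.5 FAIL
2024-01-10T08:00:04 dave 203.0.113.5 FAIL
2024-01-10T08:00:05 erin 203.0.113.5 FAIL
2024-01-10T08:00:06 frank 203.0.113.5 FAIL
2024-01-10T08:01:00 alice 198.51.100.7 FAIL
2024-01-10T08:01:01 alice 198.51.100.7 FAIL
2024-01-10T08:01:02 alice 198.51.100.7 FAIL
2024-01-10T08:01:03 alice 198.51.100.7 FAIL
2024-01-10T08:01:04 alice 198.51.100.7 FAIL
2024-01-10T08:01:05 alice 198.51.100.7 FAIL
2024-01-10T08:01:06 alice 198.51.100.7 FAIL
2024-01-10T08:01:07 alice 198.51.100.7 FAIL
2024-01-10T08:01:08 alice 198.51.100.7 FAIL
2024-01-10T08:03:00 bob 192.0.2.9 FAIL
2024-01-10T08:03:05 bob 192.0.2.9 FAIL
2024-01-10T08:03:20 bob 192.0.2.9 OK
"""


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, result = line.split()
        events.append({"ts": ts, "user": user, "src": src, "result": result})
    return events


def classify_sources(events, spray_min_users=5, spray_max_avg=3, brute_min_attempts=8):
    """Return {source_ip: 'spray' | 'brute_force' | None} based on failure patterns.

    spray:       failures against >= spray_min_users distinct accounts, with a low
                 average number of tries per account (a few guesses, many targets)
    brute_force: >= brute_min_attempts failures, all against a single account
    None:        nothing matching either pattern (e.g. a user mistyping twice)
    Thresholds are assumptions; tune them to your environment's baseline.
    """
    fails_by_src = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            fails_by_src[e["src"]].append(e["user"])

    verdicts = {}
    for src, users in fails_by_src.items():
        distinct = len(set(users))
        total = len(users)
        if distinct >= spray_min_users and total / distinct < spray_max_avg:
            verdicts[src] = "spray"
        elif distinct == 1 and total >= brute_min_attempts:
            verdicts[src] = "brute_force"
        else:
            verdicts[src] = None
    return verdicts


if __name__ == "__main__":
    for src, verdict in classify_sources(parse_log(SAMPLE_LOG)).items():
        print(f"{src:15} -> {verdict}")
```

The two rules are deliberately simple; in a real pipeline you would window them by time and compare against a per-source baseline, but the shape of each signal (breadth of accounts versus depth on one account) is what matters.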


In addition to the obvious inconvenience of having to change your password every 90 days, common passwords are easy to memorize and just as easy for a hacker to figure out. Or, as I mentioned earlier, if it’s not super simple, it’s being changed to only a slightly different version of what it was before. My friends over at NIST (National Institute of Standards and Technology) say that this practice provides a false sense of security. NIST SP 800-63 provides requirements, recommendations and guidance for users to take into consideration. Some food for thought: according to Gartner Group, between 30% and 50% of all IT help desk tickets are for password resets. Don’t our IT folks have better things to do than constantly help us reset our passwords? Forrester Research estimates that the labor cost of a single password reset is $70. If we multiplied that percentage by that dollar amount, for every 90 days… woof.


The experts recommend you protect yourself with a strong unique password. Make it difficult (near impossible) for hackers to hack.

  1. Diversify the characters, numbers, letters, capitalization.
  2. Don’t use common passwords (like ‘123’)
  3. Use passphrases
  4. Make them lengthy (NIST recommends minimum 8 characters, maximum 64 characters)
  5. Layer on Multi-Factor Authentication
  6. Enable a Single Sign-On option
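Items 1 through 4 above are things a login system can check at the moment a password is set, and the Password Hashing mentioned earlier is how the accepted password is then stored. The following is an added example (not from the original post or from NIST) that does both: it applies the 8-to-64-character bounds the list quotes, rejects a small constructed blocklist of common passwords, accepts passphrases with spaces, and stores the result as a salted PBKDF2 hash. The blocklist contents, the iteration count and the stored-record format are assumptions.

```python
"""Password acceptance check plus salted hashing for storage.

Added example, not part of the original post. Length bounds follow the
list in the post (8 minimum, 64 maximum); the blocklist is a constructed
stand-in for a real breached-password corpus.
"""
import hashlib
import hmac
import os
import unicodedata

MIN_LEN, MAX_LEN = 8, 64

# Constructed blocklist. A real deployment compares against a large
# breached/common-password list, not a handful of strings.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "welcome1"}


def _normalize(pw):
    # Normalize so the same passphrase typed with different Unicode forms
    # is checked and hashed consistently.
    return unicodedata.normalize("NFKC", pw)


def check_password(pw, blocklist=COMMON_PASSWORDS):
    """Return the list of reasons a candidate is rejected; empty means accepted.

    No composition rules (upper/lower/digit quotas) are enforced: length and a
    blocklist do more good, and spaces are allowed so passphrases work.
    """
    pw = _normalize(pw)
    reasons = []
    if len(pw) < MIN_LEN:
        reasons.append("too short")
    if len(pw) > MAX_LEN:
        reasons.append("too long")
    if pw.lower() in blocklist:
        reasons.append("common password")
    return reasons


def hash_password(pw, salt=None, iterations=600_000):
    """Derive a salted PBKDF2-HMAC-SHA256 hash and pack it with its parameters."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", _normalize(pw).encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(pw, stored):
    """Recompute the hash from the stored salt/iterations and compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", _normalize(pw).encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    for candidate in ["123456", "correct horse battery staple", "a" * 70]:
        print(repr(candidate[:20]), "->", check_password(candidate) or "accepted")
    record = hash_password("correct horse battery staple")
    print("stored:", record[:40] + "...")
    print("verify right:", verify_password("correct horse battery staple", record))
    print("verify wrong:", verify_password("correct horse battery stapler", record))
```

Only the packed record is ever written to the database; the plaintext is discarded after hashing, which is what makes a stolen password table far less useful than a stolen list of passwords.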

I would like to make a plug (as a former social worker) to please reach out to the older generation folks in your life. We all hear stories about how Grandma gave her credit card information to someone on the phone or are clicking links in spam emails because they thought it was from you. Reach out to a loved one today, help them make smarter cyber decisions, including passwords. If they are old enough to play on the computer, they are old enough to be hacked.

NJ has over 10 years inside the DoD working for various organizations and cleared defense contractors. With an ear to the ground on all things OPSEC, cyber, machine learning & mental health, she is an untapped keg of open source information.