Why are there recommendations to change passwords with certain intervals?

If I have a good password, e.g. a long misspelled odd sentence with a couple of special characters thrown in, why is the security compromised if I keep this password year after year?

To my knowledge there are two ways of getting into trouble:

1) Brute force. Are there really such stupid systems still around that an attacker can try an enormous amount of passwords without any reaction from the attacked system? An easy protection is of course to double the response time for each try.

2) An attacker gets hold of the password file and uses precalculated hashes to find a match in the password file.

None of these methods should work with a secure password regardless of how long it's been around so the question remains, why should I change?

Thomas Pornin

4 Answers


There are recommendations to change passwords regularly mostly out of mindless repetition of a poorly understood practice from much older times in a different context.

Initially, passwords were something for the military; every single fort or camp used a "password" that soldiers had to know in order to enter the camp. We have indications that such a system was generalized in the Roman army, more than 2000 years ago.

Since such a password was, by construction, known to several people (at least the guards at the camp entrance, and every soldier who had business outside of the camp, e.g. to go fetch wood or water), and also uttered regularly and thus possible prey to spies with good ears, it was assumed that such a password would not remain secret for long. In fact, one could rationally expect that at any time, some enemies would know the passwords. The passwords were just a mitigation feature meant to delay covert entrance by enemies, rather than a reliable way to block them. The effectiveness of a given password steadily dropped over time, within a few hours, and thus had to be renewed daily.

Then the context changed. Nowadays, you use your password to authenticate yourself on a computer. There still are enemies, and they still want to learn your password. However, a very important part of the situation has changed a lot: you are, by construction, the only person who knows your own password. This is the normal, expected situation. On average, there is no leak at all. Your password is not shared. Therefore, the effectiveness of your password, which really is its secrecy, does not decrease over time -- it may drop to zero if the attacker succeeds at learning it, but as long as this does not happen, the password is as good as new.

Another context property which changed a lot is what attackers do when they learn a user's password. In the old Roman camp setup, the attacker would enter the camp, roam about it to try to gather intelligence (e.g. by listening around the centurion's tent), and possibly indulge in some casual sabotage, such as setting fire to supplies. This takes time. In a whole night, a spy can do some substantial damage, which is why there were extra mitigation features (other sentinels, rules against loitering within the camp, curfew, and so on). The regular password renewal forces the attacker to reacquire the new password while he tries to spread havoc. In our modern computer world, things don't go that way. The attacker will plunder your files and accounts, read and send emails, and generally enact his mischiefs within a few seconds because all of this can be automated to a great extent.

Forcing frequent user password renewal is a common practice of sysadmins, but it is misguided. Forcing your users to change their passwords every 42 days (that's the default value in Windows / Active Directory) makes sense only if we assume that the two following properties hold:

  • On average, at any given time, a non-negligible proportion of user passwords are known to evil outsiders.
  • Attackers loiter in the systems for weeks, and forcing a password renewal is a substantial hindrance to their nefarious schemes.

In reality, neither property holds. The forced password renewal, thus, does not yield its alleged benefits.

On the other hand, forced password renewal weakens security:

  • Users must generate and remember new passwords, which is harder, and promotes behaviours which are detrimental to security, such as writing the passwords down on pieces of paper, or sharing the passwords with colleagues.
  • The rate of "forgotten passwords" will be higher, increasing the workload of help desks. These, in turn, will react by lowering their identification standards, making them more vulnerable to social engineering.
  • Users will not like it, and they will be more inclined to see the sysadmin as a control freak, to be avoided or circumvented, rather than a helpful friend whose warnings should be heeded. Most of practical security relies on voluntary cooperation from the user base, and any unexplainable constraint on their daily work will severely damage their willingness to cooperate.

To sum up, there are recommendations about password change out of misguided tradition. It is one of the myths which float around in the field of IT security, because sysadmins are people, and like all their other fellow humans they prefer to apply so-called "best practices" rather than making the effort to sit down and think.

The problem is inflated by how innovation is rewarded: in the field of security, innovation is tracked down, pursued, cornered and ignominiously slaughtered. If a sysadmin does "what everybody else does" and a problem occurs nonetheless, then he will not be blamed. However, if a sysadmin does a smart but novel thing, then he cannot expect any thanks; in fact, if an attack succeeds despite the novel system, the innovator will become the scapegoat for the whole business.

You can read some other opinions on this subject in this past question.

Thomas Pornin
  • Thanks for an elaborate and interesting view on this issue. It is along the lines I was thinking. I will keep my misspelled 20+ sentence, which is probably even safer due to not being in English. – Bengt62 Jan 19 '14 at 19:10
  • Out of all the attacks I've seen, exactly none have been thwarted by enforced password changing. On the other hand, we have experienced actual losses due to some mindless drone who clicked the "enforce password changes every 90 days", because an automated system broke 91 days after he checked that box. On the whole, enforcing password changes for individual users increases risk without reducing any other risks, and is a practice that should be discontinued. – John Deters Jan 19 '14 at 20:00
  • There's one scenario where property #2 does hold: when the attacker is using your WiFi to get free Internet access. If you're in the habit of giving your WiFi password out to your friends, property #1 may also hold, and you should consider changing your password from time to time. – Mark Jan 19 '14 at 23:55

Sometimes an attacker who knows a password will not take over the account, because changing it would make you notice that something is wrong. Instead the attacker will simply use your account, along with you. As long as you don't change it, the attacker will be able to continue this.

If you change it once in a while, the attacker will be locked out. At least for some time. This is also why it's important to change it to something completely different. (Instead of changing from "MyPassword42" to "MyPassword43".)

Whether you should change it often or not depends on how important the system is.
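The answer above insists that a rotated password must be "completely different", not "MyPassword42" to "MyPassword43". As an added illustration (not code from the answer or from any real password-policy library), here is a check a system could run at change time to reject such cosmetic rotations; the normalisation rules and the distance threshold of 5 are my own assumptions, not something the page specifies.

```python
import re


def _levenshtein(a: str, b: str) -> int:
    # Classic dynamic-programming edit distance (insert/delete/substitute).
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _stem(pw: str) -> str:
    # Normalise the parts people most often vary between rotations:
    # case, plus digit/symbol runs at either end ("MyPassword42" -> "mypassword").
    return re.sub(r"^[\d\W_]+|[\d\W_]+$", "", pw.lower())


def is_trivial_rotation(old: str, new: str, min_distance: int = 5) -> bool:
    """Return True when `new` is only a cosmetic variant of `old`.

    The three rules below are assumptions for this example; a real policy
    engine would tune them to its own user base.
    """
    if old == new:
        return True
    old_stem = _stem(old)
    if old_stem and old_stem == _stem(new):
        return True  # only a counter, suffix or prefix changed
    if _levenshtein(old.lower(), new.lower()) < min_distance:
        return True  # too few edits apart to count as a new secret
    if len(old_stem) >= 6 and old_stem in new.lower():
        return True  # the old password is merely embedded in the new one
    return False


if __name__ == "__main__":
    # Constructed sample pairs, not real credentials.
    for old, new in [("MyPassword42", "MyPassword43"),
                     ("MyPassword42", "correct horse battery staple")]:
        verdict = "rejected" if is_trivial_rotation(old, new) else "accepted"
        print(f"{old!r} -> {new!r}: {verdict}")
```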


Why are there recommendations to change passwords with certain intervals?

One of the reasons would be if you type the password where people are looking over your shoulder.

E.g. at work, where you log in while a coworker is standing next to you. You can (and should) ask them to look away while you type a password, but this is often perceived as annoying.

Regularly changing your password to something else in an unpredictable way mitigates this problem. The real solution, of course, is still not to enter any password as long as anyone else can see your keyboard.

Another reason is to match company rules. Sometimes these make sense, sometimes the rules are broken. E.g. I almost guarantee that the result from forced weekly password changes will be very predictable passwords or passwords written down on notes. However, with a proper period it can be quite useful. E.g. once per year.

(And I am now tempted to ask if my last work place changed the network admin password since I left there, which was over a year ago. If not, there are several people who no longer work at that place who could wipe the entire work setup, or could copy sales data, or worse, subtly change it. Which is a big reason why password changes can be useful in some cases, even if only as a backup to proper instructions such as: A leaves, change all passwords which 'A' knew.)

  • Thanks. My particular question came out of my private Lastpass password so as long as there is no keylogger and Lastpass can be trusted I should be safe. – Bengt62 Jan 19 '14 at 19:15
  • If someone sees and manages to remember the password you typed on the keyboard, and actually wants to do some damage, he probably won't wait for months. – Babken Vardanyan Jun 22 '14 at 20:30

This is a bit vague, but after a certain period of time, you're bound to use a password for an account on a public computer. That public computer could have keyloggers or any sort of malware. Thus you should change passwords some time after using such a computer.
