Why changing your password every 90 days is outdated (and what to do instead)
Imagine this: You fire up your computer, ready to start your workday, only to be met with a login screen demanding you change your password again. And not just any password. It has to be something entirely new, packed with numbers, special characters, and at least eight characters long. Sound familiar? Many companies enforce a strict 90-day password reset rule, but is this actually necessary in 2025?
The short answer: No. While frequent password changes were once considered a cybersecurity best practice, modern research suggests they’re more of a hassle than a help.
Why companies require regular password resets
The reasoning behind mandatory password expiration is straightforward: If your login credentials constantly change, hackers have a harder time gaining access. For example, if a cybercriminal gets hold of a leaked password database, but your company enforces password changes every 90 days, your old password might already be obsolete.
Regular updates also protect against brute-force attacks, where hackers try countless password combinations until they find the right one. This includes dictionary attacks that target common passwords like “password123” or “letmein.” The idea is that by changing passwords frequently, you make it harder for attackers to crack them.
Why 90 days?
Some companies opt for a 30-day expiration policy, while others extend it to 180 days. But 90 days is the most common. The reason? It comes down to how passwords are stored and attacked.
Most modern systems never store your password itself. They store a hash of it, produced by a cryptographic hash function (ideally a deliberately slow, salted one such as bcrypt, scrypt, Argon2, or PBKDF2). When you log in, the system hashes what you typed and checks whether the result matches the stored value. An attacker who steals the hash database has to guess candidate passwords and hash each one until a result matches, and that takes time that grows with both the cost of the hash function and the unpredictability of the password.
Security experts once reasoned that a 90-day expiry would leave attackers too little time to crack a hash before the password was replaced. That reasoning no longer holds up. A weak or reused password in a leaked database falls to modern GPU cracking in minutes or hours, long before any 90-day window closes, while a long random password survives far longer than 90 days even against a fast hash. The expiry window rarely decides the outcome either way. This is why NIST SP 800-63B now advises verifiers not to require periodic password changes and to force a change only when there is evidence of compromise.
Why forced password changes no longer make sense
Mandatory password updates sound great in theory, but in practice, they create more problems than they solve. Here’s why:
1. People use weak, predictable passwords
Frequent password changes encourage bad habits. Instead of coming up with truly strong passwords, people take shortcuts, such as:
- Using obvious passwords like “Password123!”
- Making slight modifications to their previous password (e.g., changing “Winter2024!” to “Spring2024!”)
Attackers know this. Cracking tools apply exactly these small mutations (rotate the season, bump the year, increment the last digit, tack on another “!”) to any previously leaked password, so the “new” password often falls in a handful of guesses. As the National Institute of Standards and Technology (NIST) warns in SP 800-63B, changing passwords in predictable ways provides a false sense of security.
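To make the “predictable variation” problem concrete, here is an added example (not code from this page or from Passwd) that plays the attacker: it takes a user’s leaked previous password, generates the mutations people typically make after a forced reset, and checks each guess against a stored salted PBKDF2 hash of the new password. The leaked hash, the salt, and the PBKDF2 work factor are all constructed for the demonstration.

```python
import hashlib
import hmac
import os
import re

# Constructed scenario: an attacker holds a user's *previous* password from a
# breach dump and a salted PBKDF2 hash of the user's *new* password.
SEASONS = ["Winter", "Spring", "Summer", "Autumn", "Fall"]
ITERATIONS = 20_000  # assumption: the site's PBKDF2 work factor (kept low for speed)


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, standing in for whatever the site stores."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def candidates(old: str) -> list[str]:
    """Guesses derived from an old password, in the order a cracker would try them.

    Each rule is applied to everything generated so far, so rules compose:
    season rotation + year bump turns 'Winter2024!' into 'Spring2025!'.
    """
    seen: list[str] = []

    def add(p: str) -> None:
        if p not in seen:
            seen.append(p)

    add(old)                                   # rule 0: plain reuse
    for s in SEASONS:                          # rule 1: rotate a leading season word
        if old.startswith(s):
            for t in SEASONS:
                add(t + old[len(s):])
    for p in list(seen):                       # rule 2: bump a 20xx year by one
        m = re.search(r"20\d\d", p)
        if m:
            add(p[:m.start()] + str(int(m.group()) + 1) + p[m.end():])
    for p in list(seen):                       # rule 3: increment trailing digits
        m = re.match(r"^(.*?)(\d+)(\W*)$", p)
        if m:
            head, digits, tail = m.groups()
            for step in range(1, 6):
                add(f"{head}{int(digits) + step:0{len(digits)}d}{tail}")
    for p in list(seen):                       # rule 4: append a special character
        for c in "!#?":
            add(p + c)
    return seen


def crack(stored: bytes, salt: bytes, old_password: str):
    """Return (guess, guesses_tried) on a hit, or (None, guesses_tried) on a miss."""
    n = 0
    for n, guess in enumerate(candidates(old_password), start=1):
        if hmac.compare_digest(hash_password(guess, salt), stored):
            return guess, n
    return None, n


if __name__ == "__main__":
    salt = os.urandom(16)
    for old, new in [("Winter2024!", "Spring2025!"), ("Password123!", "Password124!")]:
        hit, tried = crack(hash_password(new, salt), salt, old)
        print(f"{old!r} -> {hit!r} after {tried} guesses")
    hit, tried = crack(hash_password("banana-satellite-dog-house", salt), salt, "Winter2024!")
    print(f"unrelated passphrase: {hit!r} after {tried} guesses")
```

The point is the guess count: a seasonal rotation with a year bump is found in under ten attempts, a trailing-digit increment on the second, and a slow hash does nothing to help because so few guesses are needed. An unrelated passphrase is never found, no matter how many mutation rules are tried.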
2. It leads to more password resets (and higher costs)
When people have to change their passwords every three months, they often forget them. Without a password manager, users typically:
- Write passwords down (a huge security risk)
- Forget them and lock themselves out
- Call IT for help
Studies show that 20-50% of IT help desk calls are for password resets, at an estimated cost to businesses of around $70 per reset. That adds up quickly, making mandatory password changes a costly and inefficient security measure.
What you should do instead
Rather than forcing employees to change passwords on a schedule, a better approach is to encourage the use of strong, unique passwords and update them only when necessary. Here’s how:
- Use long passwords – Length matters far more than special-character rules. The longer your password, the harder it is to crack. Aim for at least 12-16 characters.
- Ditch common passwords – Avoid predictable choices like “123456,” “password,” or variations of your name and birthday.
- Use passphrases – Combine random, unrelated words like “banana-satellite-dog-house” for a password that’s both strong and easy to remember.
- Monitor for breaches – Use an email compromise checker to see whether your credentials have been exposed in a known data breach. If they have, change that password immediately, wherever it was reused.
- Use a password manager – A tool like Passwd generates and stores strong passwords for you, eliminating the need for frequent resets in your company.
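Breach monitoring does not require handing your password to anyone. The Pwned Passwords service, for example, lets you check a password by sending only the first five hex characters of its SHA-1 hash; the server returns every known suffix with that prefix and the match is made locally. The following added example (not code from this page or from Passwd) implements that k-anonymity check against a constructed offline copy of one range response, so it runs without network access; the `fetch_range_live` function shows the real request shape but is not exercised here. The only real value in the sample data is the SHA-1 of “password”; the counts and the other suffixes are made up.

```python
import hashlib
import urllib.request

# Constructed stand-in for the Pwned Passwords "range" endpoint. The real
# service answers GET /range/{5-hex-chars} with one "SUFFIX:COUNT" line per
# known hash sharing that prefix. The first suffix below is the genuine SHA-1
# of "password" (5baa61e4...); its count and the other two lines are invented.
CONSTRUCTED_RANGES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\n"
        + "0" * 34 + "A:12\n"
        + "F" * 35 + ":1\n"
    ),
}


def sha1_split(password: str) -> tuple[str, str]:
    """Return (prefix sent to the server, suffix kept locally)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a lookup table."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep:
            counts[suffix.upper()] = int(count)
    return counts


def fetch_range_offline(prefix: str) -> str:
    """Offline fetcher: serves the constructed data above, nothing leaves the machine."""
    if len(prefix) != 5:
        raise ValueError("only the 5-character hash prefix may be sent")
    return CONSTRUCTED_RANGES.get(prefix, "")


def fetch_range_live(prefix: str) -> str:
    """Live fetcher for the real API (not called in this demo). Add-Padding asks the
    server to pad the response so its size does not hint at the prefix's contents."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "password-check-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch_range=fetch_range_offline) -> int:
    """How many times the password appears in the breach corpus (0 = not seen).

    Only the 5-character prefix is passed to fetch_range; the full hash is
    compared locally against the returned suffixes.
    """
    prefix, suffix = sha1_split(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for pw in ["password", "banana-satellite-dog-house"]:
        print(f"{pw!r}: seen {breach_count(pw)} times")
```

Swap `fetch_range_live` in for the default fetcher to query the real service. Padded responses include suffixes with a count of 0, which the parser already treats as “not breached”.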
The future of password security
Many companies still enforce outdated password policies, but change is coming. The best security strategy today is strong, unique passwords combined with multi-factor authentication (MFA), with a forced change only when a password is known or suspected to be compromised, not every few months on a calendar.
Until your employer ditches the 90-day rule, a password manager can make compliance painless. With Passwd, you can generate, store, and autofill secure passwords effortlessly so you never have to worry about remembering (or resetting) them again.
No stress. No forgotten passwords. Just better security.