Do the “password shuffle” every 90 days?

Published on October 25, 2025 by Benjamin Knauss in IAM

Has this decades-old practice done more harm than good?

For years, mandatory password rotation was a compliance checkbox, a well-intentioned rule from an era before we had robust breach detection. The theory was sound: limit the lifespan of a stolen credential.

The reality, as we all know, is very different. Predictable human behavior kicks in. We don’t get stronger passwords; we get predictable, incremental ones. We get password fatigue. We get the dreaded sticky note on the monitor. We punish our entire user base for a problem they didn’t create, all while creating a false sense of security.

The truth is, mandatory rotation treats a symptom, not the root cause.

A modern security program must shift its focus from credential age to credential strength and compromise detection. Our first and most effective control is, without question, MFA. It’s the single best defense against a stolen password. Beyond that, our resources are better spent on breach detection—forcing a reset for only the credentials confirmed as compromised (e.g., via Have I Been Pwned), rather than punishing the entire user base.
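The compromise check described above, as an added example that is not code from the original post: a Pwned Passwords lookup using the range (k-anonymity) endpoint, where only the first five hex characters of the SHA-1 hash leave the organisation, and a reset is forced only when the kept suffix appears with a non-zero breach count. The sample range response is constructed for offline use; the endpoint URL, the `SUFFIX:COUNT` line format and the `Add-Padding` header are assumptions about the public service.

```python
"""Reset-on-confirmed-compromise check against a Pwned Passwords range response."""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # assumed public endpoint


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the uppercase hex SHA-1 into the 5-char prefix that is sent and
    the 35-char suffix that never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(suffix: str, range_response: str) -> int:
    """Return the breach count for the suffix, or 0 if it is absent.
    Padded entries (count 0) are treated the same as absent."""
    for line in range_response.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count or 0)
    return 0


def fetch_range(prefix: str) -> str:
    """Live lookup of one hash prefix (network; the offline demo does not call it)."""
    req = urllib.request.Request(RANGE_URL + prefix, headers={"Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def needs_reset(password: str, lookup=fetch_range) -> bool:
    """Policy decision: force a reset only for a credential confirmed compromised."""
    prefix, suffix = sha1_prefix_suffix(password)
    return breach_count(suffix, lookup(prefix)) > 0


# Constructed sample response for prefix 5BAA6 (the prefix of SHA-1("password")).
# Real responses hold hundreds of suffixes; the counts here are made up, and the
# second line imitates a padded (count 0) entry.
SAMPLE_RANGES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9999999\n"
        "0000ABCDEF0123456789ABCDEF012345678:0\n"
    )
}


def offline_lookup(prefix: str) -> str:
    """Stand-in for fetch_range that serves the constructed sample."""
    return SAMPLE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(pw, "-> reset" if needs_reset(pw, offline_lookup) else "-> ok")
```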

This risk-based approach, combined with encouraging password managers and championing long, memorable passphrases (which are far stronger than short, complex ones), is the new priority.

This isn’t just my opinion. This is the guidance from NIST 800-63B, which has for years advised moving away from arbitrary, periodic password resets.

It’s time to stop security rituals that frustrate users and focus on modern controls that actually mitigate risk.

Are you still enforcing 90-day rotations, or have you made the shift? I’m curious to hear what’s working for your teams.

#Cybersecurity #CISO #PasswordSecurity #MFA #ZeroTrust #NIST #RiskManagement
