How Often Should Users Be Required to Reset Their Password?

By: Omer Kaan Aslim
October 07, 2020
Does requiring users to reset their passwords every few months promote better security or does it reduce security?

Conventional Wisdom

According to the Center for Internet Security, users should be required to change their passwords every 60 days. Various security technical implementation guides from the U.S. Defense Information Systems Agency also say that users should be required to change their passwords every 60 days.
Why does this guidance exist? Changing a password every few months prevents someone who has already stolen it from keeping continuous access to the account: they are forced to discover the new password after each change. Another reason is that a hacker could potentially crack the hash of a weak password within a short period of time (perhaps a few months or less). Required password resets make any passwords the hacker has already cracked outdated.

New Guidance From the U.S. National Institute of Standards and Technology (NIST)

  • Passwords should be at least 8 characters long but users are encouraged to use much longer passwords.
  • Users should not be required to reset their passwords; rather, users should concentrate on using a long, good-quality password that is easy to remember but difficult to guess.
  • Passwords should not be too complicated, otherwise users will not be able to remember them. As a result, using mixed cases, characters, and numbers isn’t paramount, as users are often tempted to write them down.
  • With multi-factor authentication, password resets are less important.

Password resets still play a role. You can mandate password resets when you detect suspicious activity on an account instead of every few months.

Which Method is Better?

The logic behind both password approaches is sound, and neither method is wrong. The conventional method, where users need to change their passwords every two months, can create more work for your IT helpdesk: users are more likely to forget their new passwords or to let their passwords expire, so the helpdesk has to assist them more often. By not requiring password resets, you can reduce the workload on your IT helpdesk. Overall, the new method from NIST, when coupled with multi-factor authentication, makes managing passwords easier for both IT staff and end users. You can also go with a hybrid approach, perhaps requiring users to reset their passwords every six months or annually. It is really up to what works best for your company culture and your compliance requirements.
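To make the trade-off concrete, the following added example (not code from the article) models the three approaches above and computes how long a stolen password stays usable under each, plus how many scheduled resets each one generates per year. The `Policy` fields, the policy names, and the dates are assumptions made for illustration, and the conventional policy is modelled as timer-only.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Policy:
    name: str
    max_age_days: Optional[int]  # None: passwords never expire on a timer
    reset_on_detection: bool     # force a reset when suspicious activity is flagged


# The three approaches from the article. Field values beyond the stated
# intervals are modelling assumptions (the conventional one is timer-only here).
CONVENTIONAL = Policy("conventional-60-day", 60, False)
NIST_STYLE = Policy("nist-event-driven", None, True)
HYBRID = Policy("hybrid-annual", 365, True)


def next_forced_reset(policy: Policy, last_changed: date,
                      detected_on: Optional[date] = None) -> Optional[date]:
    """Earliest date the policy forces a new password, or None if never."""
    candidates = []
    if policy.max_age_days is not None:
        candidates.append(last_changed + timedelta(days=policy.max_age_days))
    if policy.reset_on_detection and detected_on is not None:
        candidates.append(detected_on)
    return min(candidates) if candidates else None


def exposure_days(policy: Policy, last_changed: date, stolen_on: date,
                  detected_on: Optional[date] = None) -> Optional[int]:
    """Days a stolen password stays usable; None means no upper bound."""
    reset = next_forced_reset(policy, last_changed, detected_on)
    return None if reset is None else max((reset - stolen_on).days, 0)


def timed_resets_per_year(policy: Policy) -> int:
    """Scheduled resets per user per year (a rough helpdesk-load indicator)."""
    return 0 if policy.max_age_days is None else 365 // policy.max_age_days


if __name__ == "__main__":
    changed, stolen = date(2020, 1, 1), date(2020, 1, 11)  # constructed dates
    for detected in (date(2020, 1, 14), None):              # detected vs. missed
        for p in (CONVENTIONAL, NIST_STYLE, HYBRID):
            print(p.name, "detected" if detected else "undetected",
                  exposure_days(p, changed, stolen, detected),
                  timed_resets_per_year(p))
```

With these constructed dates, a theft that is never detected is bounded at 50 days by the 60-day timer, has no bound under the event-driven policy alone, and is bounded at 355 days under the annual hybrid.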
