It is and it’s actually not even recommended best practise to change passwords anymore precisely because of this. It hasn’t been considered best practise since I think around 2016-17 so businesses are really lagging.
If you get governmental contract work and pretty sure not resetting the passwords too often is actually now part of the security requirement but outside of that businesses just do what they think is best regardless of research.
For those who don’t see the reason why, forced password resets lead to users using predictable passwords like “password2025october”, “password2025november”, etc.
Yep. Back when I was being forced to reset my passwords every 90 days, I needed some way to remember the new password, so I developed a strategy like that. Whatever beverage is currently on my desk plus @ plus the time. Water@1257, for example. It’s so nice to have the option to randomly generate a strong password these days.
To be fair, simply forcing users to create a new password every X weeks is bad security policy.
It is and it’s actually not even recommended best practise to change passwords anymore precisely because of this. It hasn’t been considered best practise since I think around 2016-17 so businesses are really lagging.
If you get governmental contract work and pretty sure not resetting the passwords too often is actually now part of the security requirement but outside of that businesses just do what they think is best regardless of research.
deleted by creator
It’s actually even outright discouraged by NIST.
For those who don’t see the reason why, forced password resets lead to users using predictable passwords like “password2025october”, “password2025november”, etc.
Yep. Back when I was being forced to reset my passwords every 90 days, I needed some way to remember the new password, so I developed a strategy like that. Whatever beverage is currently on my desk plus @ plus the time. Water@1257, for example. It’s so nice to have the option to randomly generate a strong password these days.