background image


Periodic Password Changes


For years, enterprises have relied on passwords to protect their assets from cybercriminals. However, passwords now constitute one of the biggest security threats to enterprise networks, systems, devices, and of course, data. In 2019, 42% of companies were victims of a data breach due to a password compromise. The situation has worsened in 2021, with 61% of enterprise breaches now involving stolen credentials. Now, password-related attacks are not only common, but they’re also very expensive, with incidents costing about $870,000 on average.

To protect enterprise assets and users, many security best practices advise periodic password changes. However, this age-old “conventional wisdom” is not recommended by the National Institute of Standards and Technology (NIST). Here’s why.

The Risks of Password-based Security

Generally, enterprise security policies require users to create long passwords and include a mix of letters, letters, numbers and special characters. Users are also required to create passwords that others cannot easily guess. So, names, birthdays, anniversaries, pets’ names, etc., are a strict no-no.

But today, this approach to password security is inadequate. Over the past few years, hackers have mined information about actual password breaches to assemble dictionaries containing millions of words. They then use these dictionaries and new cracking techniques to guess and steal passwords. By duplicating credentials, they can access additional accounts and expose even more data.

Another problem is that when users are forced to create complex passwords, they find them hard to remember. As a result, they write them down or store them where they can be seen or stolen. Ultimately, when passwords (or their corresponding hashes) are compromised, it’s almost impossible to restrict their unauthorized use.

The primary reason security professionals advise against periodic password changes is that when human beings change that often, they tend to conform to a pattern. That is why ethical hackers at Packetlabs see passwords like Summer2021, Fall2021, Spring2021.

The password concept is something that was invented in the 90s, and the premise of passwords is simply something complex that we have to memorize. Those two things don’t work well together. For all these reasons, forcing users to change their passwords regularly or implementing rigid policies about password length and complexity just don’t work. And that’s why NIST and even large enterprises like Microsoft do not recommend mandating periodic password changes.

The NIST Alternative to Periodic Password Changes

Instead of password expiration policies, NIST points to a better alternative: enforcing a password list. Also known as a password deny list, banned password list, or password dictionary, such a list contains password values known to be commonly used or compromised. Organizations can use this list to block weak, insecure and vulnerable passwords and their variants from being used by employees, and more importantly, from being hacked by cybercriminals.

The NIST recommends adding all the below to a banned password list:

  • Dictionary words

  • Repetitive characters (e.g. 999)

  • Sequential characters (e.g. 1234 or abcd)

  • Context-specific words (e.g. username)

  • Passwords from previous breaches

With password lists like Azure AD Password Protection, security teams can create a custom banned password list to block organization-specific weak terms that may lead to a compromise of their networks or systems.

The Advantages of Banned Password Lists

A banned password list takes the burden of password-based security away from individual users. This is important because regardless of how strong the firm’s password policies are (change passwords every 30 days, don’t repeat the last three passwords, etc.), human beings will always look for shortcuts for passwords. More often than not, they will:

  • Make only small/predictable changes to previous passwords to minimize hassle.

  • Reuse passwords as far as possible

  • Forget their new passwords, or worse, write them down

  • Share passwords with others

All these practices contribute to poor password hygiene, which makes the organization even more vulnerable to hackers. Frequent expirations and added complexity also annoy users and impact their productivity. They also put a strain on the helpdesk team.

Banned password lists eliminate all these challenges. So, instead of forcing users to frequently create long/complex passwords or make periodic password changes, NIST recommends that administrators block all weak or compromised passwords from the outset. With a tool like Azure AD Password Protection, security teams can proactively guard the organization against known risky passwords and minimize the chances of a password-based compromise or data breach.


Periodic password changes can have little or no positive impact on your organization’s cybersecurity. This is because most password-based attacks have more to do with bad passwords, shared passwords, or technology-based compromises like phishing attacks or malware and very little to do with password age. Strong security starts with good password hygiene. However, it’s virtually impossible to ensure this hygiene with every employee, every time. That’s why it makes more sense to keep out vulnerable passwords by creating a banned password list.

To learn more about the risks of password-based security, explore our other articles here, here and here. Contact Packetlabs if you’re looking for solutions to strengthen your organization’s security infrastructure with penetration testing, application security testing or managed security QA.

Sign up for our newsletter

Get the latest blog posts in your inbox biweekly!