RESEARCH · March 25, 2025 · 6 min read

Why You Should Stop Rotating Passwords (Unless You're Breached)

Forced password rotation increases risk by encouraging weak, predictable patterns. Here is what the research shows and what NIST recommends instead.

Where the rotation requirement came from

Mandatory password rotation became IT policy orthodoxy in the 1980s and 1990s, based on the theory that even if a password was compromised, the attacker would lose access at the next rotation. This made sense when passwords were often stored in plaintext and offline cracking wasn't fast enough to defeat long complex passwords.

In 2025, neither assumption holds.

What the research actually shows

A landmark 2010 study from Carnegie Mellon University found that users who were forced to change passwords regularly converged on predictable patterns: incrementing a number, changing a letter to a symbol variant, appending the current month. Forced rotation didn't produce better passwords — it produced worse ones with a veneer of change.
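The patterns the study describes (incrementing a counter, swapping a letter for a symbol look-alike, appending the month) are exactly what a verifier can screen for at change time. The following check is an added example, not code from the original post or from the study; the normalization rules, the symbol map and the one-edit threshold are assumptions chosen for illustration. It reduces old and new passwords to a "core" (lower-cased, trailing counters, months and punctuation stripped, common symbol-for-letter substitutions undone) and treats the change as trivial when the cores match or the strings differ by a single edit.

```python
import re

# Common symbol/digit look-alikes undone before comparison (assumed map, not from the post).
LEET_MAP = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
    "0": "o", "$": "s", "5": "s", "7": "t",
})

MONTHS = [
    "january", "february", "march", "april", "may", "june", "july",
    "august", "september", "october", "november", "december",
    "jan", "feb", "mar", "apr", "jun", "jul", "aug", "sep", "sept",
    "oct", "nov", "dec",
]
# Longest names first so "march" is consumed before "mar" is tried.
_MONTH_ALT = "|".join(sorted(MONTHS, key=len, reverse=True))
# One or more trailing "change tokens": a month name, a run of digits, or punctuation.
_SUFFIX_RE = re.compile(r"(?:" + _MONTH_ALT + r"|\d+|[!@#$%^&*.?_-]+)+$")


def core(password: str) -> str:
    """Strip the decorations rotation policies encourage, then undo look-alike symbols.

    Over-stripping (e.g. 'may' at the end of a real word) only makes the check stricter,
    which is the safe direction for a verifier-side screen.
    """
    s = _SUFFIX_RE.sub("", password.lower())
    return s.translate(LEET_MAP)


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; catches single-character tweaks the core() rules miss."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trivial_variant(old: str, new: str) -> bool:
    """True when the new password is a predictable rewrite of the old one."""
    if core(old) == core(new):
        return True
    return levenshtein(old.lower(), new.lower()) <= 1


if __name__ == "__main__":
    # Constructed sample pairs; the first three are rejected, the last is a real change.
    for old, new in [("Password1", "Password2"), ("Password1", "P@ssword1!"),
                     ("CorrectHorse", "CorrectHorseMarch"), ("Winter2024", "Spring2025")]:
        print(f"{old!r} -> {new!r}: trivial={is_trivial_variant(old, new)}")
```

A verifier that only ever asks for a change on evidence of compromise, and rejects trivial variants when it does, removes most of the incentive the study found; the check is deliberately conservative, so a rejected candidate should be met with a prompt for an unrelated passphrase rather than a hint about which rule fired.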

Microsoft's Security team published similar findings in 2019, announcing they were removing periodic password expiration from their baseline security recommendations. NIST followed with explicit guidance against mandatory rotation in SP 800-63B. The UK's NCSC (National Cyber Security Centre) made the same recommendation. The consensus among security standards bodies is now clear.

The current NIST position

NIST SP 800-63B Section 5.1.1.2 states: "Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator."

The operative word is "evidence." Don't rotate on a calendar — rotate when you know or strongly suspect a breach.

When to actually change your password

There are four legitimate reasons to change a password: the site was breached and your credentials may have been exposed; you shared the password with someone and that access should be revoked; you typed the password on an untrusted device; or you suspect your device has malware.

Outside of these cases, changing a strong unique password that hasn't been compromised provides no security benefit and actively encourages the patterns that make passwords weaker.
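Turning the NIST rule and the four triggers above into a reset decision is mostly a matter of comparing when a credential was set against when the exposure ended. The code below is an added example, not from the post or from NIST; the event names, the `exposure_ended_at` convention and the sample accounts and events are assumptions. A credential set after an exposure window closed was never exposed by that event and is left alone, and a calendar-driven "scheduled_rotation" event is deliberately not a trigger.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# The four triggers from the post; password age is intentionally absent.
COMPROMISE_EVENTS = {
    "breach_exposure",         # the site was breached and credentials may be exposed
    "credential_shared",       # the password was handed to someone and must be revoked
    "untrusted_device_login",  # the password was typed on a device you do not control
    "malware_suspected",       # the user's own device may be compromised
}


@dataclass
class Account:
    user: str
    password_set_at: datetime


@dataclass
class Event:
    kind: str
    user: Optional[str]          # None means the event applies to every account (site-wide breach)
    exposure_ended_at: datetime  # last moment the credential could have leaked through this event;
                                 # for unremediated malware or an open share, record "now"


def needs_forced_reset(account: Account, events: list[Event]) -> tuple[bool, str]:
    """Return (reset?, reason). Only evidence of compromise can answer True."""
    for ev in events:
        if ev.user not in (None, account.user):
            continue                      # not about this account
        if ev.kind not in COMPROMISE_EVENTS:
            continue                      # e.g. a scheduled rotation: no evidence, no reset
        if account.password_set_at > ev.exposure_ended_at:
            continue                      # set after the exposure closed: already unaffected
        return True, ev.kind
    return False, "no evidence of compromise"


def reset_plan(accounts: list[Account], events: list[Event]) -> dict[str, str]:
    """Map each account that must reset to the triggering event kind."""
    plan = {}
    for acct in accounts:
        reset, reason = needs_forced_reset(acct, events)
        if reset:
            plan[acct.user] = reason
    return plan


def _utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed sample data for illustration.
SAMPLE_ACCOUNTS = [
    Account("alice", _utc(2025, 1, 10)),   # set before the breach window closed
    Account("bob", _utc(2025, 3, 20)),     # set after the breach, but later typed on a kiosk
    Account("carol", _utc(2025, 3, 5)),    # set after the breach; only a calendar event follows
]
SAMPLE_EVENTS = [
    Event("breach_exposure", None, _utc(2025, 3, 1)),
    Event("scheduled_rotation", "carol", _utc(2025, 3, 25)),
    Event("untrusted_device_login", "bob", _utc(2025, 3, 22)),
]


if __name__ == "__main__":
    for user, reason in reset_plan(SAMPLE_ACCOUNTS, SAMPLE_EVENTS).items():
        print(f"{user}: force reset ({reason})")
```

Recording the end of the exposure window rather than its start is what lets the policy avoid pointless resets after a breach disclosure: users who already changed their password once the vendor closed the hole are not asked to do it again.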
