Password Expiry Policies in 2026: Why NIST Dropped Forced Resets
For decades, IT departments forced users to change their passwords every 90 days. The rationale seemed obvious: if someone obtains your password, they can use it only until the next scheduled change. The flaw is that stolen passwords are typically used within hours or days, long before any expiry date, so the window rarely protects anyone. NIST has been walking the practice back since SP 800-63B Rev 3 (2017), which said verifiers SHOULD NOT require periodic changes; the July 2025 Rev 4 hardened that to SHALL NOT, and organisations across the public and private sectors are now following suit.
The Research That Changed Everything
Multiple studies informed the NIST position. A 2024 analysis by the NCSC found that 78% of users increment their password when forced to change (e.g., Summer2026! becomes Autumn2026!). A rule-based cracker such as hashcat or John the Ripper, given the old password, regenerates such variants in a handful of guesses. Carnegie Mellon research published in 2024 reached the same conclusion from the defender's side: because successive passwords are related, an attacker who cracks one old hash gets a short candidate list for the current one, so forced expiry made dictionary attacks against the password database more effective, not less.
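The following is an added example, not code from the article or from either study it cites. It applies the mutation rules the text describes (season rotation, year shift, trailing-digit increment, symbol swap) to a known previous password, the way a rule-based cracker would, and shows how few guesses separate the old password from the "new" one. The rule set and the depth of two rounds are assumptions chosen for illustration.

```python
"""Why scheduled expiry yields predictable passwords: derive the small set of
successors a user is likely to choose from a known previous password, the way a
rule-based cracker (hashcat/John rules) would. Added example; the mutation
rules are constructed from the patterns the text describes, not taken from any
cited study."""
import re

SEASONS = ["Spring", "Summer", "Autumn", "Fall", "Winter"]
SUFFIXES = ["!", "@", "#", "$", "1"]


def successor_candidates(old: str) -> set[str]:
    """One round of the common user mutations applied to `old`."""
    cands = {old}  # straight reuse is the commonest "new" password
    # 1. Rotate season words (Summer2026! -> Autumn2026!)
    for s in SEASONS:
        if s.lower() in old.lower():
            for t in SEASONS:
                if t != s:
                    cands.add(re.sub(s, t, old, flags=re.IGNORECASE))
    # 2. Shift a 4-digit year by one in either direction
    for m in re.finditer(r"(?:19|20)\d\d", old):
        y = int(m.group())
        for d in (-1, 1):
            cands.add(old[:m.start()] + str(y + d) + old[m.end():])
    # 3. Increment a trailing digit run, keeping its width (hunter2 -> hunter3)
    m = re.search(r"(\d+)(\W*)$", old)
    if m:
        n, width = int(m.group(1)), len(m.group(1))
        for d in (1, 2):
            cands.add(old[:m.start(1)] + str(n + d).zfill(width) + m.group(2))
    # 4. Swap or append a trailing symbol (Password1 -> Password1!)
    tail = re.search(r"[^\w\s]+$", old)
    base = old[:tail.start()] if tail else old
    for sfx in SUFFIXES:
        cands.add(base + sfx)
        cands.add(old + sfx)
    return cands


def reachable(old: str, depth: int = 2) -> set[str]:
    """Every password reachable from `old` in at most `depth` mutation rounds."""
    seen = {old}
    frontier = {old}
    for _ in range(depth):
        nxt = set()
        for p in frontier:
            nxt |= successor_candidates(p)
        frontier = nxt - seen
        seen |= nxt
    return seen


def is_predictable_successor(old: str, new: str, depth: int = 2) -> bool:
    """True if `new` is one of the cheap guesses an attacker holding `old` would try."""
    return new in reachable(old, depth)


def candidate_count(old: str, depth: int = 2) -> int:
    """Size of the guess space an attacker faces once the old password is known."""
    return len(reachable(old, depth))


if __name__ == "__main__":
    old = "Summer2026!"
    print(f"{candidate_count(old)} candidates cover two rounds of mutation from {old!r}")
    for new in ("Autumn2026!", "Winter2027!", "correct horse battery staple"):
        print(f"  {new!r}: predictable={is_predictable_successor(old, new)}")
```

The same function doubles as a verifier-side check: a service that stores the previous password (or, more safely, checks the candidate set against the previous hash at change time) can refuse a new password that is a cheap mutation of the old one.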
What NIST SP 800-63B Rev 4 Actually Says
The July 2025 revision of NIST SP 800-63B is explicit: verifiers and CSPs SHALL NOT require subscribers to change passwords periodically. The same section requires a forced change when there is evidence that the authenticator has been compromised: a breach of the service's credential store, a credential-stuffing campaign observed succeeding against the account, or direct evidence that a specific account's password was exposed. A change on that basis targets the affected accounts, not the whole user base on a calendar.
The standard also sets the length floor at 8 characters (a SHALL) and recommends 15 (a SHOULD), requires that passwords of at least 64 characters be accepted without truncation, prohibits composition rules (mixing uppercase, lowercase, digits and symbols), and requires that every new or changed password be compared against a blocklist of commonly used, expected or compromised passwords. The Have I Been Pwned corpus is the usual source for the compromised set; re-checking existing passwords at login as that corpus grows is a sensible addition, though NIST requires the check only at creation and change.
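An added example of what those rules look like as verifier code; it is not NIST's or Have I Been Pwned's own code. The breach lookup is a constructed stand-in with made-up counts, shaped like the k-anonymity range query HIBP exposes (send the first five hex digits of the SHA-1, receive suffix:count lines) so that a live client could swap in an HTTP call without changing the rest. Section numbers and constants follow Rev 4 as described above.

```python
"""Password acceptance check modelled on the SP 800-63B Rev 4 password rules:
an 8-character SHALL floor, a 15-character SHOULD floor, no composition rules,
no truncation, and a blocklist comparison on every new or changed password.
Added example, not NIST's or HIBP's code; the range lookup is a constructed
stand-in shaped like a k-anonymity range query."""
import hashlib
import unicodedata
from dataclasses import dataclass, field

MIN_LEN_SHALL = 8    # Rev 4: verifiers SHALL require at least 8 characters
MIN_LEN_SHOULD = 15  # Rev 4: verifiers SHOULD require at least 15

# Constructed breach corpus with made-up counts, standing in for a real blocklist.
CONSTRUCTED_BREACHED = {"Summer2026!": 1_203, "password": 9_659_365, "123456789": 7_870_694}


def sha1_upper(pw: str) -> str:
    return hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()


def range_lookup(prefix5: str) -> list[str]:
    """Simulated range response: 'SUFFIX:COUNT' for every corpus hash sharing
    the first five hex digits. A live client would GET
    https://api.pwnedpasswords.com/range/<prefix5> and parse the same shape,
    so the full password hash never leaves the verifier."""
    lines = []
    for pw, count in CONSTRUCTED_BREACHED.items():
        h = sha1_upper(pw)
        if h[:5] == prefix5:
            lines.append(f"{h[5:]}:{count}")
    return lines


def breach_count(pw: str, lookup=range_lookup) -> int:
    """How often `pw` appears in the corpus behind `lookup`; 0 if never."""
    h = sha1_upper(pw)
    for line in lookup(h[:5]):
        suffix, _, count = line.partition(":")
        if suffix == h[5:]:
            return int(count)
    return 0


@dataclass
class Verdict:
    accepted: bool
    reasons: list[str] = field(default_factory=list)   # why it was rejected
    warnings: list[str] = field(default_factory=list)  # accepted, but worth a nudge


def evaluate_password(pw: str, lookup=range_lookup) -> Verdict:
    """Apply the Rev 4 rules to a prospective password at creation or change."""
    v = Verdict(accepted=True)
    # Rev 4: normalise (NFKC or NFKD) before counting and hashing, and count
    # code points rather than bytes so Unicode passphrases are not penalised.
    pw = unicodedata.normalize("NFKC", pw)
    n = len(pw)
    if n < MIN_LEN_SHALL:
        v.accepted = False
        v.reasons.append(f"{n} characters is below the 8-character floor")
    elif n < MIN_LEN_SHOULD:
        v.warnings.append(f"{n} characters meets the floor but is below the recommended 15")
    # No upper bound and no truncation: Rev 4 requires at least 64 characters
    # to be accepted as typed, and longer is simply hashed in full.
    count = breach_count(pw, lookup)
    if count:
        v.accepted = False
        v.reasons.append(f"appears {count} times in the breach corpus")
    # Deliberately absent: uppercase/lowercase/digit/symbol composition rules.
    # Rev 4 says verifiers SHALL NOT impose them.
    return v


if __name__ == "__main__":
    for candidate in ("hunter2", "Summer2026!", "tenchars!!", "correct horse battery staple"):
        r = evaluate_password(candidate)
        print(f"{candidate!r}: accepted={r.accepted} reasons={r.reasons} warnings={r.warnings}")
```

Note what is not in the function: no "must contain a digit", no "must differ from the last five", no expiry timestamp. The only time this code runs is when the user sets or changes the password, or when a compromise check is triggered.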
The Cost of Unnecessary Resets
Forced password resets carry a measurable operational cost. Gartner estimated in 2025 that each help desk password reset call costs organisations between $25 and $45. For an organisation of 10,000 users on a quarterly schedule, that is 40,000 reset events a year; even if only 10% of them turn into help desk calls, that is 4,000 calls, or $100,000 to $180,000 annually in reset support alone.
Beyond financial costs, every forced reset creates a window of user friction where employees may resort to writing passwords on sticky notes, storing them in unencrypted documents, or creating predictably related variants that weaken overall security posture.
Implementing a Modern Password Policy
Replace mandatory expiry with these five controls:
- Minimum 15-character length — each additional character multiplies the guess space, whereas composition rules add little because users satisfy them in predictable ways (a capital first letter, a digit or ! at the end)
- Breach detection — compare every new or changed password against a breach blocklist, and re-check at login as the blocklist grows (the plaintext is only available then)
- Multi-factor authentication — preferably phishing-resistant (FIDO2/WebAuthn); it caps what a stolen password is worth
- Anomaly detection — flag logins from unusual locations, devices, or times
- Conditional-only resets — only force changes on confirmed compromise evidence
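The anomaly-detection and conditional-reset controls above, as an added example run over a constructed login log; this is not the article's code or any product's rule set. The thresholds (five failures from four or more distinct IPs within fifteen minutes), the field names and the three-way decision are assumptions chosen to illustrate the policy: a new device alone gets a step-up challenge, while a stuffing burst followed by a success from an unseen device in an unseen country is treated as evidence of compromise and forces a reset for that one account only.

```python
"""Anomaly detection feeding conditional-only resets. Added example over a
constructed login log; thresholds, field names and the decision rules are
assumptions for illustration, not from the article or any specific product."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Login:
    ts: datetime
    user: str
    src_ip: str
    country: str
    device_id: str
    success: bool


# Tunables (assumed values): what counts as a stuffing burst against one account.
FAIL_THRESHOLD = 5
DISTINCT_IP_THRESHOLD = 4
WINDOW = timedelta(minutes=15)

T0 = datetime(2026, 3, 2, 9, 0)


def _ev(days, mins, user, ip, country, dev, ok):
    return Login(T0 + timedelta(days=days, minutes=mins), user, ip, country, dev, ok)


# Constructed sample log (not real traffic). alice: new laptop, same country.
# bob: five failures from five IPs in ten minutes, then a success from an unseen
# device in an unseen country. carol: routine.
EVENTS = [
    _ev(0, 0, "alice", "198.51.100.7", "GB", "dev-a1", True),
    _ev(1, 5, "alice", "198.51.100.7", "GB", "dev-a1", True),
    _ev(3, 120, "alice", "203.0.113.1", "GB", "dev-a2", True),
    _ev(0, 30, "bob", "192.0.2.10", "DE", "dev-b1", True),
    _ev(2, 30, "bob", "192.0.2.10", "DE", "dev-b1", True),
    _ev(4, 0, "bob", "203.0.113.50", "US", "dev-x1", False),
    _ev(4, 2, "bob", "203.0.113.51", "US", "dev-x2", False),
    _ev(4, 4, "bob", "203.0.113.52", "US", "dev-x3", False),
    _ev(4, 6, "bob", "203.0.113.53", "US", "dev-x4", False),
    _ev(4, 8, "bob", "203.0.113.54", "US", "dev-x5", False),
    _ev(4, 10, "bob", "203.0.113.55", "US", "dev-x9", True),
    _ev(0, 45, "carol", "198.51.100.20", "GB", "dev-c1", True),
    _ev(5, 45, "carol", "198.51.100.20", "GB", "dev-c1", True),
]


def assess(events):
    """One chronological pass. Returns (decisions, findings):
    decisions: user -> 'ok' | 'step_up' | 'force_reset'
    findings:  user -> list of human-readable reasons.
    'force_reset' is per account and only on evidence of compromise; nobody
    else's password is touched."""
    events = sorted(events, key=lambda e: e.ts)
    seen = defaultdict(set)    # user -> {(country, device_id)} from past successes
    fails = defaultdict(list)  # user -> [(ts, src_ip)] recent failures
    decisions = {}
    findings = defaultdict(list)
    for e in events:
        decisions.setdefault(e.user, "ok")
        if not e.success:
            fails[e.user].append((e.ts, e.src_ip))
            continue
        recent = [(t, ip) for t, ip in fails[e.user] if e.ts - t <= WINDOW]
        fails[e.user] = []  # a success closes the failure window
        known = seen[e.user]
        new_country = bool(known) and e.country not in {c for c, _ in known}
        new_device = bool(known) and e.device_id not in {d for _, d in known}
        distinct_ips = len({ip for _, ip in recent})
        burst = len(recent) >= FAIL_THRESHOLD and distinct_ips >= DISTINCT_IP_THRESHOLD
        if burst and new_country and new_device:
            decisions[e.user] = "force_reset"
            findings[e.user].append(
                f"{e.ts:%Y-%m-%d %H:%M} success from unseen device/country after "
                f"{len(recent)} failures from {distinct_ips} IPs: evidence of "
                "compromise, force reset and revoke sessions")
        elif new_country or new_device:
            if decisions[e.user] != "force_reset":
                decisions[e.user] = "step_up"
            findings[e.user].append(
                f"{e.ts:%Y-%m-%d %H:%M} anomalous success from {e.src_ip} "
                f"(new_country={new_country}, new_device={new_device}): step-up MFA, notify user")
        known.add((e.country, e.device_id))
    return decisions, dict(findings)


if __name__ == "__main__":
    dec, why = assess(EVENTS)
    for user in sorted(dec):
        print(user, dec[user])
        for line in why.get(user, []):
            print("   ", line)
```

In production the `seen` baseline would be persisted per user and the burst detector would run on the authentication stream rather than a list, but the shape of the decision is the point: carol's password is never touched because bob's account was attacked.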
When You Still Need Forced Resets
There are legitimate exceptions: after a breach known to have exposed your organisation's credentials, when credentials are found exposed elsewhere, after a security incident that may have touched authentication data, or when a compliance framework demands it. PCI DSS v4.0 is the usual example: requirement 8.3.9 still calls for a 90-day change where a password is the only authentication factor, but accepts dynamic analysis of account security posture as an alternative. A leaver or a role change is not a reset case at all; the account is disabled or its access re-scoped, and any shared secrets the person knew are rotated. For routine operations, however, the evidence is clear: forced resets cause more problems than they solve.
FAQs
Does NIST still require password expiry?
No. NIST never mandated a 90-day interval; that figure came from older compliance baselines. SP 800-63B Rev 3 (2017) advised verifiers not to require periodic changes, and Rev 4 (2025) forbids it outright: passwords are changed when there is evidence of compromise, not on a predetermined schedule.
When should I actually force a password change?
Only when you have specific evidence the password was compromised: a breach of your own credential store, the password turning up in a breach corpus, a successful login that your anomaly detection ties to credential stuffing, or a security incident that may have exposed authentication data. A breach at an unrelated site where the user had an account is evidence only if the same password was reused, which is what the blocklist check is for.
What password policy should I replace expiry with?
Replace expiry with a 15-character minimum (NIST's SHOULD floor; 8 is the SHALL floor), breach checking at creation and change via HIBP or a similar API, multi-factor authentication, and anomaly detection that flags unusual login patterns from new locations or devices.