Stop rotating passwords
For years, periodic password rotation was treated as dogma: “you must change your passwords every 30/60/90 days or everything will burn”. Today, based on empirical evidence, real attack telemetry, rigorous studies, and modern frameworks, the technical consensus is clear: forcing password rotation adds little and can sometimes reduce security.
Why rotating passwords doesn’t improve security (and can make it worse)
Attackers don’t “wait” for rotation
If a password is compromised, damage occurs within minutes or hours, not 89 days later. Attackers rarely wait months to use a password. Even when immediate damage isn’t apparent, the attacker can move laterally, secure access via other credentials or service accounts, or install persistent threats.
Examples of attacks:
- Phishing → immediate access
- Malware/ransomware → long-term access or instant exfiltration
- Credential stuffing → automated, mass access
Rotating passwords every X days doesn’t prevent any of this. It’s like changing the locks quarterly after someone has already broken in.
NIST SP 800-63B (2024, updated July 2025) explicitly states:
Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.
Microsoft has also removed password expiration policies from its Windows security baseline, deeming them far less effective than multi-factor authentication (MFA) and breach monitoring.
Rotating leads to weaker passwords (“Password2025! syndrome”)
Periodic changes assume users can remember strong new secrets without taking shortcuts, but human behavior is predictable. Forcing rotation leads to patterns like:
- MyCompany2024! → MyCompany2025!
- SecurePass1 → SecurePass2
Attackers' tooling models this behavior automatically, so the rotated password is no harder to guess than the one it replaced.
Passwords may also end up written in insecure notes, physically or digitally, which is equally detrimental.
In short, forced password changes often inject low-entropy garbage into the system instead of real security, adding minimal effort for attackers while giving a false sense of protection.
Increases operational risk
Frequent password changes generate practical problems. Reset tickets spike, consuming time and resources and encouraging unsafe shortcuts: insecure notes, password reuse across systems, etc. This increases the likelihood of leaked or exploited credentials.
The friction also leads employees to bypass procedures—partial changes, weak alternatives—creating persistent risks. The reality is that most serious security incidents aren’t about cryptography or password strength, but how humans and operational processes handle passwords.
Ineffective against real-world attacks
Looking at modern attacks, password rotation is largely irrelevant.
| Attack | Rotation Helps? | Why Not |
|---|---|---|
| Phishing | ❌ No | Users voluntarily give credentials, granting immediate access. |
| Malware / Keylogger | ❌ No | Every new password gets captured again. |
| Credential stuffing | ❌ No | The issue is credential reuse. |
| Pass-the-hash | ❌ No | The attacker uses authentication hashes, not plaintext passwords. |
| Token theft | ❌ No | The session is already compromised; changing passwords may not block access. |
| Insider | ❌ No | If the threat is internal, rotation adds nothing. |
In practice, rotation only helps against extremely slow offline attacks, where an attacker tries to crack a hash over months without prior access—a rare and marginal scenario. Today’s attacks are fast, automated, and immediate, making periodic rotation always too little, too late.
So… what should we do instead of rotating passwords?
The answer isn’t a single technology, but a shift in approach: move from ritualistic controls to mechanisms that reduce human error and prevent real attacks. Instead of arbitrary rotations, strengthen identity, reduce reliance on reusable secrets, detect compromises early, and respond based on risk. Effective controls include:
Long, unique, and stable passwords
Shift from short, complex, rotated passwords to long, unique passwords or passphrases that don’t require arbitrary expiration.
Recommendations from NIST, ENISA, and Microsoft:
- Minimum 12–14 characters (16+ preferred)
- Support passphrases
- Avoid forcing arbitrary symbols
- Block known/leaked passwords
A long, unique, uncompromised passphrase doesn’t need calendar-based rotation—it only changes when there’s evidence of exposure.
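A verifier that follows these recommendations, and that also catches the “Password2025!” increments described earlier, as an added example (this is not code from the original article): length and breach checks take the place of composition rules and calendar expiry. The breach corpus, the context words, the minimum length of 14 and the function names are constructed assumptions for the demo; a real deployment would consult a full leaked-password source.

```python
from __future__ import annotations

import hashlib
import re
import unicodedata

# Constructed stand-in for a breach corpus: SHA-1 hashes of a few passwords that
# are known to be leaked. A real verifier would query a k-anonymity range API or
# a local list with millions of entries; the check itself is the same.
COMPROMISED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("Password123", "Welcome2024!", "Password2025!")
}

# Context-specific words (organisation and product names) that a verifier should
# reject; "mycompany" matches the article's own example, "acme" is constructed.
CONTEXT_WORDS = ("mycompany", "acme")

MIN_LENGTH = 14   # the article recommends 12-14, with 16+ preferred
MAX_LENGTH = 128  # long passphrases must be accepted, not truncated


def _normalize(pw: str) -> str:
    # Unicode normalisation so the same passphrase typed on different
    # keyboards compares equal and is hashed identically.
    return unicodedata.normalize("NFKC", pw)


def _core(pw: str) -> str:
    # The "memorable" part of a password: strip trailing digits and symbols,
    # which is exactly what users increment under forced rotation.
    return re.sub(r"[\d\W_]+$", "", pw).casefold()


def is_trivial_variation(new: str, old: str) -> bool:
    """True when `new` is the old password with only the trailing number or
    symbol changed (MyCompany2024! -> MyCompany2025!, SecurePass1 -> SecurePass2)."""
    if new.casefold() == old.casefold():
        return True
    core_new, core_old = _core(new), _core(old)
    return bool(core_new) and core_new == core_old


def evaluate_password(candidate: str, previous: str | None = None) -> list[str]:
    """Return the reasons a candidate is rejected; an empty list means accepted.
    Deliberately applies no composition rules (no symbol or uppercase quotas) and
    no expiry, per NIST SP 800-63B: length, breach status and context matter."""
    pw = _normalize(candidate)
    reasons: list[str] = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    if hashlib.sha1(pw.encode("utf-8")).hexdigest().upper() in COMPROMISED_SHA1:
        reasons.append("appears in breach corpus")
    folded = pw.casefold()
    for word in CONTEXT_WORDS:
        if word in folded:
            reasons.append(f"contains context-specific word '{word}'")
    if re.fullmatch(r"(.)\1+", pw) or re.fullmatch(r"\d+", pw):
        reasons.append("repeated character or all digits")
    if previous is not None and is_trivial_variation(pw, _normalize(previous)):
        reasons.append("trivial variation of the previous password")
    return reasons


if __name__ == "__main__":
    for cand, prev in (
        ("correct horse battery staple", None),        # long passphrase, no symbols needed
        ("Password2025!", None),                       # short and in the breach corpus
        ("MyCompany2025!", "MyCompany2024!"),          # the rotation pattern from the article
        ("winter-garden-2025!", "winter-garden-2024!"),
    ):
        print(f"{cand!r:32} -> {evaluate_password(cand, prev) or 'accepted'}")
```

The previous-password comparison only runs when a change is actually happening (evidence of compromise, per the quoted NIST text), and it needs the old secret only at that moment, as supplied by the user in the change form.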
Multifactor Authentication (MFA), but not just any
The use of strong MFA is today the single most impactful measure against credential-based attacks, but only if implemented correctly. Simply having MFA to check a compliance box is not enough: not all MFA provides the same level of protection. Weaker mechanisms, such as SMS, are exposed to SIM swap attacks, structural protocol vulnerabilities, and real-time phishing; even some reusable OTP schemes without a strong binding to the device or session can be intercepted or replayed by malware. In these cases, the second factor exists, but its ability to stop a determined attacker is limited.
Well-implemented MFA drastically increases the cost of an attack. Solutions like TOTP via apps, push notifications with number matching, user- or device-bound certificates, and especially FIDO2 hardware keys significantly reduce the effectiveness of phishing and credential stuffing.
The highest level is achieved with phishing-resistant MFA, such as FIDO2/WebAuthn, passkeys, or smart cards, where there is no reusable secret that a user could accidentally give away, and where authentication is cryptographically bound to the legitimate origin of the service.
Microsoft has demonstrated that MFA blocks over 99% of credential-based attacks. In this context, periodic password rotation proves to be a low-impact control that does not prevent real attacks and persists only out of inertia.
In summary:
Weak:
- SMS
- Reusable OTP without binding
Good:
- TOTP (apps)
- Push notifications with number matching
- Certificates
- Hardware keys (FIDO2)
Excellent (phishing-resistant MFA):
- FIDO2 / WebAuthn
- Passkeys
- Smart Cards
Modern Authentication: Passwordless
The future and present of authentication is not about building better passwords, but eliminating the password as a risk vector, which is what we call passwordless.
Instead of relying on secrets that can be stolen, reused, or guessed, cryptographic mechanisms are used that are uniquely tied to the user and the device. Today, there are several mature implementations of this idea: FIDO2-based passkeys combined with local biometrics, device-issued certificates, smart cards or hardware keys like YubiKeys, and solutions integrated into corporate environments such as Windows Hello for Business.
These mechanisms offer several advantages: there are no reusable secrets, they are not vulnerable to attacks like phishing or credential stuffing, and there is no rotation (with all the friction that entails for users and administrators).
Implementing passwordless authentication eliminates entire classes of attacks, not just makes them a bit harder.
Compromise detection and reactive rotation
Calendar-based rotation is useless; but event-based rotation is effective.
Events that justify immediate rotation:
- Confirmed phishing
- Device malware
- Anomalous login
- Token theft
- Third-party breach
- Detected credential leak
Detection requires identity management (IAM) with telemetry, UEBA, conditional access, and real-time alerts. This enables secure, signal-driven identity management.
Zero Trust, Adaptive Controls
We can talk a lot about the Zero Trust model, which is very interesting and a robust way to protect our systems, but in this article, I want to focus on one of its pillars: identity. This model redefines security around the premise that you should never blindly trust an identity, even if it has been correctly authenticated. In this approach, identity becomes one of several trust indicators, evaluated in real time based on multiple factors: who the user is, which device they are using, from what location they are trying to access, the associated risk level, the operation context, and the historical behavior of that identity. Each access attempt is dynamically analyzed and a decision is made on what measures to apply, creating an adaptive system that responds to risk rather than applying static rules.
By evaluating user, device, location, risk, context, and behavior, decisions are made tailored to the situation, such as: applying MFA only if there is risk, blocking a device if it is out of compliance with security policies (e.g., outdated or compromised), re-authentication when the context changes, or step-up authentication for sensitive operations, among other possibilities.
The password is not the main barrier; it is just another signal combined with other factors to assess the legitimacy of access. This dramatically reduces exposure to attacks based on compromised credentials, which, together with securing the other pillars of Zero Trust (in addition to Identity: Device, Network, Application, and Data), provides a truly robust security posture.
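The two preceding sections describe signal-driven identity management in prose; this added example (not code from the article) models it in working code: a compromise event from the list above forces a credential reset and revokes live sessions, and each access request is evaluated against device compliance, location, risk, operation sensitivity and the MFA already satisfied, yielding allow, require MFA, step up, or block. The 0-100 risk scale, the event names, the thresholds (40 and 80) and the MFA method labels are assumptions chosen for the example.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum

# Events the article lists as justifying immediate, reactive rotation (labels assumed).
COMPROMISE_EVENTS = {
    "phishing_confirmed", "device_malware", "anomalous_login",
    "token_theft", "third_party_breach", "credential_leak",
}

# MFA methods by the article's tiers. SMS is deliberately absent, so it never
# satisfies an MFA requirement on its own.
PHISHING_RESISTANT = {"fido2", "passkey", "smart_card"}
ACCEPTED_MFA = {"totp", "push_number_match", "certificate"} | PHISHING_RESISTANT


class Decision(Enum):
    ALLOW = "allow"
    REQUIRE_MFA = "require_mfa"
    STEP_UP = "step_up_phishing_resistant"
    BLOCK = "block"


@dataclass
class Identity:
    user: str
    known_locations: set[str] = field(default_factory=set)   # behavioural baseline
    sessions: set[str] = field(default_factory=set)          # live session/token ids
    reset_required: bool = False
    reset_reason: str | None = None


@dataclass
class AccessRequest:
    user: str
    device_compliant: bool
    location: str
    risk_score: int                 # 0-100 as produced by an IdP risk engine (assumed scale)
    sensitive_operation: bool
    mfa_method: str | None = None   # method already satisfied in this session, if any


def handle_compromise_event(identity: Identity, event: str) -> bool:
    """Event-based rotation. Returns True if the event forced a reset. A password
    change alone does not invalidate stolen tokens, so sessions are revoked too."""
    if event not in COMPROMISE_EVENTS:
        return False                 # a calendar date is not evidence of compromise
    identity.reset_required = True
    identity.reset_reason = event
    identity.sessions.clear()
    return True


def evaluate_access(identity: Identity, req: AccessRequest) -> Decision:
    """Adaptive decision from the signals the article lists: user, device,
    location, risk, context (sensitivity) and behaviour (known locations)."""
    if identity.reset_required:
        return Decision.BLOCK        # credentials must be reset first
    if not req.device_compliant:
        return Decision.BLOCK        # outdated or compromised device
    if req.risk_score >= 80:
        return Decision.BLOCK
    if req.sensitive_operation:
        # Step up to phishing-resistant MFA regardless of what was used at login.
        return Decision.ALLOW if req.mfa_method in PHISHING_RESISTANT else Decision.STEP_UP
    unfamiliar_location = req.location not in identity.known_locations
    if unfamiliar_location or req.risk_score >= 40:
        # MFA only when there is risk; a weak method does not satisfy it.
        return Decision.ALLOW if req.mfa_method in ACCEPTED_MFA else Decision.REQUIRE_MFA
    return Decision.ALLOW


if __name__ == "__main__":
    alice = Identity("alice", known_locations={"Madrid"}, sessions={"sess-1"})
    for req in (
        AccessRequest("alice", True, "Madrid", 10, False),
        AccessRequest("alice", True, "Lagos", 10, False, "sms"),
        AccessRequest("alice", True, "Madrid", 10, True, "totp"),
    ):
        print(req.location, req.mfa_method, "->", evaluate_access(alice, req).value)
    handle_compromise_event(alice, "token_theft")
    print("after token theft ->",
          evaluate_access(alice, AccessRequest("alice", True, "Madrid", 10, False)).value)
```

The ordering of the checks is the design point: evidence of compromise and device posture are evaluated before anything the user can present, and the password never appears as an input at all; it is assumed to have been checked at login and carries no weight in the decision.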
And in PAM? That’s where we do rotate, but it must be done right
There is an important exception to what was mentioned above: in the context of Privileged Access Management (PAM), credential rotation does make sense, but it must be applied in a strictly controlled and automated way, because here we are dealing with privileged accounts, not regular human users. In these cases, secrets—whether passwords, API keys, or certificates—are rotated automatically, frequently, and without administrators or human users knowing them. This prevents accidental or malicious exposure of critical credentials and ensures that privileged access does not depend on human memory or behavior.
A well-implemented PAM system includes several key practices: a centralized vault to store and manage secrets, post-use credential rotation so that each session generates a new secret, check-in/check-out processes to control who accesses what and when (ideally including verification/approval workflows), session recording for auditing actions, and Just-In-Time (JIT) access to grant privileges only for the necessary time.
This does not contradict the above: it works in parallel with human user identity management, which should rely on controls providing a strong identity, while machines or privileged accounts operate with ephemeral secrets, minimizing the specific risks of these accounts.
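As an added example (not code from the article or from any PAM product), a minimal vault that applies the practices just listed: CSPRNG-generated secrets nobody memorises, check-out gated by a second person's approval, post-use rotation, JIT expiry and an audit trail. The in-memory TARGET_SYSTEMS dictionary stands in for the connector that would push the new secret to the database, directory or cloud API; the account name, TTL and approval rule are constructed.

```python
from __future__ import annotations

import secrets
import string
from dataclasses import dataclass

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_=+"

# Constructed stand-in for the target systems the vault pushes new secrets to.
TARGET_SYSTEMS: dict[str, str] = {}


def push_to_target(account: str, new_secret: str) -> None:
    TARGET_SYSTEMS[account] = new_secret


def generate_secret(length: int = 32) -> str:
    # Generated by a CSPRNG; no human types or remembers it, so length costs nothing.
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


@dataclass
class Checkout:
    account: str
    requester: str
    secret: str
    expires_at: int   # unix time at which JIT access ends


class PrivilegedVault:
    """Toy PAM vault: secrets exist only in the vault and on the target system,
    are released through an approved, time-boxed check-out, and are rotated
    as soon as the check-out ends (check-in or expiry)."""

    def __init__(self, push_fn=push_to_target):
        self._secrets: dict[str, str] = {}
        self._active: dict[str, Checkout] = {}
        self._push = push_fn
        self.audit: list[tuple[int, str, str, str]] = []   # (time, account, action, detail)

    def onboard(self, account: str, now: int) -> None:
        self._rotate(account, now, "onboard")

    def _rotate(self, account: str, now: int, reason: str) -> None:
        new = generate_secret()
        self._push(account, new)        # target first, then vault: if the push fails the
        self._secrets[account] = new    # vault never holds a secret the target lacks
        self.audit.append((now, account, "rotate", reason))

    def checkout(self, account: str, requester: str, approved_by: str,
                 now: int, ttl: int = 900) -> Checkout:
        if account in self._active:
            raise PermissionError(f"{account} is already checked out")
        if not approved_by or approved_by == requester:
            raise PermissionError("approval must come from someone other than the requester")
        co = Checkout(account, requester, self._secrets[account], now + ttl)
        self._active[account] = co
        self.audit.append((now, account, "checkout", f"{requester} approved by {approved_by}"))
        return co

    def checkin(self, account: str, now: int) -> None:
        co = self._active.pop(account)
        self.audit.append((now, account, "checkin", co.requester))
        self._rotate(account, now, "post-use")   # the released secret stops working here

    def expire(self, now: int) -> list[str]:
        """JIT enforcement: check in and rotate every check-out whose window has elapsed."""
        expired = [a for a, co in self._active.items() if now >= co.expires_at]
        for account in expired:
            self.audit.append((now, account, "expired", self._active[account].requester))
            self.checkin(account, now)
        return expired

    def is_valid(self, account: str, secret: str) -> bool:
        return secrets.compare_digest(self._secrets[account], secret)


if __name__ == "__main__":
    vault = PrivilegedVault()
    vault.onboard("svc-db-admin", now=1000)
    co = vault.checkout("svc-db-admin", "alice", approved_by="bob", now=1000, ttl=300)
    vault.expire(now=1400)                                   # window elapsed: check-in + rotate
    print("old secret still valid:", vault.is_valid("svc-db-admin", co.secret))
    for entry in vault.audit:
        print(entry)
```

Rotation here is frequent but never calendar-driven: it is triggered by use, which is exactly the distinction the section draws between privileged machine credentials and the passwords of human users.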
In summary, periodic password rotation is no longer an effective measure: it does not stop modern attacks, creates weak passwords due to human behavior, generates unnecessary operational load, and provides a false sense of security. Strategies that truly enhance protection are those that address real risk: using long, unique passphrases, implementing strong, phishing-resistant MFA, moving toward passwordless authentication, monitoring and detecting compromises in real time, applying credential rotation only when there is evidence of exposure, adopting a Zero Trust approach, and properly managing privileged access through a solid PAM platform. If your policy is still focused on changing passwords on a calendar, you are not protecting your organization—just maintaining a ritual that reassures but offers no real security.