Does password expiry provide any benefit at all (when using randomly generated passwords)?

90 days is more than enough to profit from stolen credentials (however strong they are). Moreover, most passwords will vary only by a digit or two when changed, so even a password older than 90 days will allow an attacker to guess the new one fairly easily.

If your passwords are strong (randomly generated by password managers) and one still managed to leak and find its way into the hands of an attacker, the solution is to fix the source of the leak, not to blindly update the passwords. Changing the passwords will not prevent new passwords from leaking in the same way. It would be wiser to prevent password guessing attempts and to try detecting abnormal authentications. Using proper 2FA could also better mitigate password leaks.

At the same time, this policy pushes the users to make passwords easier to remember, thus easier to guess by an attacker. All things considered, the policy mandating to update the passwords regularly weakens the overall security provided by the password protection. That is why Microsoft is planning to remove this policy from Windows 10 starting with the May 2019 update. NIST also recommends against its usage for passwords that need to be remembered.
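The answer above recommends blocking password guessing attempts and detecting abnormal authentications instead of relying on expiry. The following is an added example (not part of the answer, and not code from any product named on the page) that runs two such detections over a handful of constructed authentication log lines: a burst of failures for one account from one source within a short window, and a successful login from a source that account has never used before. The log format, the field names and the thresholds are all assumptions for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not captured from a real system). Assumed format:
# "<ISO timestamp> <user> <source-ip> <success|failure>"
SAMPLE_LOG = """\
2019-05-01T09:00:00 alice 203.0.113.10 success
2019-05-01T09:01:00 bob 198.51.100.7 failure
2019-05-01T09:01:05 bob 198.51.100.7 failure
2019-05-01T09:01:10 bob 198.51.100.7 failure
2019-05-01T09:01:15 bob 198.51.100.7 failure
2019-05-01T09:01:20 bob 198.51.100.7 failure
2019-05-01T09:01:25 bob 198.51.100.7 success
2019-05-02T22:30:00 alice 192.0.2.200 success
2019-05-03T09:00:00 alice 203.0.113.10 success
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (success|failure)$")


def parse_log(text):
    """Parse log lines into (timestamp, user, ip, result) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, user, ip, result = m.groups()
        events.append((datetime.fromisoformat(ts), user, ip, result))
    return events


def detect_anomalies(events, max_failures=5, window=timedelta(minutes=5)):
    """Return alerts as (timestamp, user, kind, detail) tuples.

    Two heuristics (thresholds are assumptions for the example):
      * "guessing": at least max_failures failed logins for the same
        (user, source) pair inside a sliding time window;
      * "new-source": a successful login from a source never seen succeed
        for that user before, which is the case a stolen-but-strong
        password produces (no failures, just a login from somewhere new).
    """
    alerts = []
    recent_failures = defaultdict(deque)  # (user, ip) -> recent failure timestamps
    known_ips = defaultdict(set)          # user -> sources with a prior successful login
    flagged = set()                       # (user, ip) pairs that crossed the threshold

    for ts, user, ip, result in sorted(events):
        key = (user, ip)
        if result == "failure":
            q = recent_failures[key]
            q.append(ts)
            # Drop failures that fell out of the sliding window.
            while q and ts - q[0] > window:
                q.popleft()
            if len(q) >= max_failures and key not in flagged:
                flagged.add(key)
                alerts.append((ts, user, "guessing",
                               f"{len(q)} failures from {ip} within {window}"))
        else:
            if key in flagged:
                alerts.append((ts, user, "success-after-guessing",
                               f"successful login from {ip} after failure burst"))
            if known_ips[user] and ip not in known_ips[user]:
                alerts.append((ts, user, "new-source",
                               f"first successful login from {ip}"))
            known_ips[user].add(ip)
    return alerts


if __name__ == "__main__":
    for ts, user, kind, detail in detect_anomalies(parse_log(SAMPLE_LOG)):
        print(f"{ts.isoformat()} {user:<6} {kind:<24} {detail}")
```

On the constructed sample this yields three alerts: the failure burst against `bob`, the success that immediately follows it, and `alice`'s first login from an unseen address. The first two are what a guessing limit is meant to catch; the third is the one relevant to the answer's point about leaked strong passwords, since an attacker holding the real password never trips a failure counter. The `known_ips` baseline is learned from the log itself here, so in practice it would be seeded from a longer history and combined with other signals (time of day, device, geography) before it is treated as more than a hint.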


Yes, there is still a benefit to changing passwords every 90 days. Forcing regular changes provides some protection against the unauthorized use of passwords or limits the duration of unauthorized use. There are better alternatives for achieving these same goals (e.g. detecting abnormal use, risk-based authentication, etc.), but you didn't ask to compare password expiration to these alternatives.

Using strong, randomly generated passwords does reduce the risk of password abuse by making it unlikely the associated accounts will be breached due to password guessing, credential stuffing, or password cracking attacks. However, there still remain other avenues for an attacker to obtain user passwords, including malware, authentication server compromise, password manager flaws, or the user purposefully sharing their password with others. The strength and uniqueness of the password don't protect against these attacks. A. Hersean says to focus on fixing these leaks, which is good advice, but it is easier said than done.

If an attacker does compromise a user password they will have limited time to use that password if an expiration policy is in place. During that window of opportunity they may be able to complete any malicious actions they intend, or they might be able to escalate their attack and create an ongoing backdoor for access that does not rely on the original user's password. These situations don't really benefit from password expiration. But there are other situations where an attacker isn't able to escalate their attack and needs continued use of the password to maintain access. These are the situations where password expiration helps.

What is hard to quantify is how rare these situations are and in how many of those situations password expiration would either prevent or reduce the duration of attacks. So it becomes a rough cost-benefit analysis where you'd need to understand the costs of maintaining a password expiration policy. If you can completely automate regular password updates (some password managers might make this possible) and it is transparent to users, then it seems like it provides value, even if the benefits are rare. If you can't automate password changes, then it might not provide enough benefit to justify the time costs to users. In this case I would focus on alternatives to password expiration that can help detect and prevent password compromise.

Additionally, if you can completely automate regular password changes you should consider enforcing changes that take place more frequently than once every 90 days. This should increase the benefits of expiration by further reducing the risk of password compromises.