Why You May Not Need Password Expiration

Written by Zach DeMeyer on June 28, 2019

Share This Article

Password expiration and the associated rotation of passwords have been a long-standing pillar of identity management in IT. But, with modern innovations, there are good reasons why you may not need password expiration.

Of course, we should be clear that this isn’t a blanket statement for all organizations. For some organizations, rotating passwords may be the right thing to do and even required by their auditors. But, there is also new research and guidelines that suggest that expiring passwords after a certain amount of time may not be as beneficial as once thought.

Why Rotate Passwords?

Centrally, the impetus behind password expiration is that some end users leverage the same passwords for a number of different places and resources, and even share passwords among themselves. Repeated and shared passwords are frequent problems in organizations, and if said passwords were to be compromised, the consequences could be dire indeed

The argument is that, by rotating the password, even if some other site has been compromised, it won’t compromise the organization. Password rotation also creates a disincentive to share passwords with other users because those passwords would soon expire. But, in today’s IT landscape, challenges to this traditional idea are cropping up. 

Password Rotation Today

With advancements in modern IT, more users are becoming savvy about protecting their passwords. The use of password managers has helped reduce the frequency of shared passwords or the same password being used in multiple places. Password managers can automatically generate complex passwords and store them so users don’t need to remember them or write them down where they can be compromised. 

And, perhaps one of the most critical advancements in protecting passwords has been the use of two- or multi-factor authentication (2FA or MFA, respectively) in many places. Even if a password has been compromised, the user would need to determine the second factor, often time-based or otherwise represented by physical means, to authenticate into the IT resource. This extra hurdle is a steep one for hackers, as Symantec has found that 85% of breaches could have been prevented using 2FA.

Password Rotation in Enterprises

The National Institute of Standards and Technology (NIST) and other major organizations such as Microsoft® have taken note and are changing their perspective on password rotation. NIST’s recent guidance no longer advocates for password rotation. Microsoft reportedly has eliminated password expiration/rotation on their internal accounts, and are moving to do so for all Windows® 10 accounts as well.

Whether or not you choose to pay heed to NIST is ultimately up to you. Like we said before, many organizations still require password expiration/rotation to comply with their own security protocols or compliance regulations. 

A Solution for Password Expiration/Rotation

The good news is whether you would like to rotate passwords regularly or not, the JumpCloud® Directory-as-a-Service® platform can centralize control over user access across your organization. With JumpCloud, IT admins can enable their users to use a single identity to access virtually all of their IT resources. From systems and networks to applications, infrastructure, and more, JumpCloud manages access to it all, regardless of location, protocol, platform, or provider.

JumpCloud’s password complexity configuration feature allows admins to control the level of complexity for their organization’s passwords, as well as if and when those passwords should expire/need to be rotated. So, no matter whether you need password expiration or not, you can still tightly control your users’ identities with JumpCloud.

Try JumpCloud for Free

Directory-as-a-Service is available absolutely free for the first ten users in any organization. You can sign up for JumpCloud and start leveraging the entire Directory-as-a-Service platform for free today. You can use your free ten users to either manage your entire SMB or sandbox your enterprise environment before you buy.

If you would like more information on password expiration and JumpCloud as a whole, please contact us. We would be happy to share with you.

Zach DeMeyer

Zach is a Product Marketing Specialist at JumpCloud with a degree in Mechanical Engineering from the Colorado School of Mines. He loves being on the cutting edge of new technology, and when he's not working, he enjoys all things outdoors, music, and soccer.

Continue Learning with our Newsletter