Password Security at Work: What IT Doesn't Tell You

Corporate password policies are designed by security teams trying to balance security requirements with the practical needs of employees who aren't primarily thinking about security in their daily work. The result is a set of policies that often create security problems while appearing to solve them — and employees who work around the policies in ways that undermine the goal entirely.

The Forced Rotation Problem

Forcing a password change every 90 days looks sensible: it bounds the window in which a stolen credential stays useful. NIST moved away from mandatory rotation in 2017 for a data-backed reason: forced rotation produces predictable behavior. Users increment rather than replace, so "CorpPassword2023!" becomes "CorpPassword2024!" at the next prompt, and an attacker holding the old password needs a handful of guesses to recover the new one. The rotation has cost the user effort and gained nothing. The window argument is weak as well: stolen credentials are often used within days of the theft, long before a quarterly reset would revoke them, which is why the sensible trigger for a change is evidence of compromise rather than the calendar.

NIST SP 800-63B, which many compliance frameworks reference for authenticator requirements, says verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (for example, periodically) and SHALL force a change when there is evidence the secret has been compromised. Scheduled resets add helpdesk load and drive users toward incremented or written-down passwords, with no measured improvement in the outcome they are meant to protect.

Complexity Requirements and Their Unexpected Effects

Requiring an uppercase letter, a lowercase letter, a digit and a symbol produces a cascade of predictable habits: capitalize the first letter, keep the rest lowercase, append a number (usually a year), finish with an exclamation mark. Most passwords in an organization then share a handful of shapes, and an attacker cracking leaked hashes does not search the full character space; a mask or rule attack targets those shapes and exhausts them in a tiny fraction of the nominal keyspace. The effective entropy is far below that of a random password of the same length and character set, even though every password technically satisfies the policy.
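To put numbers on that gap, here is an added example (not code from the original article or from any tool it mentions) that infers the character-class shape of a password and compares the keyspace an attacker needs for that shape against the keyspace the policy nominally grants. The charset names follow hashcat's mask convention purely for readability; the sizes are the standard printable-ASCII counts. Note that the rotated variant "Corporate2025!" has exactly the same shape as "Corporate2024!", so the same mask covers both.

```python
import math
import string

# Character classes, named after hashcat's built-in mask charsets (an assumed
# convention chosen for readability; sizes are the standard printable-ASCII
# counts: 26 + 26 + 10 + 33 = 95).
CHARSETS = {
    "?l": string.ascii_lowercase,
    "?u": string.ascii_uppercase,
    "?d": string.digits,
    "?s": " " + string.punctuation,
}
PRINTABLE = sum(len(c) for c in CHARSETS.values())  # 95


def infer_mask(password: str) -> str:
    """Replace each character by its class, giving the shape an attacker's
    mask attack would need to cover this password."""
    mask = []
    for ch in password:
        for name, chars in CHARSETS.items():
            if ch in chars:
                mask.append(name)
                break
        else:
            raise ValueError(f"unsupported character: {ch!r}")
    return "".join(mask)


def mask_keyspace(mask: str) -> int:
    """Candidates an attacker must try to exhaust a mask."""
    tokens = [mask[i:i + 2] for i in range(0, len(mask), 2)]
    space = 1
    for tok in tokens:
        space *= len(CHARSETS[tok])
    return space


def nominal_keyspace(length: int) -> int:
    """Candidates for a uniformly random password of this length."""
    return PRINTABLE ** length


def bits(keyspace: int) -> float:
    """Keyspace expressed as bits of entropy."""
    return math.log2(keyspace)


def compare(password: str) -> dict:
    """Entropy the policy appears to grant versus what the shape leaks."""
    mask = infer_mask(password)
    pattern = bits(mask_keyspace(mask))
    nominal = bits(nominal_keyspace(len(password)))
    return {
        "mask": mask,
        "pattern_bits": round(pattern, 2),
        "nominal_bits": round(nominal, 2),
        # how many times fewer candidates the shape-aware attacker tries
        "shortcut_factor": round(2 ** (nominal - pattern)),
    }


if __name__ == "__main__":
    for pw in ("Corporate2024!", "Corporate2025!", "Welcome1!"):
        print(pw, compare(pw))
```

For the 14-character "Corporate2024!" the policy-compliant shape is worth about 61 bits, while 14 random printable characters would be about 92 bits: the attacker who guesses the shape tries roughly 2.7 billion times fewer candidates, and the yearly rotation changes nothing about that.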

What Actually Works

From a security perspective, the controls with evidence behind them are: length (a minimum of 15 characters, with a generous maximum so passphrases fit), uniqueness across systems (in practice this means a password manager, since nobody remembers dozens of unique secrets), checking candidate passwords against lists of those known to appear in breach corpora, both when the password is set and again as new breaches surface, and multi-factor authentication: an authenticator app at minimum, and phishing-resistant hardware keys (FIDO2/WebAuthn) for high-value accounts. Character-class complexity and rotation schedules largely lack such evidence.
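What a verifier that follows these controls looks like, as an added example rather than code from the original article: it enforces a length floor and ceiling, applies no composition rules, rejects passwords that contain the username or service name, and checks against a breach corpus using the same prefix-bucket (k-anonymity) lookup that range-query services use, so a client only ever reveals the first five hex characters of the SHA-1 hash. The breach corpus here is a constructed six-entry stand-in for the real hundreds of millions of entries; the function names and thresholds are assumptions for illustration.

```python
import hashlib
import unicodedata

MIN_LENGTH = 15   # the floor the article recommends
MAX_LENGTH = 64   # generous ceiling so long passphrases are not truncated

# Constructed stand-in for a breach corpus (a real one such as Pwned Passwords
# has hundreds of millions of entries). It is stored as SHA-1 buckets keyed by
# the first five hex characters, mirroring a k-anonymity range lookup: the
# client sends only the prefix and compares suffixes locally.
_BREACHED_SAMPLES = [
    "Password123!", "CorpPassword2023!", "CorpPassword2024!",
    "Summer2024!", "Welcome1!", "correct horse battery staple",
]


def _sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


BREACH_BUCKETS: dict[str, set[str]] = {}
for _pw in _BREACHED_SAMPLES:
    _h = _sha1_hex(_pw)
    BREACH_BUCKETS.setdefault(_h[:5], set()).add(_h[5:])


def is_breached(password: str) -> bool:
    """Range-style lookup: fetch the bucket for the 5-char prefix, then check
    whether our suffix is in it. The full hash never leaves the client."""
    digest = _sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return suffix in BREACH_BUCKETS.get(prefix, set())


def normalize(password: str) -> str:
    """NFKC so visually identical Unicode input hashes identically; spaces
    inside the secret are kept, since passphrases are encouraged."""
    return unicodedata.normalize("NFKC", password)


def check_password(password: str, username: str = "", service: str = "") -> list[str]:
    """Return the reasons a candidate is rejected; an empty list means accept.
    No character-class rules: a long all-lowercase passphrase is fine."""
    pw = normalize(password)
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    lowered = pw.lower()
    for ctx in (username, service):
        if ctx and len(ctx) >= 3 and ctx.lower() in lowered:
            reasons.append(f"contains context-specific word {ctx!r}")
    if len(set(lowered)) <= 2:
        reasons.append("repetitive")          # e.g. "aaaaaaaaaaaaaaaa"
    if is_breached(pw):
        reasons.append("appears in breach corpus")
    return reasons


if __name__ == "__main__":
    for candidate, svc in (("Tr0ub4dor&3", ""),
                           ("correct horse battery staple", ""),
                           ("CorpPassword2024!", ""),
                           ("acmecorp welcomes you today", "AcmeCorp"),
                           ("mauve otter ledger 42 kayak", "")):
        print(f"{candidate!r}: {check_password(candidate, service=svc) or 'accepted'}")
```

Two things the run makes visible: "correct horse battery staple" is 28 characters and still rejected, because length does not rescue a phrase everyone knows, and "CorpPassword2024!" satisfies every classic complexity rule yet is rejected because it is in the corpus. The breach check should run again periodically against updated buckets, since a password that was clean when set can appear in a later dump.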

Generate truly strong passwords for your work accounts at PasswordUtils — configurable for any organizational requirement.