We read it in a publication by the United Kingdom government's National Technical Authority for Information Assurance (CESG), an institution that regularly publishes guidance on security issues in the digital world: forcing users to change their passwords every 30, 60 or 90 days, as many organisations do, is not a good idea.
In the article, the CESG states the problem simply: people do not have enough memory to keep remembering different, complex passwords, so when they are required to update them frequently they end up creating weaker passwords that are easier to guess. It has often been found that the new passwords are variations of the old one, so if any of the old ones is known, the new one is easy to discover.
Regular password expiration as a security policy is therefore not something that institution recommends. They have shown that the new password has often been used elsewhere as well, which attackers can also take advantage of, and there are other factors: a password created under compulsion ends up being easier to type, and also easier to forget.
This is the conclusion of a study on the long-term effect of this type of policy: passwords become weaker over time because of how often they are refreshed.
What they recommend instead is investing in system monitoring tools that show users information about the latest access attempt, something already common at Google, Facebook and other Internet giants.
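As an added illustration of that recommendation (example code, not from the CESG article or any vendor), the following builds the "last access" notice a login screen could show a user from their prior authentication events; the event fields and sample data are hypothetical and constructed here.

```python
# Added example (hypothetical event shape, not CESG's or any vendor's code).
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional
@dataclass
class AuthEvent:
    user: str
    when: datetime
    source_ip: str
    success: bool
@dataclass
class LastAccessSummary:
    last_success: Optional[AuthEvent]  # most recent successful login before this one
    failed_since: int                  # failed attempts after that login
    failed_sources: List[str]          # distinct source IPs of those failures, in order seen
def summarize_last_access(prior_events: List[AuthEvent], user: str) -> LastAccessSummary:
    # Only the user's own history, up to (not including) the login now in progress.
    mine = sorted((e for e in prior_events if e.user == user), key=lambda e: e.when)
    last_success: Optional[AuthEvent] = None
    failed: List[AuthEvent] = []
    for e in mine:
        if e.success:
            last_success, failed = e, []  # failures before a later success are not reported
        else:
            failed.append(e)
    sources: List[str] = []
    for e in failed:
        if e.source_ip not in sources:
            sources.append(e.source_ip)
    return LastAccessSummary(last_success, len(failed), sources)
def format_notice(summary: LastAccessSummary) -> str:
    # The text a login screen would show the user after a successful authentication.
    if summary.last_success is None:
        text = "This is the first recorded login for this account."
    else:
        s = summary.last_success
        text = f"Last successful login: {s.when:%Y-%m-%d %H:%M} from {s.source_ip}."
    if summary.failed_since:
        text += (f" {summary.failed_since} failed attempt(s) since then from "
                 f"{', '.join(summary.failed_sources)}.")
    return text
# Constructed sample events (not real log data); the 2024-02-28 failure predates the last success.
SAMPLE_EVENTS = [
    AuthEvent("alice", datetime(2024, 2, 28, 18, 5), "192.0.2.5", False),
    AuthEvent("alice", datetime(2024, 3, 1, 9, 0), "203.0.113.10", True),
    AuthEvent("alice", datetime(2024, 3, 2, 2, 14), "198.51.100.7", False),
    AuthEvent("alice", datetime(2024, 3, 2, 2, 15), "198.51.100.7", False),
    AuthEvent("alice", datetime(2024, 3, 2, 2, 40), "192.0.2.5", False),
]
```

Calling `format_notice(summarize_last_access(SAMPLE_EVENTS, "alice"))` gives the user a single line with their previous login and the three failures seen since it, which is the kind of signal that lets them notice misuse without any forced password change.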