Why does my organization make us change our password every 90 days?

The company I work for makes us change our password every 90 days. I know this is commonplace for many organizations, but I'm trying to find out if there is a specific vulnerability that it's designed to counter. Or is it just good practice to be done?

I know it's a general security question but it's better to be safe than sorry.

Answer Wiki


All of the above. Any and all accounts in any company have access to data, making you vulnerable to having data stolen from you through your account. Once someone has access to your account, then they can see that information. If the company has a data breach (and a lot of them have), they will start looking for user accounts that have accessed that data and how it was accessed. That encrypted password is the key to that data. Poor passwords and poor password control account for a huge amount of data breaches that occur both from inside the company and from the outside.

Discuss This Question: 1 Reply

  • Kevin Beaver
    I've found that, by and large, password changes that are required this often are based on old-school thinking about how long it takes to crack a password. We have so many other security issues impacting us today that forcing users to change their passwords merely adds to the network complexity that ends up creating more business risk.

    Why not require users to create long/strong passphrases and then only change them every year or so, or if a breach is suspected?

    You see, though, there's a strong political factor at play here. Users don't want to have to create and remember long passwords. And management doesn't want to hear about it, therefore IT doesn't press the issue. Thus the heads-in-sand cycle of "if we can't make them (or teach them to) use resilient passphrases, then we'll just require password changes every 30-90 days." continues...

    It's backwards and it's bad for business.

    Password change requirements should be based on risk such as known compromises rather than unproven "best practices".

    We keep addressing this issue, yet nothing changes. Passwords are still one of the greatest security risks we face - we see it in the data breach reports year after year after year.
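To make the difference between the two approaches in this thread concrete, here is an added example (not code from the thread or from any participant) that evaluates the same set of constructed accounts under a calendar-only 90-day rule and under a risk-based rule that triggers on suspected compromise, short passphrases, or a much longer maximum age. The thresholds, account records and field names are assumptions chosen for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical policy parameters (assumptions, not values from the thread).
FIXED_ROTATION_DAYS = 90          # the calendar-based "old-school" rule
RISK_MAX_AGE_DAYS = 365           # "every year or so" under the risk-based rule
MIN_PASSPHRASE_LEN = 16           # what this example treats as a long passphrase


@dataclass
class Account:
    user: str
    passphrase_len: int           # only the length is recorded, never the secret
    last_changed: date
    compromise_suspected: bool    # e.g. the credential turned up in a breach dump


def fixed_rotation_due(acct: Account, today: date) -> bool:
    """Calendar-only rule: a change is required purely because N days passed."""
    return (today - acct.last_changed).days >= FIXED_ROTATION_DAYS


def risk_based_due(acct: Account, today: date) -> list[str]:
    """Risk-based rule: return the reasons a change is required (empty = none)."""
    reasons = []
    if acct.compromise_suspected:
        reasons.append("suspected compromise")
    if acct.passphrase_len < MIN_PASSPHRASE_LEN:
        reasons.append("passphrase shorter than %d chars" % MIN_PASSPHRASE_LEN)
    if (today - acct.last_changed).days >= RISK_MAX_AGE_DAYS:
        reasons.append("older than %d days" % RISK_MAX_AGE_DAYS)
    return reasons


def compare_policies(accounts: list[Account], today: date) -> dict:
    """Map each user to (fixed-rule verdict, risk-based reasons) for comparison."""
    return {a.user: (fixed_rotation_due(a, today), risk_based_due(a, today))
            for a in accounts}


# Constructed sample accounts for illustration only.
TODAY = date(2024, 6, 1)
SAMPLE = [
    Account("alice", 24, TODAY - timedelta(days=120), False),  # strong, no incident
    Account("bob", 8, TODAY - timedelta(days=10), False),      # short, just changed
    Account("carol", 20, TODAY - timedelta(days=30), True),    # strong but breached
]

if __name__ == "__main__":
    for user, (fixed, reasons) in compare_policies(SAMPLE, TODAY).items():
        print(user, "| 90-day rule:", fixed, "| risk-based:", reasons or "no change")
```

Note that the 90-day rule forces alice (strong passphrase, no incident) to change while leaving bob's short passphrase and carol's suspected compromise untouched; the risk-based rule does the opposite.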
