Since this one has lately been talked about within my circle and I’ve been super irritated with the password expiration notification email, I’d like to rant about this policy for a bit.
Let’s start with what this policy is all about. A Password Expiration Policy is a policy that forces users to change their password after a set number of days (usually 90; some auditors say 30). Sometimes additional requirements are enforced too, such as requiring the password to contain at least one lowercase letter, one uppercase letter, and one special character. Some systems go even further and forbid reusing the last 10 passwords.
While this security strategy is not uncommon, enforcing it actually does more harm than good (ref: 1, 2), especially for general users. If you’re working in an industry with stricter security requirements (e.g. banks [usually ones that need to follow PCI DSS certification requirements], computer security companies, etc.), it still makes sense, but for general users it does not (ref: Information Security Stack Exchange discussion).
ISO27002:2013, the guideline that companies use for ISO27001:2013 certification, actually mentions regular password rotation/expiration. But the latest standard, ISO27002:2022, actually discourages it. NIST also mentions this specifically:
Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.
— NIST SP800-63B, Section 5.1.1.
So, in a sense, this is an old standard that, as of 2022 (at least by ISO standards), is an outdated, expired practice that the general public should avoid. It does not add extra security, it annoys end-users, and it actually encourages users to append a little counter to their password, which defeats the purpose of the policy.
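To make the contrast concrete, here is an added example (my own illustration, not code from the original post or from any standard): a small password-policy module that puts the legacy "expire after 90 days" rule next to the NIST SP 800-63B 5.1.1 rule (force a change only on evidence of compromise), and adds the check a defender actually wants at change time: rejecting a new password that is just the old one with its trailing counter bumped. The `Account` record, the `compromise_evidence` flag and all sample passwords are constructed for the demo; a real system stores only a hash, and the old password is available here only because the user types it in when changing it.

```python
"""Added example: legacy expiry vs. NIST-style change policy, plus a
'counter bump' detector for user-initiated password changes.
All names and sample data are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import re


@dataclass
class Account:
    """Hypothetical account record (constructed for the demo)."""
    username: str
    password_set_at: datetime
    compromise_evidence: bool = False  # e.g. seen in a breach dump or a phishing report


def legacy_change_required(account, now, max_age_days=90):
    """Legacy rule: force a change purely because the password is 'old'."""
    return now - account.password_set_at >= timedelta(days=max_age_days)


def nist_change_required(account, now):
    """NIST SP 800-63B 5.1.1: no arbitrary periodic change; force one only when
    there is evidence the authenticator was compromised. 'now' is unused on purpose:
    age alone is not a trigger under this rule."""
    return account.compromise_evidence


# Split a password into (stem, trailing digits, trailing punctuation).
# DOTALL so the stem can contain any character; the match always succeeds
# because the last two groups may be empty.
_SPLIT = re.compile(r"(.*?)(\d*)([^\w\s]*)", re.DOTALL)


def _stem(password):
    """Strip trailing digits and trailing punctuation: 'Summer2023!' -> 'summer'."""
    return _SPLIT.fullmatch(password).group(1).lower()


def is_counter_bump(old_password, new_password):
    """True when the new password is the old one with only its trailing number
    or punctuation changed ('Welcome1' -> 'Welcome2', 'Summer23!' -> 'Summer24!').
    This is exactly the habit periodic expiry trains users into, and it leaves
    the new password trivially related to the old one."""
    return _stem(old_password) == _stem(new_password)


def review_password_change(account, old_password, new_password):
    """Decide whether to accept a user-initiated password change."""
    if new_password == old_password:
        return "reject: password unchanged"
    if is_counter_bump(old_password, new_password):
        return "reject: new password is a trivial counter increment of the old one"
    if len(new_password) < 8:  # NIST SP 800-63B minimum length for memorized secrets
        return "reject: shorter than 8 characters"
    return "accept"


if __name__ == "__main__":
    # Constructed sample account: password set on 1 Jan 2024, no compromise evidence.
    acct = Account("alice", datetime(2024, 1, 1))
    today = datetime(2024, 4, 1)  # 91 days later
    print("legacy rule forces change:", legacy_change_required(acct, today))
    print("NIST rule forces change:  ", nist_change_required(acct, today))
    print(review_password_change(acct, "Welcome1", "Welcome2"))
    print(review_password_change(acct, "Welcome1", "correct horse battery staple"))
```

The two policy functions take the same inputs so they can be swapped behind one login flow; the only behavioural difference is that `nist_change_required` ignores password age entirely and keys off the `compromise_evidence` flag, which a breach-monitoring or incident-response process would set. The counter check deliberately compares stems case-insensitively, so `Welcome1` to `welcome2` is still caught.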