Our Blog


Password FAQs

Customers ask us about passwords and we thought it would be helpful to put together a Frequently Asked Questions document to address some of the more common ones.

Q1. How often should we force users to rotate their passwords?

A1. It used to be that ‘security best practice’ dictated that users should be forced to rotate their passwords every 90 days. A significant body of research has shown this is actually causing more problems than it solves. The National Institute of Standards and Technology (NIST) is considered authoritative on cybersecurity topics and has the following to say about password rotation:

NIST Special Publication 800-63Bsection on Memorized Secret Verifiers includes,“Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.”

Further explanation of this reasoning is presented in the Frequently Asked Questions:

  • Question Q-B05 asks: “Is password expiration no longer recommended?”Answer A-B05: “Users tend to choose weaker memorized secrets when they know that they will have to change them in the near future. When those changes do occur, they often select a secret that is similar to their old, memorized secret by applying a set of common transformations such as increasing a number in the password. This practice provides a false sense of security if any of the previous secrets has been compromised since attackers can apply these same common transformations. But if there is evidence that the memorized secret has been compromised, such as by a breach of the verifier’s hashed password database or observed fraudulent activity, subscribers should be required to change their memorized secrets. However, this event-based change should occur rarely, so that they are less motivated to choose a weak secret with the knowledge that it will only be used for a limited period of time.”
  • Q2. What is the recommendation for password length / strength?A2.Password length is king, composition rules (e.g. lower case, upper case, special characters, etc.) are not as helpful as we once thought. Length should be dictated by the desired level of security as appropriate to your organization, but 15 characters is considered generally acceptable assuming other factors (non-dictionary, no sequential characters, no key words (like usernames, service names, etc.)

CTO / Principal Engineer


David Hyde-Volpe

CTO / Principal Engineer




Cyber Risk Reduction

Request A Quote

request A consultation

Request A Quote


Business Operations Manager
Certified: GSEC, CompTIA A+
Education: BA, College of William and Mary
Areas of Focus: Project Management, Accounting, Logistics


CTO / Principal Engineer

Certified: GCIH, GSEC, GMON

Education: BS – Chemistry, Clemson University, Completed PhD coursework in Quantum Theoretical Chemistry – Georgia Institute of Technology, Completed PhD coursework in Statistical Mechanical Theoretical Chemistry – Clemson University.

Areas of Focus: Secure Coding, statistical modeling, penetration testing, security architecture


CEO / Principal Engineer
Certified: CISSP, GCIH, PMP, CRISC, CISA, CISM, CCSK; previous certifications include CCNP, CCSP, CCVP, CCDP
Education: University of MD. LaSalle University (BS/MS – Information Systems)
Areas of Focus: BC/DR, Quantitative Risk programs and analysis, 1/CISO and 1/CIO functions, security strategy and architecture

Subscribe to Vizius' newsletter
and access our FREE

Ramsomware Vaccine

Free Impact Assessment