The problem is that this doesn’t take into account the inconvenience to users – the ‘usability costs’ – of forcing users to frequently change their passwords. The majority of password policies force us to use passwords that we find hard to remember. Our passwords have to be as long as possible and as ‘random’ as possible. And while we can manage this for a handful of passwords, we can’t do this for the dozens of passwords we now use in our online lives.
To make matters worse, most password policies insist that we have to keep changing them. And when forced to change one, the chances are that the new password will be similar to the old one.
Attackers can exploit this weakness.
The new password may have been used elsewhere, and attackers can exploit this too. The new password is also more likely to be written down, which represents another vulnerability. New passwords are also more likely to be forgotten, and this carries the productivity costs of users being locked out of their accounts, and service desks having to reset passwords.The National Cyber Security Centre
Good to see a sensible recommendation coming from an important organization such as the UK’s authority on cyber security. Managing multiple passwords and updating them every one to three months, depending on policy, is a chore that I would happily live without. I usually end up setting the same password for multiple accounts because it’s easier to remember – but this has the downside that each account password expires at a different time and so they quickly become ‘out-of-sync’. Sadly, I don’t think corporate IT departments will implement it any time soon.