by varenc 1274 days ago
From this doc: https://pages.nist.gov/800-63-3/sp800-63b.html

There’s also this great quote:

Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically).

There’s other great stuff in there as well like that you should allow users to “paste” passwords and potential passwords should be checked against a list of known bad ones.
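As an added illustration (not code from the post or from NIST), here is what a verifier's acceptance check looks like when it follows the quoted guidance: a length floor of 8 and a ceiling of at least 64 (both from section 5.1.1.2 of the same document), NFKC normalization, no composition rules, no trimming of pasted input, and a comparison against a list of known bad values. The blocklist is a constructed stand-in for a real breach-corpus list.

```python
import unicodedata
from typing import Tuple

# Constructed sample blocklist; a real verifier would load a breach corpus
# and dictionary words here rather than this handful of strings.
KNOWN_BAD = {"password", "123456", "qwerty", "letmein", "summer2019"}

MIN_LENGTH = 8   # SP 800-63B 5.1.1.2: at least 8 characters when user-chosen
MAX_LENGTH = 64  # SP 800-63B 5.1.1.2: verifiers SHOULD permit at least 64


def normalize(secret: str) -> str:
    """NFKC so visually identical input (e.g. the 'fi' ligature) compares equal."""
    return unicodedata.normalize("NFKC", secret)


def check_memorized_secret(secret: str, blocklist=KNOWN_BAD) -> Tuple[bool, str]:
    """Return (accepted, reason) for a user-chosen memorized secret.

    Deliberately absent: character-class requirements, bans on repeated
    characters, and any expiry logic. Whitespace is kept as typed (or pasted),
    so passphrases with spaces are accepted unchanged.
    """
    s = normalize(secret)
    # Length is counted in Unicode code points, not UTF-8 bytes.
    if len(s) < MIN_LENGTH:
        return False, "too short"
    if len(s) > MAX_LENGTH:
        return False, "too long"
    # Case-insensitive match against the blocklist of known bad secrets.
    if s.casefold() in blocklist:
        return False, "commonly used or compromised"
    return True, "ok"


def must_change(evidence_of_compromise: bool) -> bool:
    """Rotation is event-driven: only evidence of compromise forces a change."""
    return evidence_of_compromise


if __name__ == "__main__":
    for candidate in ("correct horse battery staple", "P@ss1!", "Password", "a" * 65):
        print(repr(candidate[:20]), check_memorized_secret(candidate))
```

Note that "P@ss1!" fails only on length, and "correct horse battery staple" passes despite containing no digits or symbols; that is the intended behaviour under the quoted rules.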


Expiring passwords are the bane of my existence. My current job does that. It was originally a requirement by Microsoft and they've been recommending against it, but it catches up slowly.
Expiring passwords are the bane of my existence when the period is short. I can live with changing a password once a year, but every three months is only encouraging me to pick weak passwords.

Why can I accept it? I constantly see colleagues sharing passwords and constantly have to say "please don't" when they try to share their password with me. While forcing people to change their passwords doesn't eliminate the underlying problem, it does limit the scope of the damage.

My old man's work used to make them change their passwords once a month.

For the next 10 years, his password was a particular insulting phrase directed at the IT guys, followed by a number that would increment each time he had to change it. Got into the hundreds before he left the company.

I had a coworker that would type in something random as his new password, then immediately fail to log in three times in a row so his account would get locked. To fix this the sysadmin would reset the password, and allow you to choose a new password... and the no-repeated-passwords policy did not apply to the magical reset dialog. So he would then reset it to his old password.
I was doing the same at one point, albeit it only lasted 5 years before I changed employers. Didn't even have to rotate the numbers, I could always come up with new and colorful insults for the nameless IT group. Which ironically I remember perfectly.
I'm reasonably certain that I'm not your father but I used to do that too - although I don't think I made it into the hundreds.
Changing the password opens it to compromise when it's being changed. Capture of that account is possible and easy at that point.

It also interferes with password managers and secure keys. Opens a phishing vector. Generally I could enumerate how bad it is and run out of ink here. (And it's a screen.)

My former company required not to use one of the last 10 passwords. So every 3 months, employees did the 11-password dance, setting the password back to the original one.
My company (5b a year annual revenue so not small) stops you from changing your password within 2 days of changing it previously to stop that.

Even the head of information security tried changing this and failed to get the change through.

That's the point where people simply append the month number.
It’s the absolute best way to make sure all your passwords are insecure garbage.