The security of modern password expiration (2010)
A 2010 study by researchers including Cormac Herley analyzes the security benefits of mandatory password expiration policies and finds limited evidence that they effectively reduce risk, suggesting that the costs and usability burdens often outweigh the security gains.
Background
This is a 2010 research paper from the ACM conference on Computer and Communications Security that empirically studied the password-changing behavior of 25,000 students at the University of Cambridge. The authors, researchers at Microsoft Research and Cambridge, examined how users respond to mandatory password expiration policies, the common security practice of forcing users to create a new password every 30, 60, or 90 days. They found that users tend to make predictable, weak transformations to their old passwords (e.g., appending a digit, incrementing a number, or changing one character), so an attacker who has compromised the old password can easily guess the new one. The paper was influential in challenging the conventional wisdom that periodic password rotation improves security, and it helped lay the groundwork for later NIST guidelines that deprecated mandatory expiration policies.
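The defensive counterpart to the finding above is a change-time check that refuses a new password derived from the old one by exactly the transforms the paper describes. The following is an added example, not code from the paper or its authors; the edit-distance threshold of 2, the stem heuristic (strip trailing digits and symbols, ignore case) and the rule names are assumptions chosen for illustration.

```python
"""Added example: flag a new password that is a predictable transform of
the old one (appended digit, incremented counter, one-character change)."""
import re
from typing import Optional

# Assumed threshold (not from the paper): 2 or fewer edits is "too similar".
MAX_SIMILAR_EDIT_DISTANCE = 2

# Lazy prefix, then trailing digits, then trailing non-alphanumerics.
_TRAILING = re.compile(r"^(.*?)([0-9]*)([^A-Za-z0-9]*)$")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using the standard two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def stem(pw: str) -> str:
    """Drop trailing digits/symbols and case, so 'Summer2010!' and
    'summer2011' share the stem 'summer' (assumed heuristic)."""
    return _TRAILING.match(pw).group(1).lower()


def is_predictable_transform(old: str, new: str) -> Optional[str]:
    """Return the rule the new password trips, or None if it looks unrelated
    to the old one. Intended to run on the plaintext submitted at change time,
    alongside the server's normal strength checks."""
    if new == old:
        return "identical"
    if new.lower() == old.lower():
        return "case change only"
    if stem(new) and stem(new) == stem(old):
        return "same stem with different trailing digits or symbols"
    if new.startswith(old) or old.startswith(new):
        return "old password extended or truncated"
    if edit_distance(old.lower(), new.lower()) <= MAX_SIMILAR_EDIT_DISTANCE:
        return "within %d edits of the old password" % MAX_SIMILAR_EDIT_DISTANCE
    return None


if __name__ == "__main__":
    # Constructed sample pairs mirroring the transforms the paper reports.
    for old_pw, new_pw in [("winter2010", "winter2011"), ("Tr0ub4dor", "Tr0ub4dor!"),
                           ("correct horse", "correct hors3"), ("winter2010", "batterystaple")]:
        print(f"{old_pw!r} -> {new_pw!r}: {is_predictable_transform(old_pw, new_pw)}")
```

The check only covers the derivation patterns named on the page; it is a complement to, not a replacement for, breach-list screening and length requirements.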