We're all busy people. Business demands are constant, and information overload is a daily challenge. Most of us don't come to work to 'do security' - it's a supporting function. It's something we have to get through in order to get to our main task.
And this is fine. Most of us aren't hired to do security - we're hired to do jobs that help meet our employer's business goals.
But due to these competing demands and priorities, we have limited mental effort to spend on security. This is sometimes called The Compliance Budget and like any budget, once spent it's gone - we can't use it again elsewhere. As security professionals we should be mindful of this budget, avoid squandering it in places where it doesn’t buy real value, and not expect user effort to be able to compensate for other gaps in our defences.
Pouring user effort into managing and memorising difficult passwords is a common use of the compliance budget, and it's (mostly) a huge waste of this precious resource. Users generally find such policies impossible to comply with; they provide no particular defence against many common password attacks, and there is a real limit on how much protection user passwords can give to a system. Because most times, if your user passwords can be directly attacked, then you've got bigger problems.
For instance, if an attacker is able to get hold of your password hash file and run offline brute force attacks against it…you’ve got bigger problems.
If an attacker is able to attempt thousands of logins without prevention or detection, because you have no account lockout/throttling or monitoring in place...you've got bigger problems.
If an attacker compromises a user account, gains a foothold in the system and installs back-doors that give sustained and undetected access even after the password is changed…you’ve got bigger problems.
User passwords are only one of many ways in which we defend our systems. They can’t compensate for all vulnerabilities elsewhere, so we shouldn't rely on them further than is justified. Research shows that there is no correlation between the best-defended systems and those with the most demanding password policies. If anything, the opposite is true.
The same applies with password expiry. There are very few imaginable scenarios where regular password expiry would provide any real security protection, and regular password-changing makes no difference to the success of most attacks. But it does impose a heavy burden on users, causing corresponding harm to the organisation's overall security. Because of the innate attraction of the idea that a newer password must be a better password, and because we have been slow to realise the huge costs imposed by password expiry policies, we have hung on to them long past the time when we should have - well, expired them.
Organisations should stop regularly expiring user passwords for the sake of it and focus instead on more meaningful, effective protective measures. This includes minimising password use and ensuring that where they do remain necessary, they are used sensibly.