Are Mandatory Password Updates Even Necessary?

Security experts have weighed in and found that requiring employees to regularly update their password doesn't do much.

Is your business employing outdated password policies? Security experts have weighed in on the value of mandatory password updates and found that they aren’t doing much to protect you or your business.

With data breaches becoming part of everyday life for businesses around the world, it’s safe to say that bolstering cybersecurity has become a priority for many. After all, a single breach can cost businesses, on average, around $10 million, which means that investing in security is good for your bottom line.

Still, there’s a lot of misinformation out there about what the best way to do that is, and we’re here to make sure you’ve got the right information when it comes to protecting your business.

Mandatory Password Updates Don’t Help

In July, Microsoft released password policy recommendations for users of Microsoft 365. Within the blog post on the company website, some choice words about mandatory password updates were said that might make you rethink your company’s policy:

“Password expiration requirements do more harm than good.”

The post goes on to explain that making employees change their passwords on a certain schedule doesn’t help because it makes users “select predictable passwords, composed of sequential words and numbers that are closely related to each other.” Hackers are decidedly adept at guessing easy-to-use passwords like “123456” — which remains the most popular password for the average user — so it’s better to encourage your team to come up with long, difficult-to-guess passwords and stick with them.

As for why these policies are still in place, the Washington Post interviewed an assortment of security experts to weigh in on the policy and why they think some companies are still employing this outdated ideology:

“I think people are worried, ‘Oh, if there’s a security breach, and I’m not doing all the things that other people are doing, I could get in trouble as a security administrator, and so if other people are doing it, therefore I should do it, too.’” – Lorrie Cranor, director of CyLab Security and Privacy Institute at Carnegie Mellon University

When You Should Change Your Password

Now, we’re not saying you should never change your password, obviously, but arbitrarily requiring employees to change their password on a fixed schedule is clearly not helping, so we’d recommend scrapping that policy if your business has it in place. Sure, there are times when you should change your password, but they won’t fall on a set schedule.

The most important time to change your password is when your data has been compromised. Unfortunately, your average employee is likely not plugged into the dark web to know if their passwords have been compromised, so how will you know when to change it?

Fortunately, most password managers nowadays offer this service. The best ones will alert you when you have a compromised password, and will encourage you to change it, walking you through the steps to a more secure device.

Written by:
Conor is the Lead Writer for For the last six years, he’s covered everything from tech news and product reviews to digital marketing trends and business tech innovations. He's written guest posts for the likes of Forbes, Chase, WeWork, and many others, covering tech trends, business resources, and everything in between. He's also participated in events for SXSW, Tech in Motion, and General Assembly, to name a few. He also cannot pronounce the word "colloquially" correctly. You can email Conor at