Definition
Password Rotation
Password rotation is the practice of requiring or suggesting a password change after a fixed time span. The goal is to reduce the lifetime of passwords and thereby lower the likelihood of successful brute-force or offline attacks.
Trade-offs
Reduced Exposure Window
A shorter password lifetime limits the window in which a compromised password remains valid.
Usability
Good passwords are hard to remember. When users are forced to change passwords regularly and do not use a password manager, they tend to choose weaker passwords or write them down (for example, on a post-it note), undermining security.
Guidelines
NIST Recommendation
Current NIST guidelines advise against the enforcement of periodic password rotation. Instead, they recommend changing passwords only when there is evidence of compromise.
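The following is an added example, not part of the original glossary entry, that puts the two policies side by side: a fixed-interval rotation rule forces a change once a password passes a maximum age, while the compromise-driven rule NIST recommends forces a change only where there is evidence of compromise. It also computes the worst-case exposure window from the Trade-offs section (how long a captured password stays valid before a fixed-interval policy retires it). The account records, the 90-day interval and the function names are this example's own constructed assumptions.

```python
"""Added example (not from the original page): compare a fixed-interval
password rotation policy with a compromise-driven policy.

All account records are constructed sample data; the function names and
the 90-day maximum age are assumptions made for illustration."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Account:
    username: str
    last_changed: date         # date the current password was set
    compromised: bool = False  # evidence of compromise (breach report, leaked hash, ...)


def exposure_window_days(age_at_compromise_days: int, max_age_days: int) -> int:
    """Worst-case number of days a password captured at the given age stays
    valid under a fixed-interval policy before the policy forces a change.
    A shorter max age shrinks this window; it never removes it entirely."""
    if age_at_compromise_days < 0 or max_age_days <= 0:
        raise ValueError("age must be non-negative and max_age_days positive")
    return max(0, max_age_days - age_at_compromise_days)


def fixed_interval_policy(accounts, today, max_age_days=90):
    """Legacy policy: force a change for every password older than
    max_age_days, whether or not there is any evidence of compromise."""
    cutoff = today - timedelta(days=max_age_days)
    return sorted(a.username for a in accounts if a.last_changed <= cutoff)


def compromise_driven_policy(accounts, today):
    """NIST-style policy: force a change only where there is evidence of
    compromise. Password age on its own is not a reason to rotate."""
    return sorted(a.username for a in accounts if a.compromised)


# Constructed sample data: four accounts as seen on 2024-06-01.
TODAY = date(2024, 6, 1)
SAMPLE_ACCOUNTS = [
    Account("alice", date(2024, 5, 20)),                    # recent, no evidence
    Account("bob",   date(2024, 1, 15)),                    # old, no evidence
    Account("carol", date(2024, 5, 25), compromised=True),  # recent, but leaked
    Account("dave",  date(2023, 11, 1), compromised=True),  # old and leaked
]

if __name__ == "__main__":
    print("fixed interval forces:   ", fixed_interval_policy(SAMPLE_ACCOUNTS, TODAY))
    print("compromise driven forces:", compromise_driven_policy(SAMPLE_ACCOUNTS, TODAY))
    print("worst-case exposure, 90-day policy, captured on day 10:",
          exposure_window_days(10, 90), "days")
```

On the sample data the fixed-interval policy forces bob and dave to change, burdening bob (no evidence of compromise) while leaving carol's leaked but recent password valid for the rest of its 90-day lifetime; the compromise-driven policy forces exactly carol and dave. This is the trade-off the page describes: the interval only bounds the exposure window, whereas acting on evidence closes it for the accounts that actually need it.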