Password Aging with Long Expiration

Draft Base

Structure: Simple

Description

The system enforces password changes, but the time allowed between changes is excessively long, weakening security.

Extended Description

Password aging, or forced password rotation, is a security policy that requires users to update their passwords after a set period, like every 30 or 90 days. When this expiration window is too long, it gives attackers significantly more time to crack passwords through brute-force or dictionary attacks before a user is forced to change them. While password rotation was once a standard recommendation, many security experts now consider it less effective against modern threats compared to strong, slow hashing algorithms and multi-factor authentication. Forcing frequent changes can also lead to user fatigue, resulting in weaker, predictable passwords. However, this practice often remains in place to meet specific compliance requirements, such as those found in the PCI DSS standard.

Common Consequences 1

Scope: Access Control

Impact: Gain Privileges or Assume Identity

As passwords age, the probability that they are compromised grows.

Potential Mitigations 5

Phase: Implementation

Previously, "password expiration" was widely advocated as a defense-in-depth approach to minimize the risk of weak passwords, and it has become a common practice. Password expiration requires a password to be changed within a fixed time window (such as every 90 days). However, this approach has significant limitations in the current threat landscape, and its utility has been reduced in light of the adoption of related protection mechanisms (such as password complexity and computational effort), along with the recognition that regular password changes often caused users to generate more predictable passwords. As a result, this is now a Discouraged Common Practice [REF-1488] [REF-1489], especially as the sole factor in protecting passwords. It is still strongly encouraged to force password changes in case of evidence of compromise, but this is not the same as a forced "expiration" on an arbitrary time frame.

Phase: Architecture and Design

Ensure that password aging is limited so that there is a defined maximum age for passwords. Note that if the expiration window is too short, it can cause users to generate poor or predictable passwords.

Phase: Architecture and Design

Ensure that the user is notified several times leading up to the password expiration.

Phase: Architecture and Design

Create mechanisms to prevent users from reusing passwords or creating similar passwords.

Phase: Implementation

Developers might disable clipboard paste operations into password fields as a way to discourage users from pasting a password into a clipboard. However, this might encourage users to choose less-secure passwords that are easier to type, and it can reduce the usability of password managers [REF-1294].

Effectiveness: Discouraged Common Practice

Demonstrative Examples 1

A system requires the changing of passwords every five years.

References 11

Digital Identity Guidelines (SP 800-63B-4)

NIST

07-2025

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63B-4.pdf(2025-09-08)

ID: REF-1488

Password Guidance: Simplifying Your Approach

National Cyber Security Centre

14-09-2015

https://assets.publishing.service.gov.uk/media/5a806bb9e5274a2e87db9b6a/Password_guidance_-_simplifying_your_approach.pdf(2025-09-08)

ID: REF-1489

24 Deadly Sins of Software Security

Michael Howard, David LeBlanc, and John Viega

McGraw-Hill

2010

ID: REF-44

The CLASP Application Security Process

Secure Software, Inc.

2005

https://cwe.mitre.org/documents/sources/TheCLASPApplicationSecurityProcess.pdf(2024-11-17)

ID: REF-18

Discussion Thread: Time to retire CWE-262 and CWE-263

Kurt Seifried and other members of the CWE-Research mailing list

03-12-2021

https://www.mail-archive.com/cwe-research-list@mitre.org/msg00018.html(2022-10-11)

ID: REF-1305

Time for Password Expiration to Die

Lance Spitzner

27-06-2021

https://www.sans.org/blog/time-for-password-expiration-to-die/

ID: REF-1289

Time to rethink mandatory password changes

Lorrie Cranor

02-03-2016

https://www.ftc.gov/policy/advocacy-research/tech-at-ftc/2016/03/time-rethink-mandatory-password-changes

ID: REF-1290

Security Myths and Passwords

Eugene Spafford

19-04-2006

https://www.cerias.purdue.edu/site/blog/post/password-change-myths/

ID: REF-1291

Password administration for system owners

National Cyber Security Centre

19-11-2018

https://www.ncsc.gov.uk/collection/passwords(2023-04-07)

ID: REF-1292

Digital Identity Guidelines: Authentication and Lifecycle Management(SP 800-63B)

NIST

06-2017

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63b.pdf(2023-04-07)

ID: REF-1293

Let them paste passwords

National Cyber Security Centre

02-01-2017

https://webarchive.nationalarchives.gov.uk/ukgwa/20240701101110/https://www.ncsc.gov.uk/blog-post/let-them-paste-passwords(2025-08-04)

ID: REF-1294

Likelihood of Exploit

Low

Applicable Platforms

Languages:

Not Language-Specific : Undetermined

Modes of Introduction

Architecture and Design

Related Attack Patterns

Related Weaknesses

ChildOf:

Weak Authentication (CWE-1390)

Taxonomy Mapping

CLASP

Notes

MaintenancePassword expiration was once widely advocated (see Mitigations), but it is no longer actively supported. It might be appropriate to Deprecate this entry, or at least change it significantly so that readers can consider alternate mechanisms to protect passwords (and/or avoid passwords entirely). However, older software - and even modern software - might still need to be mapped to this weakness if the software is obsolete or not actively maintained, and expiration remains the only option.