Password duration

Some policies require users to change passwords periodically, e.g. every 90 or 180 days. The benefit of password expiration, however, is debatable. Systems that implement such policies sometimes prevent users from picking a password too close to a previous selection. This policy can often backfire. Since it is hard to come up with 'good' passwords that are also easy to remember, people who must invent many passwords because they have to change them often end up using much weaker ones; the policy also encourages users to write passwords down. Also, if the policy prevents a user from repeating a recent password, a database of everyone's recent passwords (or their hashes) must exist, instead of the old ones being erased from memory.

Finally, users may change their password repeatedly within a few minutes, and then change back to the one they really want to use, circumventing the password change policy altogether. The human factors aspects of passwords must also be considered. Unlike computers, human users cannot delete one memory and replace it with another. Consequently, changing a memorized password is very difficult, and most users resort to choosing a password that is easy to guess. Users are often advised to use mnemonic devices to remember complex passwords. However, if the password must be repeatedly changed, mnemonics are useless because the user would not remember which mnemonic to use.
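The two mechanisms mentioned above (a retained history of old password hashes, and the rapid change-and-change-back that defeats it) can be illustrated in code. The following is an added example written for this article, not code from any real system; the policy values (five remembered passwords, a one-day minimum age, a 90-day maximum age) and the PBKDF2 iteration count are assumptions chosen for illustration. A minimum password age is the usual countermeasure to the cycling trick: with it, reusing a favourite password takes at least (history depth + 1) × minimum age rather than a few minutes. Note that the history itself is exactly the "database of everyone's recent passwords (or their hashes)" the text warns about, which is why it is salted and hashed rather than stored in clear.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta

# Policy parameters: assumed values for this example, not taken from any standard.
HISTORY_DEPTH = 5                      # old passwords remembered, excluding the current one
MIN_PASSWORD_AGE = timedelta(days=1)   # earliest point at which the password may be changed again
MAX_PASSWORD_AGE = timedelta(days=90)  # expiry interval, matching the 90-day example in the text
PBKDF2_ITERATIONS = 50_000             # kept low so the example runs quickly; production uses more

# Fixed reference time so the example is deterministic; at(n) is n days after it.
EPOCH = datetime(2024, 1, 1)


def at(days: float) -> datetime:
    return EPOCH + timedelta(days=days)


class PasswordPolicyError(Exception):
    """Raised when a password change violates the policy."""


def _hash(password: str, salt: bytes) -> bytes:
    # Salted, slow hash: the retained history must not become a lookup table of old passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class Account:
    def __init__(self, password: str, now: datetime):
        # Each entry is (salt, digest); the last entry is the current password.
        self.history: list[tuple[bytes, bytes]] = []
        self.changed_at = now
        self._store(password, now)

    def _store(self, password: str, now: datetime) -> None:
        salt = os.urandom(16)
        self.history.append((salt, _hash(password, salt)))
        # Keep the current password plus HISTORY_DEPTH old ones; anything older is erased.
        self.history = self.history[-(HISTORY_DEPTH + 1):]
        self.changed_at = now

    def _matches(self, password: str, entry: tuple[bytes, bytes]) -> bool:
        salt, digest = entry
        return hmac.compare_digest(_hash(password, salt), digest)

    def verify(self, password: str) -> bool:
        """True if `password` is the current password."""
        return self._matches(password, self.history[-1])

    def is_expired(self, now: datetime) -> bool:
        """True once the current password has reached the maximum age."""
        return now - self.changed_at >= MAX_PASSWORD_AGE

    def change_password(self, old: str, new: str, now: datetime) -> None:
        if not self.verify(old):
            raise PasswordPolicyError("current password incorrect")
        # Minimum age: blocks the change-several-times-then-change-back trick.
        if now - self.changed_at < MIN_PASSWORD_AGE:
            raise PasswordPolicyError("password changed too recently")
        # History check: the new password may not match the current one or any remembered one.
        if any(self._matches(new, entry) for entry in self.history):
            raise PasswordPolicyError("password was used recently")
        self._store(new, now)


def try_change(acct: Account, old: str, new: str, now: datetime) -> str:
    """Attempt a change and report the outcome as a string ("ok" or the policy error)."""
    try:
        acct.change_password(old, new, now)
        return "ok"
    except PasswordPolicyError as err:
        return str(err)


if __name__ == "__main__":
    acct = Account("correct horse battery staple", at(0))
    print(try_change(acct, "correct horse battery staple", "second password", at(0.01)))  # too recent
    print(try_change(acct, "correct horse battery staple", "second password", at(2)))     # ok
    print(try_change(acct, "second password", "correct horse battery staple", at(4)))     # used recently
```

Running the script shows the three outcomes in order: the immediate second change is refused by the minimum-age rule, the change two days later succeeds, and switching back to the original is refused by the history check.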

Requiring a very strong password and not requiring that it be changed is often better. However, this approach does have a major drawback: if an unauthorized person acquires a password and uses it without being detected, that person may have access for an indefinite period. It is necessary to weigh these factors: the likelihood of someone guessing a password because it is weak, vs. the likelihood of someone managing to steal, or otherwise acquire without guessing, a stronger password.