Announcing Password Rotation Policies: a feature you shouldn’t use
Blog post from PropelAuth
PropelAuth has added a password rotation policy feature for organizations. A policy requires users to change their password after a set number of days and rejects a new password that matches any of a configurable number of previous passwords. The feature is fully customizable and opt-in, yet the company advises against turning it on: forced periodic changes tend to produce predictable patterns (small edits to the previous password, such as an incremented digit) rather than stronger passwords. The post cites research from UNC Chapel Hill on how users actually change expired passwords, and NIST's updated guidelines (SP 800-63B), which recommend against forced periodic changes and instead favor longer passwords, password managers, and multifactor authentication.

PropelAuth built the feature for customers in industries whose security policies still mandate rotation, since changing such policies in large organizations is slow and complex. It stresses that the feature should be enabled only where a policy genuinely requires it.
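To make the two controls concrete, here is an added example (not PropelAuth's code, and not how their product stores anything) of a max-age plus "differs from the last N passwords" policy implemented over salted PBKDF2 hashes. All names (`RotationPolicy`, `UserCredentials`, `simulate_lifecycle`) are illustrative, the iteration count is deliberately low so the walkthrough runs quickly, and the account lifecycle it simulates is constructed for the demonstration:

```python
"""Password max-age and password-history policy (illustrative, not PropelAuth code).

The history stores only salted PBKDF2 digests, so a compromised history table
never yields reusable plaintext. The simulated user behaves the way the post
warns about: each forced rotation just appends a digit, and the policy accepts it.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Illustrative count only; production should use argon2id/scrypt or a far higher
# PBKDF2 count (OWASP currently lists 600,000 for PBKDF2-HMAC-SHA256).
PBKDF2_ITERATIONS = 100_000


@dataclass
class RotationPolicy:
    max_age_days: int = 90   # force a change once the current password is this old
    history_size: int = 5    # new password must differ from the last N (current included)


@dataclass
class PasswordRecord:
    salt: bytes
    digest: bytes
    set_at: datetime         # timezone-aware


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


@dataclass
class UserCredentials:
    policy: RotationPolicy
    history: list = field(default_factory=list)   # oldest first, current last

    @property
    def current(self):
        return self.history[-1] if self.history else None

    def verify(self, password: str) -> bool:
        rec = self.current
        if rec is None:
            return False
        return hmac.compare_digest(_derive(password, rec.salt), rec.digest)

    def must_rotate(self, now: datetime) -> bool:
        rec = self.current
        if rec is None:
            return True
        return now - rec.set_at >= timedelta(days=self.policy.max_age_days)

    def reused_recently(self, candidate: str) -> bool:
        # Every record has its own salt, so the candidate is re-derived per record.
        n = self.policy.history_size
        if n <= 0:
            return False
        return any(hmac.compare_digest(_derive(candidate, r.salt), r.digest)
                   for r in self.history[-n:])

    def set_password(self, new_password: str, now: datetime) -> None:
        if self.reused_recently(new_password):
            raise ValueError("password matches one of the recent passwords")
        salt = os.urandom(16)
        self.history.append(PasswordRecord(salt, _derive(new_password, salt), now))
        keep = max(self.policy.history_size, 1)   # always keep the current record
        del self.history[:-keep]


def simulate_lifecycle() -> dict:
    """Walk one constructed account through the policy and return each check's outcome."""
    creds = UserCredentials(RotationPolicy(max_age_days=90, history_size=3))
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    base = "correct horse battery staple"
    out = {}
    creds.set_password(base, t0)
    out["login_ok"] = creds.verify(base)
    out["login_wrong"] = creds.verify(base + "!")
    out["expired_day_89"] = creds.must_rotate(t0 + timedelta(days=89))
    out["expired_day_90"] = creds.must_rotate(t0 + timedelta(days=90))
    out["reuse_blocked"] = creds.reused_recently(base)
    # The user's response to each forced rotation: bump a digit. The history check
    # only sees hashes, so it cannot tell that these are trivial variants.
    creds.set_password(base + "1", t0 + timedelta(days=90))
    creds.set_password(base + "2", t0 + timedelta(days=180))
    out["history_len"] = len(creds.history)                 # 3 records kept
    out["oldest_still_blocked"] = creds.reused_recently(base)
    creds.set_password(base + "3", t0 + timedelta(days=270))
    out["history_len_after"] = len(creds.history)           # trimmed back to 3
    out["oldest_now_allowed"] = not creds.reused_recently(base)
    return out


if __name__ == "__main__":
    for name, value in simulate_lifecycle().items():
        print(f"{name}: {value}")
```

The simulation shows the limit of the control: once the original password ages out of the history window it becomes valid again, and the three "rotations" in between were each a one-character edit that any attacker holding an old password would try first. That is the predictable-pattern problem the post and the UNC study describe, and it is why a history check is not a substitute for length, a password manager and MFA.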