Microsoft's April 24 decision to remove the "Maximum Password Age" (forced expiration) default from Microsoft Windows has sparked a lot of discussion. The default (and recommended) maximum password age had been 45 to 60 days, depending on the OS version. Removing the forced expiration default follows the recent National Institute of Standards and Technology (NIST) recommendation not to require a password change until you know a password has been compromised.

The thinking behind Microsoft's move is that passwords are usually compromised through means other than password guessing/hacking, which is what mandatory expirations are intended to minimize. Worse, forcing people to change passwords frequently encourages them to re-use the same passwords or patterns across multiple websites. Most passwords are stolen through phishing attacks, and a forced password change won't prevent that.

Should you follow NIST's and Microsoft's lead and eliminate forced password expiration policies? I don't think so. Here's why.

Compliance still requires password expiration

I've yet to meet the organization that isn't subject to some sort of cybersecurity regulation or law (PCI-DSS, HIPAA, SOX, NERC). All these regulations require automated, frequent password changes. Good luck if you believe NIST's new password recommendations. You'll be trapped into the old recommendations until the regulations change.

You rarely know when a password is compromised

My biggest gripe with the "don't change your password unless you know it is compromised" recommendation is that most people don't know if their password has been compromised.
According to every "dwell time" datapoint I've read, the average hacker has full access to the network and its passwords for many months before they are discovered.

Troves of hundreds of millions of passwords, some compromised years prior, are often found out on the dark web or a "pastebin" website. Many of those passwords are still good because many people don't change their passwords. That fact alone should be seen as an advertisement for mandatory password changes.

By forcing users to change their passwords on a routine basis, the likelihood that a compromised-password attack or dump contains a still-valid password is minimized. This is the biggest reason, after compliance, to have an automatic password expiration.

Forced changes might not increase password reuse

Again, forced password changes are believed to increase the chances that people will re-use passwords or patterns across multiple websites and services. I haven't seen any data from NIST showing that it is actually the case. The data might exist, but I can't find it after years of trying.

When sites periodically require you to change your password, rarely does a person then change every password on every website. What usually happens is the user changes that one password and does nothing to the other sites. This is especially true on corporate networks. When an organization requires more frequent password changes than most other sites, it virtually guarantees that it will have either a unique password or one that is shared across fewer websites. Not requiring password changes makes it easier, not harder, for someone to share passwords among websites.

NIST even conjectures that more complex passwords make it more likely that people will re-use them across multiple websites. Again, I've not seen data to support that, and I'm not sure it's even possible.
If you like to use long or complex passwords as a default, you'll find that what counts as long and complex varies between websites. Some websites accept eight- to 12-character lengths. Others do not accept any characters except letters. Some websites do not accept anything but numbers and letters. Good luck if you want to re-use your long and complex password across multiple sites.

Password guessing and cracking still happens

Even though password guessing/cracking is not as popular as it once was, it still happens. It still leads to tens of thousands of compromises. Myriad malware programs guess against people's and organizations' passwords. These bots guess against Windows Remote Desktop Protocol (RDP), PuTTY, VNC, SSH and online logon portals every second of every day. All can be defeated by using long or complex passwords, but the fact is all the compromised victims didn't. Requiring forced password changes gives the guesser/cracker less time to get to the plaintext password, regardless of the password's length or complexity.

As long as password guessing or cracking happens, what's the harm in offsetting the risk? Want to change my mind? Show me data that says forced changing of passwords creates far greater risk. I have not seen that data, but I have read about tens of thousands of people being compromised by password guessing bots.

I can steal your password via email

I can construct an embedded link in an email that, if I can trick you into clicking on it, instructs your browser to send me your Windows password hash. There are ways to prevent this, but most organizations do not implement the correct defenses, especially with mobile users moving off their network on a regular basis.

It doesn't send me your plaintext password. It sends the Windows NTLM challenge-response handshake, from which many hacking tools can extract your password hash.
Your password hash can be replayed in other types of attacks or it can be cracked to your plaintext password.

Eight-character password hashes are basically child's play to crack, no matter what their complexity. I've seen many demonstrations of 12-character password hashes broken, and even a few 16-character passwords broken. None of them were super complex, but they did look like a representation of the average password I've seen in most environments. As long as I can trick you into clicking on that embedded link and get your password hash, not periodically changing passwords is an elevated risk.

How often should you change your password?

Microsoft officially did not recommend never expiring passwords. They left it up to the admin. It's a subtle difference.

If you need to comply with a regulation that requires automated password expirations, then this is a moot point. You've got to do what the regulation requires. If you can choose what maximum password age is best for your organization, it depends on the organization's risk acceptance. I feel that forced changes every 30 to 45 days is insane. At that short an interval, you really are asking for re-use problems. The average organization probably does every 90 days, and to me (without any real data to show me the right delineations), that feels appropriate for organizations that want significantly less risk than most organizations. I can even see organizations with average risk profiles going 180 to 365 days without forcing a password change.

Getting rid of all forced password expirations in all organizations is a recipe for more compromises, at least until someone can show me real-life data that says otherwise.
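The "Password guessing and cracking still happens" section above describes bots hammering RDP and other logon services. The following PowerShell is an added example, not code from the article or from Microsoft, of how a defender can spot such a burst on a Windows host: it reads failed-logon events (Security event ID 4625) from the last hour and groups them by source address. The window, threshold and the decision to key on source address are my own choices, not values the article gives.

```powershell
# Added example (not from the article): find password-guessing bursts by
# grouping failed logons (Security event 4625) by source IP address.
# Assumptions: run with rights to read the Security log; the window and
# threshold below are arbitrary starting points, not recommended values.

param(
    [int]$WindowMinutes = 60,
    [int]$Threshold     = 20
)

$since  = (Get-Date).AddMinutes(-$WindowMinutes)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                       -ErrorAction SilentlyContinue   # no events = no error, just nothing to report

# Pull the named EventData fields out of each event's XML.
$failures = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        User      = $d['TargetUserName']
        Source    = $d['IpAddress']
        LogonType = $d['LogonType']   # 10 = RemoteInteractive (RDP), 3 = Network (SMB etc.)
    }
}

# One source failing against many distinct accounts is the classic bot pattern;
# many failures against a single account looks more like a targeted guess (or a
# locked-out user with a stale saved credential), so both counts are shown.
$failures |
    Where-Object { $_.Source -and $_.Source -ne '-' } |
    Group-Object Source |
    Where-Object Count -ge $Threshold |
    ForEach-Object {
        [pscustomobject]@{
            Source        = $_.Name
            Failures      = $_.Count
            DistinctUsers = ($_.Group.User | Sort-Object -Unique).Count
            LogonTypes    = ($_.Group.LogonType | Sort-Object -Unique) -join ','
            First         = ($_.Group.Time | Measure-Object -Minimum).Minimum
            Last          = ($_.Group.Time | Measure-Object -Maximum).Maximum
        }
    } |
    Sort-Object Failures -Descending |
    Format-Table -AutoSize
```

Run it on the host exposing the service (or against a collector that forwards 4625 events). Sources that appear here are candidates for firewall blocks or for lowering the account-lockout threshold; the LogonType column tells you whether the guessing is coming through RDP or through network (SMB) logons.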
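The "I can steal your password via email" section says there are ways to prevent the NTLM hash leak but does not name them. One defense that is widely deployed for exactly this case is to stop the workstation from opening SMB sessions to arbitrary hosts while it is off the corporate network, so the challenge-response never leaves the machine, and to audit outgoing NTLM so attempts become visible. The PowerShell below is an added example, not from the article; the rule name is my own and the audit-before-deny sequencing is a recommendation, not something the article states.

```powershell
# Added example (not from the article): reduce NTLM hash leakage from
# email links by blocking outbound SMB/NetBIOS on untrusted networks and
# auditing outgoing NTLM. Run elevated. Rule name is an arbitrary choice.

$ruleName = 'Block outbound SMB (Public profile)'
$ports    = @(445, 139)

# 1. Block outbound SMB/NetBIOS only on the Public profile, i.e. laptops that have
#    left the corporate network. Domain and Private profiles keep file shares working.
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Outbound -Action Block -Protocol TCP -RemotePort $ports `
        -Profile Public -Enabled True | Out-Null
}

# 2. Audit outbound NTLM to remote servers (policy "Network security: Restrict NTLM:
#    Outgoing NTLM traffic to remote servers"). Values: 0 = allow all,
#    1 = audit all (events land in Microsoft-Windows-NTLM/Operational), 2 = deny all.
#    Start with audit; move to deny once the log shows only expected destinations.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
Set-ItemProperty -Path $lsa -Name 'RestrictSendingNTLMTraffic' -Value 1 -Type DWord

# 3. Verify both settings took effect.
Get-NetFirewallRule -DisplayName $ruleName |
    Select-Object DisplayName, Enabled, Direction, Action, Profile
Get-ItemProperty -Path $lsa -Name 'RestrictSendingNTLMTraffic' |
    Select-Object RestrictSendingNTLMTraffic
```

In a domain these two settings are normally pushed by Group Policy rather than set per machine; the script shows the equivalent local configuration so you can test it on one laptop first. Blocking the Public profile only is a deliberate trade-off: it does not protect a user who clicks the link while on the corporate LAN, which is why the NTLM audit (and eventually deny) setting is the second half of the example.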
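The closing section argues for a maximum password age chosen by risk acceptance, roughly 90 days for lower-risk-tolerant organizations and 180 to 365 days for average ones. The following PowerShell is an added example, not from the article or from Microsoft, of how to implement that in Active Directory: a default domain maximum age, a shorter fine-grained password policy for a higher-risk group, and an audit listing accounts whose password is older than their effective limit or that have been exempted with "password never expires". The day counts, the group name `Tier0-Admins` and the policy name are my own illustrative choices.

```powershell
# Added example (not from the article): tiered maximum password age in AD
# plus an audit of overdue accounts. Requires the ActiveDirectory module and
# domain-admin rights. Day counts, group and policy names are illustrative.
Import-Module ActiveDirectory

$domain       = (Get-ADDomain).DistinguishedName
$defaultDays  = 180             # average-risk baseline (article: 180-365 days)
$elevatedDays = 90              # higher-risk accounts (article: ~90 days)
$elevatedGrp  = 'Tier0-Admins'  # assumed group name
$psoName      = 'PSO-Elevated-90d'

# Default domain policy. A MaxPasswordAge of 0 would mean "never expires",
# which is the setting the article argues against.
Set-ADDefaultDomainPasswordPolicy -Identity $domain `
    -MaxPasswordAge (New-TimeSpan -Days $defaultDays)

# Fine-grained password policy: overrides the default for members of the
# elevated group. Lower Precedence wins if several PSOs apply to one user.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
        -MaxPasswordAge (New-TimeSpan -Days $elevatedDays) `
        -MinPasswordLength 14 -ComplexityEnabled $true `
        -ReversibleEncryptionEnabled $false
    Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $elevatedGrp
}

# Audit: enabled users whose password is older than the age that applies to
# them, never-set passwords, and accounts flagged PasswordNeverExpires
# (which silently bypasses both policies above).
$now = Get-Date
Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordLastSet, PasswordNeverExpires |
    ForEach-Object {
        $pso = Get-ADUserResultantPasswordPolicy -Identity $_   # $null when only the default applies
        $max = if ($pso) { $pso.MaxPasswordAge.Days } else { $defaultDays }
        $age = if ($_.PasswordLastSet) { ($now - $_.PasswordLastSet).Days } else { $null }
        [pscustomobject]@{
            User         = $_.SamAccountName
            AgeDays      = $age
            MaxAgeDays   = $max
            NeverExpires = $_.PasswordNeverExpires
            Overdue      = ($_.PasswordNeverExpires -or ($null -eq $age) -or ($age -gt $max))
        }
    } |
    Where-Object Overdue |
    Sort-Object AgeDays -Descending |
    Format-Table -AutoSize
```

The audit half is the part worth running even if you leave the policy values alone: PasswordNeverExpires on service and admin accounts is the usual way a 90-day policy turns into a multi-year one in practice. Get-ADUserResultantPasswordPolicy is called once per user, so on a large directory run the audit against a filtered OU or schedule it rather than running it interactively.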