According to the Center for Internet Security, users should be required to change their passwords every 60 days. Various security technical implementation guides from the U.S. The Defense Information Systems Agency says that users should be required to change their passwords every 60 days.

Why does this guidance exist? By changing a password every few months you will prevent someone who has already stolen a password from having constant access to the account. They will be forced to discover your new password after it has been changed. Another reason is that a hacker could potentially crack the hash of a weak password within a short period of time (perhaps a few months or less). By requiring password resets any passwords that were successfully cracked by a hacker become outdated.

• Passwords should be at least 8 characters long but users are encouraged to use much longer passwords.
• Users should not be required to reset their passwords rather users should concentrate on using a long good quality password that is easy to remember but difficult to guess.
• Passwords should not be too complicated otherwise users will not be able remember them. As a result using mixed cases, characters, and numbers isn’t paramount as users are often tempted to write them down.
• With multi-factor authentication password resets are less important.

Password resets still play a role. You can mandate password resets when you detect suspicious activity on an account instead of every few months.

The logic behind both password approaches is sound and neither method is wrong. The conventional method where users need to change their passwords every two months can create more work for your IT helpdesk because they will have to assist users with their passwords more often as users are more likely to forget their new passwords or to let their passwords expire. By not requiring password resets you can reduce the workload on your IT helpdesk. Overall the new method from NIST when coupled with multi-factor authentication makes managing passwords easier for both IT staff and end users. You can also go with a hybrid approach, perhaps requiring users to reset their passwords every six months or annually. It is really up to what works best for your company culture and your compliance requirements.