Re: What about sites that force you to make it easier?
Same with the National Cyber Security Centre in the UK.
Don't enforce regular password expiry
Regular password changing harms rather than improves security. Many systems will force users to change their password at regular intervals, typically every 30, 60 or 90 days. This imposes burdens on the user and there are costs associated with recovering accounts.
Forcing password expiry carries no real benefits because:
* the user is likely to choose new passwords that are only minor variations of the old
* stolen passwords are generally exploited immediately
* resetting the password gives you no information about whether a compromise has occurred
* an attacker with access to the account will probably also receive the request to reset the password
* if compromised via insecure storage, the attacker will be able to find the new password in the same place
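An added example (not from the original post or the NCSC guidance) showing how a defender would find forced periodic expiry on a Linux host: it parses `/etc/login.defs`-style defaults and `/etc/shadow`-style account lines (constructed sample data with placeholder hashes) and reports what to change. The field layout follows shadow(5); the `chage` invocation in the finding text is standard.

```python
"""Audit Linux password-ageing settings for forced regular expiry (added example)."""

# shadow(5): a max-age field of 99999 (or empty) means the password never expires.
NO_EXPIRY = 99999


def parse_login_defs(text: str) -> dict:
    """Return the numeric PASS_* defaults from login.defs-style text."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blank lines
        parts = line.split()
        if len(parts) == 2 and parts[0].startswith("PASS_") and parts[1].lstrip("-").isdigit():
            settings[parts[0]] = int(parts[1])
    return settings


def expiring_accounts(shadow_text: str) -> list:
    """Return (user, max_days) for accounts whose password has a finite maximum age."""
    found = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 9:                        # name:hash:lastchg:min:max:warn:inactive:expire:reserved
            continue
        user, pw_hash, max_days = fields[0], fields[1], fields[4]
        if pw_hash.startswith(("!", "*")) or not max_days:   # locked / no password set: skip
            continue
        if int(max_days) < NO_EXPIRY:
            found.append((user, int(max_days)))
    return found


def audit(login_defs: str, shadow: str) -> list:
    """Combine both checks into a list of human-readable findings."""
    findings = []
    defaults = parse_login_defs(login_defs)
    if defaults.get("PASS_MAX_DAYS", NO_EXPIRY) < NO_EXPIRY:
        findings.append(f"login.defs: PASS_MAX_DAYS={defaults['PASS_MAX_DAYS']} forces periodic "
                        f"expiry for new accounts; set it to {NO_EXPIRY}")
    for user, days in expiring_accounts(shadow):
        findings.append(f"{user}: password expires every {days} days; run 'chage -M -1 {user}' to disable")
    return findings


# Constructed sample input; the hashes are placeholders, not real credentials.
SAMPLE_LOGIN_DEFS = "# constructed sample\nPASS_MAX_DAYS   90\nPASS_MIN_DAYS   0\nPASS_WARN_AGE   7\n"
SAMPLE_SHADOW = ("root:*:19000:0:99999:7:::\n"
                 "alice:$6$PLACEHOLDER$PLACEHOLDERHASH:19000:0:90:7:::\n"
                 "bob:$6$PLACEHOLDER$PLACEHOLDERHASH:19000:0:99999:7:::\n"
                 "svc:!:19000:0:30:7:::\n")

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOGIN_DEFS, SAMPLE_SHADOW):
        print(finding)
```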