Password Rotation - Periodic Credential Changes
Password rotation is the operational practice of changing passwords at fixed intervals. Rules such as "change every 90 days" were once considered a security best practice, but in 2017 NIST (the U.S. National Institute of Standards and Technology) explicitly deprecated periodic changes in SP 800-63B, marking a major paradigm shift in password management. Today, "event-driven" rotation, which does not change a password unless there are signs of compromise, is becoming the international standard.
The Paradigm Shift Driven by NIST SP 800-63B
Revised in 2017, NIST SP 800-63B (Digital Identity Guidelines) clearly deprecated the periodic password changes that had previously been considered common sense. Behind this revision were several studies showing the negative effects that periodic changes have on user behavior. A study by the University of North Carolina (2010) revealed that many users forced to change passwords periodically made patterned changes that merely altered the trailing number, such as "Password1!" → "Password2!" → "Password3!".
Why Periodic Changes Backfire
Mandating periodic changes should, in theory, improve security, but many studies have shown that in practice it backfires for the following reasons.
- Changes that merely increment the trailing number, which an attacker who knows the old password can guess with little effort.
- Worn out by frequent changes, users choose weak, easy-to-remember passwords: a classic example of password fatigue.
- Unable to remember them all, users write them on sticky notes or in files, increasing the risk of physical leakage.
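The first failure mode above, the counter-only change, can be caught at the moment the password is changed, because a password-change request carries both the old and the new plaintext (the user proves knowledge of the old one). The following check is an added example written for this article, not code from the page or from NIST; the function names and the rejection message are my own, and the rule it applies (same stem once a trailing counter and case are stripped, or the old password kept whole inside the new one) is one reasonable heuristic, not a standard.

```python
import re
from typing import Optional

# A trailing counter with optional symbols after it: "Password1!", "Summer2024", "Winter7".
_TRAILING_COUNTER = re.compile(r"^(?P<stem>.*?)(?P<num>\d+)(?P<tail>[^\w]*)$")


def normalize(password: str) -> str:
    """Lower-case the password and drop a trailing counter so that
    'Password1!' and 'Password2!' collapse to the same value ('password!')."""
    m = _TRAILING_COUNTER.match(password)
    if m:
        return (m.group("stem") + m.group("tail")).lower()
    return password.lower()


def is_trivial_rotation(old: str, new: str) -> bool:
    """True when the new password is a patterned variant of the old one."""
    if old == new:
        return True
    if normalize(old) == normalize(new):
        return True  # only the counter changed, or a counter was appended
    lo, ln = old.lower(), new.lower()
    # The old password was kept whole with something bolted onto the front or back.
    return ln.startswith(lo) or ln.endswith(lo)


def validate_password_change(old: str, new: str) -> Optional[str]:
    """Return a rejection reason, or None when the change is acceptable.
    Both plaintexts exist only inside the change request itself; nothing
    about the old password is stored to make this comparison later."""
    if is_trivial_rotation(old, new):
        return "new password is a predictable variant of the old one"
    return None


if __name__ == "__main__":
    # Constructed sample changes, not real credentials.
    for old_pw, new_pw in [("Password1!", "Password2!"), ("Winter", "Winter1"),
                           ("Password1!", "correct horse battery staple")]:
        print(f"{old_pw!r} -> {new_pw!r}: {validate_password_change(old_pw, new_pw) or 'accepted'}")
```

The check is deliberately conservative: it rejects only the patterns the studies cited above describe, and a compromised-credential lookup (a separate control) still has to run on the new value.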
Exceptions - Cases Requiring Immediate Change
Periodic changes are deprecated, but in the following cases an immediate password change is essential. This is the core of event-driven rotation.
- When a credential leak is confirmed (detected via Have I Been Pwned, etc.)
- When you receive notice of a data breach
- When signs of unauthorized access are recorded in the logs
- When a malware infection is detected and passwords may have been stolen
- When taking over the account of a departing or transferred employee
The Current Situation at Japanese Companies
Even now in 2026, nine years after the NIST revision, many Japanese companies still mandate periodic password changes. In 2018, the Ministry of Internal Affairs and Communications published the view that "periodic changes are unnecessary," yet quite a few organizations have not kept up with revising their internal rules. In particular, financial institutions and government agencies tend to retain the old rules, citing alignment with audit standards and compliance requirements. The article on corporate password policies explains in detail how to review them at the organizational level.
| Aspect | Periodic change (legacy) | Event-driven |
|---|---|---|
| Change timing | Fixed cycle such as every 90 days | Only when a leak is detected |
| User burden | High (induces fatigue and simplification) | Low |
| Password quality | Tends to decline | Easy to maintain |
| Applicable standard | Old NIST, old PCI DSS | NIST SP 800-63B (2017 onward) |
Steps to Transition to Event-Driven Rotation
For an organization to move from periodic changes to event-driven rotation, it must advance technical measures and revisions to its rules in parallel. Along with reviewing the password policy, it is important to introduce a password manager and put in place a mechanism for leak monitoring.
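The leak-monitoring mechanism mentioned above is usually built on the Have I Been Pwned Pwned Passwords range API, which the article's exception list also names. The code below is an added example, not the article's or HIBP's own code. What it relies on from the real service is the published k-anonymity protocol: the client sends only the first five hex characters of the password's SHA-1 digest to `https://api.pwnedpasswords.com/range/{prefix}` and receives every 35-character suffix in that range with an occurrence count, one `SUFFIX:COUNT` pair per line. The sample response body, all its counts and the extra suffixes are constructed for this example (only the suffix belonging to the string "password" is a real SHA-1 value), and the function names are my own.

```python
import hashlib
import re
import urllib.request

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"
_RANGE_LINE = re.compile(r"^(?P<suffix>[0-9A-F]{35}):(?P<count>\d+)$")

# Constructed stand-in for the body of GET /range/5BAA6.  The third line carries the
# real SHA-1 suffix of "password"; the other suffixes and every count are made up.
SAMPLE_RANGE_RESPONSE = (
    "003D68EB55068C33ACE09247EE4C639306B:3\r\n"
    "012C192B2F16F82EA0EB9EF18D9D539B0DD:1\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
    "1E6F3DA5C21A4F3B0E8D7C9A2B1F0E4D5C6:2\r\n"
)


def split_hash(password: str) -> tuple[str, str]:
    """SHA-1 the password and split the upper-case hex digest into the 5-char prefix
    that is sent to the API and the 35-char suffix that never leaves this host."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (CRLF-terminated in the real service) into a dict."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        m = _RANGE_LINE.match(line)
        if not m:
            raise ValueError(f"malformed range line: {line!r}")
        counts[m.group("suffix")] = int(m.group("count"))
    return counts


def breach_count(password: str, range_body: str) -> int:
    """How often the password appears in the corpus covered by range_body (0 = not seen).
    Padded entries returned by the service carry a count of 0 and so do not match."""
    _, suffix = split_hash(password)
    return parse_range_response(range_body).get(suffix, 0)


def rotation_required(password: str, range_body: str) -> bool:
    """Event-driven rule: rotate only when a leak is actually observed."""
    return breach_count(password, range_body) > 0


def fetch_range(prefix: str, timeout: float = 5.0) -> str:
    """Live lookup (needs network). Add-Padding asks the service to pad the response so
    that its size does not reveal how many real suffixes the range contains."""
    req = urllib.request.Request(
        PWNED_RANGE_URL.format(prefix=prefix),
        headers={"User-Agent": "event-driven-rotation-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Offline run against the constructed sample; swap in fetch_range(prefix) for a live check.
    for candidate in ("password", "correct horse battery staple"):
        prefix, _ = split_hash(candidate)
        seen = breach_count(candidate, SAMPLE_RANGE_RESPONSE)
        print(f"{candidate!r}: prefix {prefix}, seen {seen} times, "
              f"rotation {'required' if seen else 'not required'}")
```

Because only the hash prefix crosses the network, the same lookup can run at registration, at password change and on a schedule against stored hashes without exposing the passwords themselves, which is what lets the change trigger move from "90 days have passed" to "this credential has appeared in a leak."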
Common Misconceptions
The concern that "stopping periodic changes will lower security" is persistent, but it is a misconception. What NIST deprecated was "periodic" changes; it does not deny changing passwords altogether. Immediate change when a leak is suspected is, in fact, strongly recommended. What matters is switching the trigger for changes from "the passage of time" to "the occurrence of a security event." The psychological aspects of passwords are explained in detail in the article on password psychology. Password security books on Amazon are also helpful for reference.
Real-World Use Cases
"In 2023, we abolished the rule of changing passwords every 90 days and introduced a leak-detection system integrated with the Have I Been Pwned API. Password reset requests dropped from 150 per month to 20, greatly reducing the help desk's workload. At the same time, we promoted how to create secure passwords through company-wide training, and password quality has also improved."