
Your password policy sucks - stop expiring passwords

Published in Technology

Written by

Samu Warinowski
Site Reliability Engineer & Service Manager

Samu Warinowski is a Site Reliability Engineer and Service Manager at Nitor. The Turku-based engineer works in Nitor's Care Bear team, which provides round-the-clock maintenance services for a diverse array of clients. Warinowski skillfully combines technical expertise with business insight. Outside of work, he plays bass in the Ruissalo Amping band.

Article

2 September 2025 · 6 min read

Samu Warinowski, a Site Reliability Engineer and Service Manager at Nitor, is passionate about many things, but there is one thing above all: digital security in a modern and user-friendly way. Samu shares the latest updates on corporate password guidelines and breaks down why the forced password expiration policy is outdated and risky.

I was having a beer with a friend and started my usual rant about passwords. I told them that “Aurinko1!” is one of the worst passwords imaginable.

They replied: “That’s my mom’s Netflix password!”

I went home and started writing this article.

Let’s face it: we all hate mandatory password changes. For many, the company or school still forces password updates every 90 days, often with strict complexity rules like uppercase letters, numbers and symbols.

The result? A system that leads to weak, easily guessable passwords like “Password2025!”. I will now break down why this approach is outdated and ineffective - and what to do instead.

Why do passwords matter?

Passwords are the most common method of authentication and protection. They usually act as the first and sometimes only line of defence against unauthorised access, making them a prime target for hackers. 

If we’re using weak passwords, we are giving hackers an easier way to exploit them, thus gaining access to critical and sensitive information. In the digital world, that information includes e.g. your bank account, email, social media, and work files. Password cracking is usually cheap, and the financial reward could be exponentially bigger. 

Once a password is compromised, an account can be used "silently" without obvious warning signs, making it easy to exploit the company or resell the account for profit. Unlike a stolen wallet that you'd notice immediately, hackers can use your compromised password for weeks or months without you knowing. During this time, they might empty your accounts, steal your identity, or use your email to reset passwords for other services you use.

What the experts say

The National Institute of Standards and Technology (NIST) is a U.S. federal agency that develops measurement standards and promotes technological innovation to support industry and organisations worldwide. NIST's Cybersecurity Framework provides organisations with practical guidance on managing cybersecurity risks and protecting their digital assets. 

In their latest update, with the final version released on July 31, 2025, NIST no longer recommends regular password changes or complexity rules.

The most recent guidelines

NIST's current position on password policies is based on modern research. Here are the essential points regarding their SP 800-63B update:

  1. Don’t force regular password changes - unless a breach is suspected

  2. Don’t require complexity through symbols - focus on length, not random characters

  3. Don’t disable copy-paste and password visibility toggles - so we make Password Managers easy to use (more on this later)

Why older rules backfire

NIST used to recommend regular password changes. That was 9 years ago! These are the reasons why they stopped:

1. Forced changes encourage weak patterns

People can’t create and remember a unique password every 90 days. Instead, they iterate predictable patterns:

password → password1 → password2

This predictability is a gift to hackers.

2. “Complex” passwords aren’t complex

Security policies often ban passwords like “password”, so people go with Password2025!.

That’s easy for a hacker. Attackers already know the pattern: capitalize the first letter, add a number, then a symbol.

3. Hackers exploit common patterns

Guess what gets cracked fast? Words like:

  • password

  • letmein

  • aurinko (=sun, especially common in Finland for some reason)

If your password contains one of these common words, you should act as if the password has already been hacked. Change it as soon as possible.

Even a “harder to guess” word like CareBear1! becomes trivial to crack once you assume the last two characters.
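To make the contrast between the old and the new rules concrete, here is an added example (my own code, not from the original post or from NIST) of a password check written the way SP 800-63B describes: a length minimum instead of composition rules, a blocklist of common words, and a check that the new password is not just a predictable iteration of the old one. The blocklist and the 15-character minimum are assumptions for the demo; a real deployment would load a breached-password list and pick the minimum that fits its MFA setup.

```python
import re

# Constructed blocklist for the demo; a real one holds breached passwords plus
# organisation-specific terms. A tuple keeps the match order deterministic.
BLOCKLIST = ("password", "letmein", "aurinko", "carebear", "qwerty")
MIN_LENGTH = 15  # assumption: password-only accounts, no second factor

# Common "leetspeak" substitutions that cracking rules undo automatically
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "@": "a", "$": "s", "!": "i"})


def core_word(password: str) -> str:
    """Reduce a password to the base word an attacker's rules would recover:
    lowercase, drop the trailing "2025!" / "1!" suffix, undo leetspeak,
    then drop any punctuation that is left."""
    word = password.lower()
    word = re.sub(r"[^a-z]+$", "", word)     # strip trailing digits/symbols
    word = word.translate(LEET)              # P@ssw0rd -> password
    return re.sub(r"[^a-z]", "", word)       # keep letters only


def check_password(candidate: str, previous: str = "") -> list[str]:
    """Return a list of policy findings; an empty list means accepted."""
    findings = []
    if len(candidate) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    core = core_word(candidate)
    hit = next((w for w in BLOCKLIST if w in core), None)
    if hit:
        findings.append(f"contains blocklisted word '{hit}'")
    if previous and core_word(previous) == core:
        findings.append("trivial variation of the previous password")
    return findings


if __name__ == "__main__":
    # The passwords from the text, plus the rotation pattern password1 -> password2
    for pw, prev in [("Aurinko1!", ""), ("Password2025!", ""), ("CareBear1!", ""),
                     ("password2", "password1"), ("Th1s!sMyP@ssw0rd", ""),
                     ("dog-expert-cooking-geolocation-running-weather", "")]:
        print(f"{pw!r}: {check_password(pw, prev) or 'accepted'}")
```

Note that the passphrase passes on length alone, while every "complex" example is rejected because its core word is on the list, which is exactly the point the three items above make.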

How to create a strong password?

So, what to do instead? Here are my three easy tips.

1. Use passphrases, not passwords

Length matters more than randomness. A long passphrase containing words not directly related to each other (but which may form a story you remember), like:

dog-expert-cooking-geolocation-running-weather

…is far more secure than Th1s!sMyP@ssw0rd. Hackers rely on databases full of known words and patterns, and a long passphrase puts the search far beyond what those lists can cover. Password Managers can generate passphrases for you automatically, so it’s as easy as creating a password. What’s a Password Manager? Read further.

2. Use a password manager company-wide

Create strong and unique passwords for every service without having to remember them all, and store them in a password manager. This ensures that you have a unique password for all of your accounts. It makes our lives easier, and everyday use of passwords is a breeze.

At Nitor, we use Bitwarden. It:

  • Stores all your passwords securely

  • Generates new, strong ones for each account

  • Only requires one long Master Password

3. Enable 2-Factor Authentication (2FA)

Pair your password manager with 2FA (e.g. Microsoft Authenticator).

When logging in from a new device, the app generates a short, one-time code every 30 seconds to verify you. So even if the password is cracked, an attacker cannot get through without access to the authenticator.

The future: no passwords at all

Passkeys are here, and they’re the future. A passkey is a method for authentication that eliminates the need for passwords. Users can log into their accounts using biometrics, such as fingerprint or facial recognition, or a device's screen lock method, like a PIN or pattern. How do they work?

  • A public key is saved by the app. This information can be totally public; knowing the public key alone gives an attacker nothing.

  • A private key is saved in your device or password manager. This is the secret half, the only thing that can prove to the app that you hold the key matching the stored public key.

  • You log in by proving the private key matches, no password needed. It’s seamless, secure, and nearly uncrackable.

Passkeys are safer and simpler. Adoption is growing fast, and support is spreading everywhere. For example, Google, Apple and Microsoft support them already in their solutions. Because your password manager can store passkeys as well, you may use it when it’s viable, use passphrases when it’s not, and still only use one strong master password.

Epilogue

It’s been nine years since the recommended password policies were changed, yet the majority of companies around the world still use outdated guidelines. Ignoring modern best practices gives hackers a direct advantage, making their targets much easier to attack. Hackers take advantage of weak, reused or predictable passwords, and the old guidelines encourage people to make these kinds of passwords.

The simplest approach to enforcing security guidelines often proves to be the most effective. When the process becomes too demanding, users naturally look for shortcuts. This often leads to weaker security practices, such as using easily remembered (and easily guessed) passwords, especially when they are forced to update them frequently. By minimising friction and designing with usability in mind, we reduce the risk of users undermining the very protections we’re trying to enforce.

If we have ways to improve security while also making systems easier and more convenient to use, I can’t think of any reason not to.

Let’s stop pretending forced password changes and random symbols are good security. Let’s start building genuinely strong, user-friendly systems and processes.
