All insights
ProtectMicrosoft SecurityExplainer

Stop forcing password resets every 90 days: what Microsoft and NIST now recommend

Forced periodic password changes are now discouraged by both Microsoft and NIST; here's what to turn on instead so retiring them doesn't weaken your security.

Wired CIOFebruary 4, 2026
The short version
  • NIST's SP 800-63B guidelines now say not to require scheduled password changes, and to force a reset only when there's evidence of compromise, with Microsoft Entra ID supporting passwords that don't expire.
  • Forced 90-day rotation backfires by training predictable patterns like Spring2026 to Summer2026 and generating help-desk tickets without making accounts safer.
  • The replacement controls are enforcing MFA for everyone, not just executives, and turning on self-service password reset with users actually enrolled.
  • Roll it out as change management: group users, require one last strong reset, then verify in Entra ID that SSPR is enabled and MFA is enforced with no quiet exceptions before disabling expiration.
Bottom line: Trade the useless 90-day reset for MFA and self-service reset, then turn expiration off.

This past winter, the lone IT manager at a regional aviation-services firm vented about the policy he hated most: forcing every user to reset their password every ninety days. "This is hyper-annoying in so many ways," he said. The good news we gave him is that he can turn it off, and both Microsoft and the federal standards body now agree.

The rule has flipped

For years, periodic password expiration was treated as basic hygiene. That guidance has reversed. NIST, the National Institute of Standards and Technology, says in its digital identity guidelines (SP 800-63B) that you should not require users to change passwords on a schedule, and should force a change only when there's evidence the password has been compromised. Microsoft's identity platform, Entra ID, supports the same approach and lets you set passwords not to expire.

Why forced rotation backfires

The reasoning is simple once you've watched real people deal with it. When you make someone invent a new password every ninety days, they don't get more creative. They do the predictable thing: Spring2026 becomes Summer2026, or they add an exclamation point and call it a day. Forced rotation trains weak, guessable patterns and a lot of help-desk tickets, without actually making accounts safer.

What to do instead

Retiring password expiration isn't about loosening security. It's about replacing a control that doesn't work with ones that do:

  • Enforce multi-factor authentication (MFA) for everyone, not just the executives. This is the single biggest improvement you can make.
  • Turn on self-service password reset and get users actually enrolled, so a forgotten password is a two-minute self-fix, not a ticket.
  • Reset passwords only when there's a real signal of compromise.
A Trade Worth Making

Think of it as a trade: you give up the routine ninety-day reset that annoyed everyone and bought you little, and in exchange you put MFA and self-service reset in place, which genuinely protect the account. That's a good trade.

Rolling it out without surprises

This is change management, not just a toggle. A clean rollout looks like this: group your users, tell them the change is coming (people are happy to hear "no more routine resets"), and require one last reset to a strong password first. Then verify two things in Entra ID before you call it done: that self-service password reset is enabled and users are registered, and that MFA is truly enforced for every account, with no quiet exceptions.

If you're still forcing ninety-day resets and want to retire them the right way, MFA and self-service reset first, then expiration off, it's a straightforward project with a happier user base at the end. Let's talk it through.

Filed under
Explainer
Read more insights
Free strategy session

See where you stand. Then move forward.

Book a free intro call. We'll talk through where you are today and map a strategic plan for growth, protection, automation, and alignment.

A 30-minute discovery call, no obligationA full team of specialists at a fraction of in-house costA clear next step before you spend a dollar
Loading scheduler…