Every 90 days, like clockwork, my bank sends me a notification: "For your security, you must change your password." I groan. I have seven passwords to manage across financial accounts, and each one has increasingly Byzantine requirements. At least 12 characters. One uppercase letter. One lowercase letter. One number. One special character. No repeating characters. Can't contain your username. Can't use any of your last 47 passwords. It's maddening, and according to cybersecurity researchers, it's also largely pointless.
The password-change mandate is one of modern life's great contradictions. Banks insist on it constantly. Your employer demands it quarterly. Every government agency treats mandatory password rotation like gospel truth. Yet the actual evidence supporting this practice has evaporated like morning dew under scrutiny.
The Origins of a Misguided Myth
The mandatory password change policy originated in the 1980s, when the National Institute of Standards and Technology (NIST) recommended forcing users to update their passwords regularly. The logic seemed airtight at the time: if someone had gained unauthorized access to your password, forcing a change would lock them out.
This made perfect sense in 1985. Passwords were often written on Post-it notes stuck to monitors. Security breaches happened slowly. Hackers were scattered individuals rather than organized crime syndicates with industrial-scale tools. The recommendation spread like gospel, becoming embedded in corporate security policies, government mandates, and banking regulations worldwide.
Then everything changed. In 2016, NIST itself—the very organization that birthed this policy—completely reversed course. Their new guidance explicitly stated that mandatory password expiration might actually harm security. They recommended eliminating it entirely, except in cases where a breach had already occurred.
Few people noticed. Fewer still cared.
The Problem with Predictable Panic
Here's what happens when you force people to change passwords every 90 days: they panic and get lazy. I've watched colleagues do this. When facing the dreaded notification, most people don't create some brilliant new passphrase. They make a minor tweak. Summer2024! becomes Summer2024!1. SecurityPa55word becomes SecurityPa55word2. Some add a number to the end. Others capitalize differently.
Security researchers call these patterns "predictable transformations," and they're embarrassingly easy to crack. A hacker who obtains your old password can often guess your new one within three attempts. You've essentially created a weakened version of your original password while feeling virtuous about security.
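The "predictable transformation" problem is something a password-change form can actually check for on the defender's side: before accepting a new password, normalize both the old and the new one (case-fold, strip the trailing digits and symbols people tack on, undo common letter-for-number substitutions) and refuse the change if the two collapse to the same thing. The following is an added example, not code from the article or from any bank's system; the helper names `normalize` and `is_predictable_variant`, the 0.8 similarity threshold, and the substitution table are my own assumptions.

```python
import re
from difflib import SequenceMatcher

# Assumed substitution table: the letter-for-digit swaps people commonly make
# (the article's "SecurityPa55word" is the motivating case).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(password: str) -> str:
    """Collapse the cosmetic edits a rotated password usually gets.

    Order matters: strip the appended/prepended digits and symbols first,
    then undo leet substitutions, so 'Summer2024!1' becomes 'summer' rather
    than having its trailing digits turned into letters.
    """
    p = password.lower()
    p = re.sub(r"[\W\d_]+$", "", p)   # drop trailing digits/punctuation ('...2024!1')
    p = re.sub(r"^[\W\d_]+", "", p)   # drop leading ones too ('2024summer')
    return p.translate(LEET)


def is_predictable_variant(old: str, new: str, threshold: float = 0.8) -> bool:
    """True when `new` is a trivial transformation of `old` and should be rejected.

    Three checks, cheapest first: identical, identical after normalization
    (or one normalized form contained in the other), and finally a plain
    similarity ratio on the case-folded strings for edits the normalizer
    does not model (e.g. changing one character in the middle).
    """
    if old == new:
        return True
    old_n, new_n = normalize(old), normalize(new)
    # Containment only counts when both cores are long enough to be meaningful.
    if len(old_n) >= 4 and len(new_n) >= 4 and (old_n in new_n or new_n in old_n):
        return True
    return SequenceMatcher(None, old.lower(), new.lower()).ratio() >= threshold


def check_password_change(old: str, new: str) -> str:
    """What a change-password handler would return to the user (constructed wording)."""
    if is_predictable_variant(old, new):
        return "rejected: new password is a predictable variant of the old one"
    return "accepted"


if __name__ == "__main__":
    # Constructed sample pairs, including the two rotations the article describes.
    for old, new in [
        ("Summer2024!", "Summer2024!1"),
        ("SecurityPa55word", "SecurityPa55word2"),
        ("Summer2024!", "summer2024!"),
        ("Summer2024!", "correct horse battery staple"),
    ]:
        print(f"{old!r} -> {new!r}: {check_password_change(old, new)}")
```

The similarity check is deliberately a last resort; the normalization step catches the rotations the article describes directly, and a server that only compares raw edit distance would still wave through `Summer2024!` to `Summer2024!1`. Note that this requires the old password in cleartext at change time, which is available exactly then (the user just typed it), so nothing reversible needs to be stored.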
This is supported by actual data. A 2019 study by researchers at Carnegie Mellon University found that mandatory password changes increased login failures by 24% and didn't meaningfully reduce successful unauthorized access. Users became frustrated, wrote passwords down, or used simpler variants that were actually less secure than their original choice.
Worse still, the frustration has psychological consequences. When your bank forces you to change a password you've been using for three years, you become less likely to trust that bank's other security recommendations. You're conditioned to view security theater as security itself.
Why Banks Can't Let It Go
If the science is so clear against mandatory password rotation, why do 73% of financial institutions still require it? Inertia is part of the answer. Regulations written in the 1990s referenced NIST guidelines from the 1980s. When those regulations were digitized, nobody updated them.
But there's another reason: liability protection. Imagine a bank gets breached. Regulators investigate. The first question: "Were you following best practices?" If your policy includes mandatory password changes, you can point to that requirement and say, "Look, we did something." It doesn't matter that the something was scientifically unsound. It matters that you can document it.
This is called "security theater," and it's rampant across industries. It makes organizations feel protected while doing little to actually protect users. Meanwhile, the actual threats—phishing emails, credential stuffing, social engineering—go largely unaddressed because defending against them is harder and requires more investment.
You can see this in how banks spend security resources. They'll implement aggressive password requirements and force changes quarterly. They'll lock you out after five failed login attempts. But many still use SMS for two-factor authentication, which security experts consider outdated and vulnerable to interception.
What Actually Works (And Why Nobody Does It)
Modern security experts recommend a radically different approach. Stop forcing password changes. Instead, focus on actually strong passwords—either long passphrases or randomly generated strings stored in password managers. Implement real two-factor authentication using authentication apps rather than SMS. Monitor for suspicious activity using machine learning.
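"Real two-factor authentication using authentication apps" means time-based one-time passwords: the app and the server share a secret, and both derive a six-digit code from that secret and the current 30-second time slot (RFC 6238 TOTP, built on RFC 4226 HOTP). The exchange below is an added example, not code from the article; it uses the RFC's published test key as a constructed demo secret and adds the two server-side details that matter in practice, a small clock-skew window and rejection of a code that has already been accepted. The function names and the `last_accepted_step` bookkeeping are my own assumptions.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo secret: the RFC 4226 / RFC 6238 reference key, ASCII "12345678901234567890".
# A real enrolment generates a random per-user secret and shows it as a QR code / base32 string.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter taken from Unix time divided by the step (what the app shows)."""
    now = int(time.time()) if at is None else at
    return hotp(secret, now // step, digits)


def verify_totp(secret: bytes, submitted: str, at: Optional[int] = None, step: int = 30,
                window: int = 1, last_accepted_step: int = -1) -> Optional[int]:
    """Server side: return the time step the code matched, or None.

    - Accepts codes from `window` steps either side of now, to tolerate phone clock drift.
    - Refuses any step at or before `last_accepted_step`, so a code that was already
      used (or an older one still inside the window) cannot be replayed.
    - Compares in constant time so response timing does not leak partial matches.
    """
    now = int(time.time()) if at is None else at
    current = now // step
    for drift in range(-window, window + 1):
        candidate_step = current + drift
        if candidate_step <= last_accepted_step:
            continue
        if hmac.compare_digest(hotp(secret, candidate_step), submitted):
            return candidate_step
    return None


def provisioning_key(secret: bytes) -> str:
    """Base32 form of the secret, which is what authenticator apps accept when you type the key in."""
    return base64.b32encode(secret).decode("ascii").rstrip("=")


if __name__ == "__main__":
    t = 59  # RFC 6238 test time; both sides derive step 1 from it
    code = totp(DEMO_SECRET, t)                       # the app's display
    print("enrol with key:", provisioning_key(DEMO_SECRET))
    print("app shows:", code)
    step = verify_totp(DEMO_SECRET, code, t)          # server accepts, remembers step
    print("server matched step:", step)
    print("replay of same code:", verify_totp(DEMO_SECRET, code, t, last_accepted_step=step))
    print("same code 30s later (skew window):", verify_totp(DEMO_SECRET, code, t + 30))
    print("same code 60s later:", verify_totp(DEMO_SECRET, code, t + 60))
```

Compare this with SMS: nothing here travels over the phone network, the secret never leaves the two endpoints after enrolment, and a code is worthless outside its roughly 30-second window, which is why the article's experts prefer app-based codes over text messages.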
These methods work better. They're also more expensive to implement and harder to explain to regulators who are checking boxes on compliance checklists. So banks don't do them. They keep forcing you to change your password because it's cheap, documented, and defensible.
Some forward-thinking organizations have started making changes. Microsoft eliminated mandatory password expiration across Office 365. GitHub did the same. A few innovative banks have followed suit. But the majority? Still stuck in the 1990s, still sending you quarterly notifications that accomplish nothing except frustration.
The Real Cost of Compliance Theater
The broader issue here is that mandatory password changes waste your time and attention—resources that are actually finite. Every 90 days, you spend 10-15 minutes creating a new password, resetting it across devices, and updating your password manager. Multiply that across millions of banking customers, and you're talking about millions of hours spent on an activity that decreases security rather than increasing it.
This cost compounds when you consider that while you're struggling to remember which variation of your password you used this quarter, actual threats are evolving. Phishing attacks have become sophisticated enough to fool security professionals. Credential stuffing attacks—where hackers use breached passwords from other sites—are becoming more common. Your bank is focused on preventing the threat from 1995 while ignoring the threats from 2024.
If you're frustrated with mandatory password changes, you have every right to be. You're frustrated because the system is frustrating—not because you're doing something wrong. You're being asked to participate in security theater while the actual criminals are using much more effective attack methods that your bank isn't adequately defending against.
Until regulations change and liability frameworks shift, banks will keep forcing password changes because it's easier than explaining to a regulator why they didn't. For now, all you can do is make your passwords as strong as you can, use a password manager to handle the complexity, and accept that you're experiencing security ritual rather than actual security.
For more on how organizations implement outdated practices without justification, read about how companies keep burying features you've already paid for—another example of priorities that don't actually serve customers.
