Nathaniel Ward

Why forcing password resets worsens security

Britain’s CESG explains why they no longer recommend forcing users to reset their passwords:

The majority of password policies force us to use passwords that we find hard to remember. Our passwords have to be as long as possible and as ‘random’ as possible. And while we can manage this for a handful of passwords, we can’t do this for the dozens of passwords we now use in our online lives.

To make matters worse, most password policies insist that we have to keep changing them. And when forced to change one, the chances are that the new password will be similar to the old one.

Attackers can exploit this weakness.

The new password may have been used elsewhere, and attackers can exploit this too. The new password is also more likely to be written down, which represents another vulnerability. New passwords are also more likely to be forgotten, and this carries the productivity costs of users being locked out of their accounts, and service desks having to reset passwords.

Another solution is to use a password manager like 1Password that generates random, unique passwords for each site you use—and then secures them all behind a password only you know. You won’t have to worry about reusing passwords or remembering all of them, and dealing with periodic password resets is a cinch.
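The CESG observation that a forced replacement is usually the old password with a small edit can be turned into a defensive check: if a system does still rotate passwords, it can at least refuse replacements that are trivial variants of the previous one. The following is an added illustration, not CESG's or 1Password's code; the heuristics, thresholds and sample password pairs are all constructed for this example.

```python
"""Flag new passwords that are trivial variants of the old one.

Hypothetical defender-side check illustrating the CESG point above:
forced rotation tends to produce 'old password plus a small edit'.
"""
import re
from difflib import SequenceMatcher

# Constructed example pairs: (old password, proposed new password)
EXAMPLE_PAIRS = [
    ("Summer2023!", "Summer2024!"),     # counter bumped
    ("Summer2023!", "summer2023!!"),    # case change plus appended char
    ("Summer2023!", "!Summer2023"),     # punctuation moved to the front
    ("Summer2023!", "3vQ#x9pL!mTz"),    # genuinely new (manager-generated)
]


def _stem(pw: str) -> str:
    """Lower-case and drop the trailing digit/punctuation run, so that
    'Summer2024!' and 'Summer2023!' both reduce to 'summer'."""
    return re.sub(r"[\d\W_]+$", "", pw.lower())


def is_trivial_variant(old: str, new: str, threshold: float = 0.8) -> bool:
    """Return True if `new` looks derived from `old` by a small edit.

    Heuristics (all case-insensitive):
    1. identical after lower-casing
    2. same stem once a trailing counter/punctuation run is removed
    3. one password contains the other (a char or two appended/prepended)
    4. difflib similarity ratio at or above `threshold`
    """
    o, n = old.lower(), new.lower()
    if o == n:
        return True
    if _stem(o) and _stem(o) == _stem(n):
        return True
    if o in n or n in o:
        return True
    return SequenceMatcher(None, o, n).ratio() >= threshold


def check_pairs(pairs=EXAMPLE_PAIRS):
    """Evaluate each (old, new) pair; True means 'reject as a variant'."""
    return [(old, new, is_trivial_variant(old, new)) for old, new in pairs]


if __name__ == "__main__":
    for old, new, trivial in check_pairs():
        print(f"{old!r} -> {new!r}: {'rejected' if trivial else 'ok'}")
```

The similarity threshold is a tuning choice; too low rejects legitimate changes, too high lets counter-style bumps through, which is one more reason to prefer manager-generated random passwords over rotation.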