“Regular password changes actually decrease security, for a few reasons: 1) your poor users are going to start using sucky passwords because they’re easy to remember and to increment, and 2) doing something security-related on a regular, predictable schedule (quarterly? monthly?) is a gift to hackers.
This regular password change-out distracts the IT department for a predictable chunk of time on a predictable schedule. Predictability is a gift you don’t really want to hand to attackers.
At any rate, being influenced by the myth that regular password change equates to good security, Morris thought it would be neat to set password expiration based on the strength of a password. He couldn’t find a way to measure password strength, though.
Hence, he started building a collection of tools to do just that.
Those open-source tools are out now. Morris handed them over to the Open Web Application Security Project (OWASP) in January.”