Return to Answer

The research shows that requiring time-based password changes increases re-use (users will use a password from another site, since they've already got it memorized, or will use a near-duplicate of their previous password), decreases password complexity, and increases the odds of the password getting written down somewhere.

The answers and papers in this related question would be a good starting point for further reading, for example, the introduction and conclusion of this one.

In short, if you want to minimize password re-use, don't require time-based password changes. The best way I've seen to encourage unique passwords is to provide the user with a randomly-generated password at account creation, rather than letting them specify a password.

The research shows that requiring time-based password changes increases re-use (users will use a password from another site, since they've already got it memorized, or will use a near-duplicate of their previous password), decreases password complexity, and increases the odds of the password getting written down somewhere.

The answers and papers in this related question would be a good starting point for further reading, for example, the introduction and conclusion of this one.

In short, if you want to minimize password re-use, don't require time-based password changes. The best way I've seen to encourage unique passwords is to provide the user with a randomly-generated password at account creation, rather than letting them specify a password.

The research shows that requiring time-based password changes increases re-use (users will use a password from another site, since they've already got it memorized, or will use a near-duplicate of their previous password), decreases password complexity, and increases the odds of the password getting written down somewhere.

The answers and papers in this related question would be a good starting point for further reading, for example, the introduction and conclusion of this one.

In short, if you want to minimize password re-use, don't require time-based password changes. The best way I've seen to encourage unique passwords is to provide the user with a randomly-generated password at account creation, rather than letting them specify a password.

The research shows that requiring time-based password changes increases re-use (users will use a password from another site, since they've already got it memorized, or will use a near-duplicate of their previous password), decreases password complexity, and increases the odds of the password getting written down somewhere.

The answers and papers in this related question would be a good starting point for further reading, for example, the introduction and conclusion of this one.

In short, if you want to minimize password re-use, don't require time-based password changes. The best way I've seen to encourage unique passwords is to provide the user with a randomly-generated password at account creation, rather than letting them specify a password.

The research shows that requiring time-based password changes increases re-use (users will use a password from another site, since they've already got it memorized, or will use a near-duplicate of their previous password), decreases password complexity, and increases the odds of the password getting written down somewhere.

In short, if you want to minimize password re-use, don't require time-based password changes. The best way I've seen to encourage unique passwords is to provide the user with a randomly-generated password at account creation, rather than letting them specify a password.

The research shows that requiring time-based password changes increases re-use (users will use a password from another site, since they've already got it memorized, or will use a near-duplicate of their previous password), decreases password complexity, and increases the odds of the password getting written down somewhere.

The answers and papers in this related question would be a good starting point for further reading, for example, the introduction and conclusion of this one.

In short, if you want to minimize password re-use, don't require time-based password changes. The best way I've seen to encourage unique passwords is to provide the user with a randomly-generated password at account creation, rather than letting them specify a password.