As an IT manager, you discover that the company forces users to change their passwords every 90 days. According to current NIST guidance, which single update would best strengthen security while reducing user frustration?
Allow users to keep the same password indefinitely with no other changes.
Reduce the expiration interval to every 45 days.
Eliminate the 90-day expiration and require MFA plus a minimum 15-character password length.
Keep the 90-day expiration but require at least one special character and number in every password.
Replacing periodic password expiration with multi-factor authentication (MFA) and a minimum password length of 15 characters follows NIST SP 800-63B. The framework states that organizations should NOT impose routine password changes and should encourage MFA for stronger assurance. Shortening the interval maintains the same problem, adding complexity rules contradicts NIST, and removing expiration without adding compensating controls leaves a single-factor system vulnerable.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is multi-factor authentication (MFA)?
Open an interactive chat with Bash
Why is increasing password complexity better than frequent password changes?
Open an interactive chat with Bash
What are the disadvantages of removing the password expiration policy entirely?