Security BSides Las Vegas 2025

Password Expiry is Dead: Real-World Metrics on What Rotation Actually Achieves
2025-08-05, Tuscany

For decades, organizations have enforced password rotation policies under the assumption that regular resets increase security. But do they really?

In this talk, we challenge the value of traditional password expiry policies using real-world data, cracked password timelines, and behavior analysis. By analyzing enterprise credential datasets before and after forced rotations, we reveal that most users simply mutate old passwords — creating predictable, pattern-based credentials that are easier to crack, not harder.

We’ll discuss how password expiration policies:
Decrease entropy over time
Encourage poor user behaviors
Fail to meaningfully reduce compromise risk

Instead, we'll introduce alternatives such as time-to-crack scoring, event-driven rotations, and credential risk thresholds that align better with actual attacker models. If your org is still enforcing 90-day resets, this session will give you the ammunition — and the data — to rethink that approach entirely.
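As an added illustration of the two claims above (rotated passwords usually keep the old password's core, and resets should be triggered by events and crack-time risk rather than a calendar), here is a small Python check. It is example code written for this page, not the speakers' tooling or dataset: the wordlist, the leetspeak map, the 1e10 guesses/s rate, the 90-day crack-time budget and the before/after password pairs are all constructed or assumed.

```python
"""Mutation-aware credential checks and an event-driven reset decision.

Added example, not the speakers' tooling. The wordlist, leet map, guess rate,
crack-time budget and sample passwords below are constructed/assumed.
"""
import re
from dataclasses import dataclass

# Illustrative subset of leetspeak substitutions, undone during normalisation.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})

# Constructed mini-wordlist with ranks; a real attacker uses a multi-million-entry list.
WORDLIST = {"password": 1, "welcome": 2, "summer": 3, "winter": 4, "company": 5}

GUESSES_PER_SECOND = 1e10  # assumed: one GPU rig against a fast unsalted hash (NTLM-class)


def core(password: str) -> str:
    """Strip the layers users typically mutate (case, affixed digits/symbols, leet)
    to recover the base word: 'Summer2025!' -> 'summer', 'P@ssw0rd1' -> 'password'."""
    p = password.lower()
    p = re.sub(r"^[^a-z]+|[^a-z]+$", "", p)  # drop leading/trailing digits and symbols
    return p.translate(LEET)


def is_mutation(old: str, new: str) -> bool:
    """True when `new` is a trivial rewrite of `old`: same core, or one core contains the other."""
    a, b = core(old), core(new)
    if not a or not b:
        return False
    return a == b or (min(len(a), len(b)) >= 4 and (a in b or b in a))


def estimated_guesses(password: str) -> float:
    """Pattern-aware guess count. A wordlist core plus affixes is priced as a
    rule/mask attack; anything else falls back to brute force over its character classes."""
    rank = WORDLIST.get(core(password))
    if rank is None:
        classes = ((str.islower, 26), (str.isupper, 26), (str.isdigit, 10),
                   (lambda ch: not ch.isalnum(), 33))
        charset = sum(size for test, size in classes if any(test(ch) for ch in password))
        return charset ** len(password) / 2  # expected work: half the keyspace
    head, body, tail = re.match(r"^([^A-Za-z]*)(.*?)([^A-Za-z]*)$", password).groups()
    affix_work = 1.0
    for ch in head + tail:
        affix_work *= 10 if ch.isdigit() else 33  # mask attack: ?d or ?s per position
    leet_work = 2 ** sum(1 for ch in body if not ch.isalpha())  # each substitution: on/off
    case_work = 2  # plain or capitalised
    return rank * affix_work * leet_work * case_work


def time_to_crack_seconds(password: str) -> float:
    return estimated_guesses(password) / GUESSES_PER_SECOND


@dataclass
class Credential:
    password: str
    previous: str = ""            # last password, if the user is changing it now
    seen_in_breach: bool = False  # hash matched a leaked corpus
    anomalous_auth: bool = False  # spray hit, impossible travel, etc. on this account


def assess(cred: Credential, crack_budget_seconds: float = 90 * 24 * 3600) -> list:
    """Event- and risk-driven decision: the reasons a reset is warranted, [] if none.
    The 90-day figure is reused only as an assumed crack-time budget, not a calendar timer."""
    reasons = []
    if cred.seen_in_breach:
        reasons.append("seen-in-breach")
    if cred.anomalous_auth:
        reasons.append("anomalous-auth")
    if time_to_crack_seconds(cred.password) < crack_budget_seconds:
        reasons.append("crackable-within-budget")
    if cred.previous and is_mutation(cred.previous, cred.password):
        reasons.append("mutation-of-previous")
    return reasons


if __name__ == "__main__":
    # Constructed before/after pairs standing in for a rotation dataset.
    pairs = [("Summer2024!", "Summer2025!"), ("Welcome1", "Welcome2"),
             ("password", "P@ssw0rd1"), ("Summer2025!", "Winter2025!"),
             ("Summer2025!", "xq7!Lm2#vT9")]
    for old, new in pairs:
        print(f"{old:>12} -> {new:<12} mutation={is_mutation(old, new)!s:<5} "
              f"ttc={time_to_crack_seconds(new):.3g}s  reasons={assess(Credential(new, previous=old))}")
```

Running the script prints one row per pair. Note that `Summer2025!` to `Winter2025!` is not flagged as a mutation (different core) but is flagged as crackable within the budget, which is why a change-time mutation check and a time-to-crack threshold are both needed. This is also the shape NIST SP 800-63B recommends: no arbitrary periodic changes, but a forced change on evidence of compromise.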


Our talk debunks the myth that routine password expiration improves security. Many audit findings and recommendations still push password expiration as a way to prevent attacks. Using historical and real cracked-password data, we show how forced rotations lead to predictable patterns and weaker passwords, not stronger ones, and propose smarter, risk-based alternatives to legacy policies.

Dimitri Fousekis (Rurapenthe) has been in the security industry for over 20 years and is the CTO of Bitcrack Cyber Security. After many years of password research and password-related talks, Dimitri has a passion for deception-based cyber security, as well as OSINT and cybersecurity intelligence. He has spoken at many conferences including BSidesLV, BSidesZA, PasswordsCon Cambridge & Vegas, BSides Athens and others.