Password Expiration Dates

Q: Do you have support for password expiration dates?


A: We’ve found that, except for the case of a new account, forcing password expiration usually results in weaker, more guessable passwords because people simplify their passwords when they have to change them regularly.

Because of this, we’ve been hesitant to offer such a feature. We recommend increasing password complexity requirements instead.

That said, if password expiration is something you must have, it would be possible to integrate it into your Login Handler without too much trouble. Just set a custom attribute with the date of the last change. If that attribute is missing, set it to the user’s creation date. You can also set up a webhook (or just scan the user’s event history) for a password reset event, so you can update the custom attribute then too.
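The steps above, sketched as an added example (not code from this service or its SDK). The user and event dictionaries, the `password_changed_at` attribute name, the `password_reset` event type, and the 90-day limit are all assumptions for illustration; the webhook payload is assumed to have been authenticated before `on_event` is called.

```python
from datetime import datetime, timedelta, timezone

MAX_PASSWORD_AGE = timedelta(days=90)   # assumed policy value, not from the page
ATTR = "password_changed_at"            # hypothetical custom attribute name


def _parse(ts):
    """Parse an ISO 8601 timestamp and normalise it to UTC."""
    dt = datetime.fromisoformat(ts)
    if dt.tzinfo is None:
        return dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def last_password_change(user):
    """Return the last change time, seeding it from the creation date if missing."""
    custom = user.setdefault("custom", {})
    if not custom.get(ATTR):
        custom[ATTR] = user["created_at"]
    return _parse(custom[ATTR])


def password_expired(user, now=None):
    """Login handler check: run after the user has authenticated successfully."""
    now = now or datetime.now(timezone.utc)
    return now - last_password_change(user) > MAX_PASSWORD_AGE


def on_event(event, users):
    """Webhook receiver: record the change time when a password reset occurs."""
    if event.get("type") != "password_reset":   # hypothetical event type
        return False
    user = users.get(event.get("user_id"))
    if user is None:
        return False
    user.setdefault("custom", {})[ATTR] = event["occurred_at"]
    return True


# Constructed sample data: one user with no custom attribute set yet.
USERS = {"u1": {"created_at": "2024-01-01T00:00:00+00:00", "custom": {}}}
```

When `password_expired` returns true, the login handler would send the user to a password change step instead of completing the login.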
