Forced Password Change Requirement

I recently received notice that Clarivate will require passwords to be changed every 180 days starting in the first quarter of next year. I was wondering why this change is being made. This is an antiquated technique that has actually been shown to DECREASE security by encouraging password reuse across different sites. Two-Factor authentication is a much better strategy.

NIST (the National Institute of Standards and Technology of the US) actually updated its standards to advise AGAINST forced password change unless there is evidence of a breach.

See NIST SP-800-63B

I use a password manager (Bitwarden) and use 20+ character-long strings of random characters, so this new policy isn’t too much of a burden, but it is a PIA to have to change the password and then go into the software and change it there as well. All in the name of making a change that has been shown to make things less secure.

1 Like

Yep. I complained to support with that information - but got an AI response that it was for our benefit. I am no longer recommending this product to my colleagues. It is past its prime.

1 Like

Dear Rob,

Thank you for taking the time to share your feedback. We appreciate the thoughtful and well-informed perspective you’ve provided.

We understand your concerns regarding periodic password changes and agree that modern security guidance - including NIST SP 800-63B - emphasizes the importance of strong, unique passwords and multi-factor authentication over frequent forced changes. Your point about the potential for password reuse and the added friction for users of password managers is well taken.

The upcoming 180-day password rotation requirement is being introduced as part of a broader security and compliance initiative designed to align with internal risk assessments and certain regulatory and contractual obligations across the whole Clarivate customer base. While we continue to support strong passwords and encourage the use of password managers, this policy serves as an additional safeguard within our current authentication framework.

That said, we recognize that security best practices continue to evolve. We are actively evaluating enhancements to our authentication strategy, including expanded use of multi-factor authentication, to better balance security effectiveness with user experience. Feedback like yours is valuable in helping inform those discussions, and we have shared your comments with our security and product teams.

Thank you again for raising this and for your continued partnership with Clarivate. Please don’t hesitate to reach out if you have any further questions or suggestions.

Warm regards,

Andrés Ley

Senior Product Specialist - EndNote