The new requirements for using the service online, including synchronizing references, are that we will need to change our passwords every 180 days. I recommend against this. I work on government and military contracts, where the lowest level of requirement is listed in NIST standard 800-171. Between 2009 and 2015, they determined that the most common reason someone’s password was compromised was that they changed it. As a result, since 2015, this standard no longer suggests changing passwords frequently. When we recently set up a secure server so that we could store information that the government defines as “controlled, unclassified information” (one step below classified), the directions on passwords included that they should be changed only when necessary – such as when the password database was compromised. NIST’s most recent guidance on this, SP 800-63, confirms this idea, but also does point out that password database breaches are relatively common; it suggests various methods of avoiding this problem.
As I implied, if not stated, I recommend that the requirement for changing passwords every 180 days be removed, with more effort being put into securing the password database instead.
OMG! Please, Clarivate, don’t do this. Whatever issue you’re trying to mitigate by this move, please try to do it properly and not in a way that makes using this product even more cumbersome. Or at least, try another workaround. Password security issues provenly aren’t resolved by requiring a new one periodically.
This new policy change does not align with NIST guidance at all. As noted, it may make things less secure. I contacted support to provide feedback but the response was really a non-response. It didn’t address my concerns at all.
Totally agree that there is no need to “protect” my database with a new password regularly. I also complained to support just to make me feel better. So glad I am nearing retirement!
This is exactly what someone suggested might happen…..
I have the feeling that they are just marking time and “adding features” for the marketing to get the big licence holders (universities etc.) to automatically update. When they stop and the cash cow dries up, that will be the end of EndNote, which is a pity.
In another thread, the discussion is that they have added “tags” but you can’t do much with them compared to other systems. It just seems to be a “tick the box” for “we have tags”, sort of confirming my thought above. Other commentators say there have been no meaningful improvements for many years. Cite While You Write still doesn’t work in 64-bit MS Word?
I stopped on Endnote 21 (having started on Endnote 8, though I tended to update every other version) and my next move will be to something else.
I’ve just signed up to the forum to complain about the password change rule every 180 days.
I think it’s downright awful; everyone who knows about this is against it. 2FA or hardware keys with better password hashing on the server (EndNote) side would be far better than this.
Tedious beyond belief.
I am also looking at alternative solutions, I am increasingly tired of ignoramuses dealing with password issues and getting it so fundamentally wrong!
I changed my password and now many of my PDFs do not open. I kept getting a message that someone else had opened a copy of my library, which I do not think can happen, and the message further told me to use the library recovery in Tools; I opened Tools but there is nothing about library recovery. The PDFs will still open on the Web version of my library. As I need this library for my research I am anxious to get it back into working order.
I have put in a complaint and explained that, in my professional opinion, it is counterproductive.
With PW changes every 180 days, people will write them on a post-it on their desk or in an on-screen note. Many people will just cycle the minimum number of passwords they can get away with or just do an incremental PW: Cat!1, Cat!2, Cat!3 etc.
Where things are shared, there will be emails or written notes on paper passing the PW around every 180 days.
Most systems do not require a 180-day PW change because for most systems and users it makes the system less safe. Where it is done it is on critical systems where you have professional staff and solid procedures that everyone takes seriously, usually in secure buildings.
This is the response I got, which is a template answer and complete BS: “to ensure compliance with modern cybersecurity standards and to enhance account protection.” is not correct. When you do what Clarivate are doing it actually decreases security. Perhaps they are trying to drive people off the on-line system?
Dear Chris,
Thank you for contacting Clarivate EndNote Support.
I understand your concerns regarding the new password expiration policy. I can share some details about this change.
As part of Clarivate’s ongoing commitment to protecting user accounts and aligning with industry best practices, a new password expiration policy will take effect on February 12, 2026. Under this policy, users will be required to update their passwords every 180 days (or 6 months).
Our Information Security teams have implemented this change across all Clarivate platforms to ensure compliance with modern cybersecurity standards and to enhance account protection.
However, your feedback is very valuable to us. I encourage you to share your thoughts directly with our development team here: https://community.endnote.com/
They actively review user feedback and suggestions for future improvements.
Thank you for taking the time to share your perspective and for being a long-time EndNote user.
Have a great day ahead.
For a quick reference to common solutions, please visit our new EndNote FAQ.
Kindly note that our number has changed. Our new number can be found here (Please press Option 2 for EndNote)
Regards, Dharvin Chandran
Customer Care Advisor - EndNote
And I thought mine was individual to me. This is a disappointment, as I gave a fairly detailed email explaining why, in my professional opinion, I think it is a bad idea to have a blanket command to force a new password every 180 days.
Interestingly, although I am the originator of this thread, I can no longer log in to it.
My main comment on this (and I got the same boilerplate answer) was:
This is very much not compliant with modern cybersecurity standards, nor does it increase security. NIST SP 800-171: in 2009, NIST removed the suggestion of changing passwords frequently, and wrote it into the 2015 standard. SP 800-171 is the U.S. standard for cybersecurity and is titled “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.” Its current revision (I believe) is from 2023, and says that individuals should only be asked to change their passwords when there is a belief that their password was compromised.
If Clarivate believes we need to change our passwords every 180 days, that seems to suggest that they expect their system to be so lacking in security that the average user’s account will be compromised at least twice per year. I have requested clarification from them on this (it has been a few months without an answer), because if that is the case I may have to give up the web backup and EndNote Web, since I do use this information, at times, for controlled information.
I worked with two cybersecurity organisations (until I retired a couple of years ago) and it is now understood that on non-critical systems, and especially those used by larger numbers of people that are not using classified information (i.e. the public), it is very counterproductive to frequently change passwords. This is why passwords are not changed every 6 months for on-line banking, social media, library access, on-line shopping accounts etc. In fact, for most things, for the reasons @russtms1 gives above.
If it was the apocryphal “missile launch codes” then yes, change them monthly, but the only people involved are a very small number of highly trained and disciplined people under military control. Not a large number of the public.
So despite the template email Clarivate are not doing this for security reasons. That is clear.
It may be that Clarivate want to dissuade people from using the on-line system because it uses Clarivate’s resources. If they can get people to stop using the on-line service by making it more difficult to use “for their own safety” they save money on space and servers. The more they can ease people off the on-line system, the easier it will be to eventually close the service with fewer people complaining.
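Editor's note: the posts above argue for the SP 800-63B approach (memory-hard hashing, screening new passwords against breach corpora, rejecting the Cat!1 → Cat!2 pattern, and forcing a change only on a compromise signal) over calendar expiry. The following is an added illustration of that approach in Python; it is not EndNote's or Clarivate's code, and every name in it (Credential, screen_new_password, must_rotate, flag_if_in_dump) and the small breach corpus are hypothetical, constructed for the example.

```python
"""Added example: compromise-triggered password rotation in the style of
NIST SP 800-63B, as an alternative to a 180-day calendar policy.
Hypothetical code for illustration; not EndNote's or Clarivate's."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field
from typing import Iterable, Optional

# Constructed sample breach corpus (stand-in for a real leaked-password
# feed). Kept as SHA-1 digests so no plaintext list sits in the source; a
# production system would use a k-anonymity lookup or a large local list.
LEAKED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("password", "123456", "Winter2024!", "letmein123")
}

# scrypt work factors for interactive logins: 128 * r * N = 16 MiB per hash.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32
MIN_LENGTH = 8  # SP 800-63B minimum length for user-chosen memorized secrets


@dataclass
class Credential:
    salt: bytes
    digest: bytes
    changed_at: float = field(default_factory=time.time)
    compromised: bool = False  # set by a breach signal, never by a timer


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode(), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)


def hash_password(password: str) -> Credential:
    """Store a per-user random salt and a memory-hard digest, not the password."""
    salt = os.urandom(16)
    return Credential(salt=salt, digest=_derive(password, salt))


def verify(cred: Credential, password: str) -> bool:
    """Constant-time comparison so timing does not leak how many bytes matched."""
    return hmac.compare_digest(_derive(password, cred.salt), cred.digest)


def is_breached(password: str) -> bool:
    return hashlib.sha1(password.encode()).hexdigest() in LEAKED_SHA1


def is_trivial_increment(old: str, new: str) -> bool:
    """Catch the Cat!1 -> Cat!2 pattern that forced rotation encourages:
    identical once trailing digits are removed."""
    return old.rstrip("0123456789") == new.rstrip("0123456789")


def screen_new_password(current: Optional[str], new: str) -> Optional[str]:
    """Return a rejection reason, or None if the new password is acceptable.

    `current` is the plaintext the user just typed to authorize the change
    (it is never stored); it lets us reject reuse and trivial increments.
    """
    if len(new) < MIN_LENGTH:
        return "too short"
    if current is not None:
        if new == current:
            return "same as current password"
        if is_trivial_increment(current, new):
            return "trivial increment of current password"
    if is_breached(new):
        return "appears in breach corpus"
    return None


def flag_if_in_dump(cred: Credential, dump: Iterable[str]) -> bool:
    """Breach response: test leaked plaintexts against the stored hash and
    mark the account compromised on a match. This event, not the calendar,
    is what should trigger a forced password change."""
    if any(verify(cred, leaked) for leaked in dump):
        cred.compromised = True
    return cred.compromised


def must_rotate(cred: Credential, now: Optional[float] = None,
                max_age_days: Optional[int] = None) -> bool:
    """Compromise-triggered rotation. Passing max_age_days models the
    180-day calendar policy under discussion, purely for contrast."""
    if cred.compromised:
        return True
    if max_age_days is not None:
        now = time.time() if now is None else now
        return now - cred.changed_at > max_age_days * 86400
    return False


if __name__ == "__main__":
    cred = hash_password("correct horse battery staple")
    print(verify(cred, "correct horse battery staple"))
    print(screen_new_password("Mittens!1", "Mittens!2"))
    print(must_rotate(cred, max_age_days=180))
    print(flag_if_in_dump(cred, ["password", "correct horse battery staple"]))
    print(must_rotate(cred))
```

The point of the contrast in must_rotate is that the compromise flag is the only input the NIST-style policy needs; the max_age_days branch exists solely to show where a calendar rule would bolt on. Screening at change time also needs the current plaintext, which the user supplies to authorize the change, so the server can reject reuse and increments without ever storing anything but the salted scrypt digest.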
Thank you all for taking the time to share your feedback. We appreciate the thoughtful and well-informed perspective you’ve provided.
We understand your concerns regarding periodic password changes and agree that modern security guidance - including NIST SP 800-63B - emphasizes the importance of strong, unique passwords and multi-factor authentication over frequent forced changes. Your point about the potential for password reuse and the added friction for users of password managers is well taken.
The upcoming 180-day password rotation requirement is being introduced as part of a broader security and compliance initiative designed to align with internal risk assessments and certain regulatory and contractual obligations across the whole Clarivate customer base. While we continue to support strong passwords and encourage the use of password managers, this policy serves as an additional safeguard within our current authentication framework.
That said, we recognize that security best practices continue to evolve. We are actively evaluating enhancements to our authentication strategy, including expanded use of multi-factor authentication, to better balance security effectiveness with user experience. Feedback like yours is valuable in helping inform those discussions, and we have shared your comments with our security and product teams.
Thank you again for raising this and for your continued partnership with Clarivate. Please don’t hesitate to reach out if you have any further questions or suggestions.