How often should we change passwords?

russtms1 · November 7, 2025, 7:39pm

The new requirements for using the service online, including synchronizing references, is that we will need to change our passwords every 180 days. I recommend against this. I work on government and military contracts, where the lowest level of requirement is listed in NIST standard 800-171. Between 2009 and 2015, they determined that the most common reason someone’s password was compromised was that they changed it. As a result, since 2015, this standard no longer suggests changing passwords frequently. When we recently set up a secure server so that we could store information that the government defines as “controlled, unclassified information” (one step below classified), the directions on passwords included that they should be changed only when necessary – such as when the password database was compromised. NIST’s most recent guidance on this, SP 800-63, confirms this idea, but also does point out that password database breaches are relatively common; it suggests various methods of avoiding this problem.

As I implied, if not stated, I recommend that the requirement for changing passwords every 180 days be removed, with more effort being put into securing the password database instead.

gduffner · November 10, 2025, 1:56pm

OMG! Please, Clarivate, don’t do this. Whatever issue you’re trying to mitigate by this move, please try to do it properly and not in a way that makes using this product even more cumbersome. Or at least, try another workaround. Password security issues provenly aren’t resolved by requiring a new one periodically.

gduffner · November 10, 2025, 2:02pm

(Naughty people, however, would argue that this is another measure to move people away from EndNote).

eimeria13 · November 12, 2025, 4:34pm

This new policy change does not align with NIST guidance at all. As noted, it may make things less secure. I contacted support to provide feedback but the response was really a non-response. It didn’t address my concerns at all.

leanne · November 12, 2025, 5:21pm

Totally agree that there is no need to “protect” my database with a new password regularly. I also complained to support just to make me feel better. So glad I am nearing retirement!

RobTJU · December 5, 2025, 9:09pm

IF they make this change I will be making a change… of reference managers.

Topic		Replies	Views
Saving Usernames/Passwords for online databases EndNote How To	0	236	September 30, 2009
Password Protection of an EndNote Library EndNote How To	2	1158	January 30, 2009
Information in KB for password reset insufficient EndNote Product Suggestions	0	308	January 7, 2019
How to update changed password EndNote How To	6	3068	January 13, 2016
Patched version keeps asking for Endnote Web account on startup EndNote Product Suggestions	4	3154	November 26, 2008

How often should we change passwords?

Related topics