Many enterprise security policies enforce “password aging”, i.e., require that users change their passwords each fixed intervals such as 90 days. The apparent justification is that this improves security. However, the implied security benefit has been little explored, and quantified less. We provide a detailed analysis pursuing the question “What security advantage is delivered by password expiration policies?”. We find that the benefits are far less than expected.