The age of a password is critical to its security: it can be seen as the time given to an attacker to succeed in cracking it. What does "security of the password" mean? A password is considered secure if the possibility of it being cracked is minimal. This could be determined by a few factors:
Age of password varies from time to time, based on the:
An attacker who brute-forces a password has only until the next password change to succeed. This means that password longevity should be set so that it gives the attacker limited opportunity to crack a password, but changes should not be so frequent that users forget their own passwords. This is exactly why password longevity is as important as password strength [length, character usage, etc.] and is included in the corporate password change policy for enterprise users.
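To make this trade-off concrete, the following is an added example (not part of the original article) that models exhaustive search against a uniformly random password and relates password age to crack probability. The character-set size, guess rate and acceptable-risk values are assumptions chosen for illustration.

```python
SECONDS_PER_DAY = 86_400


def keyspace(charset_size, length):
    """Number of candidate passwords of exactly `length` characters."""
    return charset_size ** length


def crack_probability(charset_size, length, age_days, guesses_per_second):
    """Chance that exhaustive search finds the password before it expires.

    Assumes a uniformly random password and a constant guess rate.
    """
    guesses = guesses_per_second * age_days * SECONDS_PER_DAY
    return min(1.0, guesses / keyspace(charset_size, length))


def max_age_days(charset_size, length, guesses_per_second, acceptable_risk):
    """Longest password age, in days, that keeps the crack probability
    at or below `acceptable_risk`."""
    seconds = acceptable_risk * keyspace(charset_size, length) / guesses_per_second
    return seconds / SECONDS_PER_DAY


def min_length(charset_size, age_days, guesses_per_second, acceptable_risk):
    """Shortest password length for which a fixed policy age stays
    within `acceptable_risk`."""
    needed = guesses_per_second * age_days * SECONDS_PER_DAY / acceptable_risk
    length = 1
    while keyspace(charset_size, length) < needed:
        length += 1
    return length


if __name__ == "__main__":
    # Constructed policy values, for illustration only.
    CHARSET = 62          # a-z, A-Z, 0-9
    RATE = 1e6            # assumed attacker guesses per second
    RISK = 0.01           # assumed acceptable crack probability
    for age in (30, 60, 90):
        p = crack_probability(CHARSET, 8, age, RATE)
        print(f"8 chars, {age:>2}-day age: crack probability {p:.4f}")
    print(f"max age for 8 chars at {RISK:.0%} risk: "
          f"{max_age_days(CHARSET, 8, RATE, RISK):.1f} days")
    print(f"min length for a 90-day age at {RISK:.0%} risk: "
          f"{min_length(CHARSET, 90, RATE, RISK)}")
```

Under these assumed numbers, an 8-character password would have to be changed roughly every 25 days to stay within the risk target, while a 9-character password can keep a 90-day age.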
Password longevity can vary from 30 days to 3 months, and differs from one organization to another. It could be based on the nature of the organization, the server that maintains the accounts, the nature of perimeter security, and various other factors. One might wonder whether their enterprise considered all the factors (as listed above) before writing the password policy [fixing their password longevity], and this is exactly why we wanted to have a section for password longevity and corporate password policy in general in Password Analytics.
Many factors could be used to calculate password longevity, as described above. Some of them include [but are not limited to]:
The age of a password is neither simple guesswork nor a myth. There are articles that discuss entropy and advanced computations of password age, which is a subject of long-term research. Corporate policy and enterprise password authentication system implementations should take all these factors into consideration before fixing a password longevity.