Q&A Should You Change Your Passwords Regularly?


Level 50
Content Creator
Apr 24, 2016
“Change your passwords regularly” is a common piece of password advice, but it isn’t necessarily good advice. You shouldn’t bother changing most passwords regularly — it encourages you to use weaker passwords and wastes your time.

Yes, there are some situations where you’ll want to regularly change your passwords. But those will probably be the exception rather than the rule. Telling typical computer users they need to regularly change their passwords is a mistake.

The Theory of Regular Password Changes

Regular password changes are theoretically a good idea because they ensure someone can’t acquire your password and use it to snoop on you over an extended period of time.

For example, if someone acquired your email password, they could log into your email account regularly and monitor your communications. If someone acquired your online banking password, they could snoop on your transactions or come back in several months and attempt to transfer money to their own accounts. If someone acquired your Facebook password, they could log in as you and monitor your private communications.

Theoretically, changing your passwords regularly — perhaps every few months — will help prevent this from happening. Even if someone did acquire your password, they’d only have a few months to use their access for nefarious purposes.

The Downsides

Password changes shouldn’t be considered in a vacuum. If human beings had infinite time and perfect memory, regular password changes would be a fine idea. In reality, changing passwords imposes a burden on people.

Changing your password regularly makes it harder to remember good passwords. Rather than create a strong password and commit it to memory, you must attempt to remember a new password every few months. Users who are forced to regularly change their password by a computer system may end up appending a number — so they may use password1, password2, and so on.

It’s hard enough to change your password regularly for a single account and remember your new password each time. But we all have many passwords — imagine having to change your password regularly and constantly remember unique, strong passwords for a large number of services.

It’s already basically impossible to choose strong, unique passwords for every website and remember them — that’s why we recommend using a password manager like LastPass or KeePass. If you change your password every few months, you’ll likely end up using weaker passwords and reusing them across multiple websites. It’s much more important to use strong, unique passwords everywhere than to change your password regularly.

Why Changing Passwords Won’t Necessarily Help

Regularly changing your password won’t help as much as you might think. If an attacker gains access to your accounts, they’ll most likely use their access to cause damage right away. If they gain access to your online banking account, they’ll log in and attempt to transfer money out rather than sit and wait. If they gain access to an online shopping account, they’ll log in and attempt to order products with your saved credit card information. If they gain access to your email, they’ll likely use it for spam and phishing, or attempt to reset passwords on other sites with it. If they gain access to your Facebook account, they’ll probably attempt to spam or defraud your friends immediately.

Typical attackers won’t hold onto your passwords for an extended period of time and snoop on you. That’s not profitable — and attackers are just after profit. You’ll notice if someone gains access to your accounts.

Changing your password regularly is also essential if you use the same password everywhere, because it’s likely your password is constantly being leaked when one of the services you use is compromised. Rather than change that single password regularly, you should deal with the real problem here and use unique passwords everywhere.

When You Do Want to Change Passwords

Changing passwords can help if someone who isn’t a traditional attacker has access to your account. For example, let’s say you shared your Netflix login credentials with an ex — you’ll want to change your password so they can’t use your account forever. Or, let’s say someone close to you gained access to your email or Facebook password and used your password to spy on you. When you change your passwords, you’re primarily preventing this sort of account sharing and snooping, not preventing someone on the other side of the world from gaining access.

Regular password changes can also be valuable for some work systems, but they should be used with thought. IT administrators shouldn’t force users to change their passwords constantly unless there’s a good reason — users will just start using weak passwords, writing down passwords, or even switching back and forth between two favorite passwords.

Password changes in response to specific events are a good thing, of course. It’s a good idea to change your passwords on websites that were vulnerable to Heartbleed but have now patched it. Changing your password after a website has its passwords database stolen is also a good idea.

If you are reusing passwords for different websites, changing your password on all those sites is a good idea if one of those sites is compromised. But this is the worst thing you can do — the real solution here is using unique passwords, not constantly changing your shared password to a new one on all the services you use.

Focus on Useful Advice

The problem with advising people to change their password regularly is that it’s such distracting advice. Using strong, unique passwords everywhere is already almost impossible advice to do if you’re not using a password manager to remember them for you. Two-factor authentication is also helpful as it can prevent your accounts from being accessed even if someone steals your passwords. Rather than tell people to regularly change their passwords, we should be passing on useful advice like “use unique passwords everywhere” — something most people don’t presently do.

This isn’t the only piece of advice we disagree with. For most home users, writing down some passwords is actually not a bad idea — it’s definitely better than reusing the same password everywhere.

We’re not the only ones advising against regular, indiscriminate password changes. Security expert Bruce Schneier has written about why changing passwords regularly isn’t good advice, while Microsoft Research has also concluded that changing passwords regularly is a waste of time. Yes, there are some situations where you may want to do this — but passing on advice like “change your passwords every three months” to typical computer users is doing more harm than good.
Read the full article here at How-To Geek:


Level 31
Content Creator
May 13, 2017
I have not changed some important passwords for years, since many services report if someone tries to access them via a bad password. Then again, not all password breaches are reported, so it might be prudent to change them, but never all at once; you might mess up and lose access to everything.

I log in via FB/Google whenever possible and it is funny to see failed attempts because of a bad password, since there is no password at all. :LOL:

On top of that, ~50% of phishing is done by forcing a user to change his password ASAP, and they succeed using a fake webpage, malware or MITM.
So if you receive a security alert demanding that you do it, make sure the computer is clean and you visit the webpages directly, not by clicking on a link.
Do password forms allow [Space] at the beginning of a new password?
Some do, but it can cause issues when implemented incorrectly (like not accepting it afterwards); basically, they avoid it because of issues in the past.


Level 1
Jan 21, 2018
As a general rule I agree here with NIST SP 800-63B section ("Memorized Secret Verifiers"):
  • "Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator."
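A verifier-side sketch of the policy the How-To Geek article and the NIST excerpt above both argue for, as an added example that is not part of any post in this thread: no calendar-driven expiry, a forced change only when the account is flagged as compromised, and rejection of the password1/password2 style variants that forced rotation produces. The breach list, the Account fields and all function names are constructed for the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed stand-in for a breached-password corpus lookup (not real breach data).
BREACHED = {"password", "password1", "123456", "letmein", "qwerty"}


@dataclass
class Account:
    password: str
    changed_at: datetime
    compromised: bool = False  # set by the operator on evidence of a leak or breach


def _normalize(pw: str) -> str:
    """Lowercase and strip a trailing run of digits/punctuation, so
    'Winter2016!' and 'Winter2017!' both reduce to 'winter'."""
    return re.sub(r"[\d\W_]+$", "", pw).lower()


def is_trivial_variant(old: str, new: str) -> bool:
    """True when the new password is the old one with only a counter/suffix change."""
    if old == new:
        return True
    core_old, core_new = _normalize(old), _normalize(new)
    return bool(core_old) and core_old == core_new


def must_change(acct: Account, now: datetime,
                max_age: Optional[timedelta] = None) -> bool:
    """NIST 800-63B stance: a change is required on evidence of compromise.
    The periodic-expiry rule is kept only as an opt-in legacy knob (off by default)."""
    if acct.compromised:
        return True
    if max_age is not None and now - acct.changed_at > max_age:
        return True
    return False


def validate_new_password(old: str, new: str, min_len: int = 8) -> List[str]:
    """Return the reasons to reject a password change; an empty list means accept."""
    problems = []
    if len(new) < min_len:
        problems.append("too short")
    if new.lower() in BREACHED or _normalize(new) in BREACHED:
        problems.append("appears in breach list")
    if is_trivial_variant(old, new):
        problems.append("trivial variant of previous password")
    return problems
```

Checking the stripped core against the breach list is what catches `password2`: the literal string is not in the list, but its core is.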


Level 26
Aug 4, 2016
Every site etc. I sign in with has a strong unique password which I rarely change unless I have reason - I do change email passwords every few months though - I don't use a password manager as such but small text files using WinRar & a strong password - I've used this system for some time and it works well, easy to add to, change or delete, not reliant on any other program but Winrar etc.

ForgottenSeer 85179

Every site etc. I sign in with has a strong unique password which I rarely change unless I have reason - I do change email passwords every few months though - I don't use a password manager as such but small text files using WinRar & a strong password - I've used this system for some time and it works well, easy to add to, change or delete, not reliant on any other program but Winrar etc.
The advantage of a password manager over a normal text file in an (encrypted) archive is the protection against database cracking. WinRAR doesn't do that.

Also, a password manager can be integrated into the system for even more security and comfort, like a KeePass plugin which adds compatibility with Windows Hello.


Level 26
Aug 4, 2016
I've tried most password managers & prefer my system. I do respect your views, but overall I feel a Winrar archive is pretty safe & if someone were to get into my PC & crack it that would be the least of my troubles, assuming an alternative is safer & I'm not convinced it is - I don't know anyone else that uses rarred text files so it's probably a bit of an unknown? The system works really well for me & has for maybe 15 years, I'm not sure :cool::cool::cool: