Advice Request Should You Change Your Passwords Regularly?


Gandalf_The_Grey

Level 76
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,506
“Change your passwords regularly” is a common piece of password advice, but it isn’t necessarily good advice. You shouldn’t bother changing most passwords regularly — it encourages you to use weaker passwords and wastes your time.

Yes, there are some situations where you’ll want to regularly change your passwords. But those will probably be the exception rather than the rule. Telling typical computer users they need to regularly change their passwords is a mistake.

The Theory of Regular Password Changes

Regular password changes are theoretically a good idea because they ensure someone can’t acquire your password and use it to snoop on you over an extended period of time.

For example, if someone acquired your email password, they could log into your email account regularly and monitor your communications. If someone acquired your online banking password, they could snoop on your transactions or come back in several months and attempt to transfer money to their own accounts. If someone acquired your Facebook password, they could log in as you and monitor your private communications.

Theoretically, changing your passwords regularly — perhaps every few months — will help prevent this from happening. Even if someone did acquire your password, they’d only have a few months to use their access for nefarious purposes.

The Downsides

Password changes shouldn’t be considered in a vacuum. If human beings had infinite time and perfect memory, regular password changes would be a fine idea. In reality, changing passwords imposes a burden on people.

Changing your password regularly makes it harder to remember good passwords. Rather than create a strong password and commit it to memory, you must attempt to remember a new password every few months. Users who are forced to regularly change their password by a computer system may end up appending a number — so they may use password1, password2, and so on.

It’s hard enough to change your password regularly for a single account and remember your new password each time. But we all have many passwords — imagine having to change your password regularly and constantly remember unique, strong passwords for a large number of services.

It’s already basically impossible to choose strong, unique passwords for every website and remember them — that’s why we recommend using a password manager like LastPass or KeePass. If you change your password every few months, you’ll likely end up using weaker passwords and reusing them across multiple websites. It’s much more important to use strong, unique passwords everywhere than to change your password regularly.

Why Changing Passwords Won’t Necessarily Help

Regularly changing your password won’t help as much as you might think. If an attacker gains access to your accounts, they’ll most likely use their access to cause damage right away. If they gain access to your online banking account, they’ll log in and attempt to transfer money out rather than sit and wait. If they gain access to an online shopping account, they’ll log in and attempt to order products with your saved credit card information. If they gain access to your email, they’ll likely use it for spam and phishing, or attempt to reset passwords on other sites with it. If they gain access to your Facebook account, they’ll probably attempt to spam or defraud your friends immediately.

Typical attackers won’t hold onto your passwords for an extended period of time and snoop on you. That’s not profitable — and attackers are just after profit. You’ll notice if someone gains access to your accounts.

Changing your password regularly is also essential if you use the same password everywhere, because it’s likely your password is constantly being leaked when one of the services you use is compromised. Rather than change that single password regularly, you should deal with the real problem here and use unique passwords everywhere.

When You Do Want to Change Passwords

Changing passwords can help if someone who isn’t a traditional attacker has access to your account. For example, let’s say you shared your Netflix login credentials with an ex — you’ll want to change your password so they can’t use your account forever. Or, let’s say someone close to you gained access to your email or Facebook password and used your password to spy on you. When you change your passwords, you’re primarily preventing this sort of account sharing and snooping, not preventing someone on the other side of the world from gaining access.

Regular password changes can also be valuable for some work systems, but they should be used with thought. IT administrators shouldn’t force users to change their passwords constantly unless there’s a good reason — users will just start using weak passwords, writing down passwords, or even switching back and forth between two favorite passwords.

Password changes in response to specific events are a good thing, of course. It’s a good idea to change your passwords on websites that were vulnerable to Heartbleed but have now patched it. Changing your password after a website has its passwords database stolen is also a good idea.

If you are reusing passwords for different websites, changing your password on all those sites is a good idea if one of those sites is compromised. But this is the worst thing you can do — the real solution here is using unique passwords, not constantly changing your shared password to a new one on all the services you use.

Focus on Useful Advice

The problem with advising people to change their password regularly is that it’s such distracting advice. Using strong, unique passwords everywhere is already almost impossible advice to do if you’re not using a password manager to remember them for you. Two-factor authentication is also helpful as it can prevent your accounts from being accessed even if someone steals your passwords. Rather than tell people to regularly change their passwords, we should be passing on useful advice like “use unique passwords everywhere” — something most people don’t presently do.

This isn’t the only piece of advice we disagree with. For most home users, writing down some passwords is actually not a bad idea — it’s definitely better than reusing the same password everywhere.

We’re not the only ones advising against regular, indiscriminate password changes. Security expert Bruce Schneier has written about why changing passwords regularly isn’t good advice, while Microsoft Research has also concluded that changing passwords regularly is a waste of time. Yes, there are some situations where you may want to do this — but passing on advice like “change your passwords every three months” to typical computer users is doing more harm than good.
Read the full article here at How-To Geek:
 

ForgottenSeer 85179

I change my passwords mostly yearly with KeePass as this will reduce the possibility of an (unknown) leak.
Nothing more as I use 2FA anyway.

Some sites also improve their password policy so better passwords can be used.
 

SpiderWeb

Level 10
Verified
Well-known
Aug 21, 2020
468
Last year I updated every single password I ever had and upgraded accounts to 2FA. It took 2 days. I think if each password is unique there's no need to because even if there is a breach it's limited to one account.
 

TairikuOkami

Level 35
Verified
Top Poster
Content Creator
Well-known
May 13, 2017
2,452
I have not changed some important passwords for years, since many services report if someone tries to access it via a bad password. Then again, not all password breaches are reported, so it might be prudent to change them, but never all at once; you might mess up and lose access to everything.

I login via FB/Google whenever possible and it is funny to see failed attempts because of a bad password, since there is no password at all. :LOL:

On top of that, ~50% of phishing is done by forcing a user to change his password ASAP and they succeed using a fake webpage, malware or MITM.
So if you receive a security alert demanding you to do it, make sure the computer is clean and you visit the webpages directly, not by clicking on a link.
Do password forms allow [Space] at the beginning of a new password?
Some do, but it can cause issues when implemented incorrectly (like not accepting it afterwards), basically they avoid it because of issues in the past.
 

Marana

Level 1
Verified
Jan 21, 2018
43
As a general rule I agree here with NIST SP 800-63B section 5.1.1.2 ("Memorized Secret Verifiers"):
  • "Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator."
 

Cortex

Level 26
Verified
Top Poster
Well-known
Aug 4, 2016
1,465
Every site etc I sign in with has a strong unique password which I rarely change unless I have reason - I do change email passwords every few months though - I don't use a password manager as such but small text files using WinRar & a strong password - I've used this system for some time and works well, easy to add to change or delete, not reliant on any other program but Winrar etc
 

ForgottenSeer 85179

Every site etc I sign in with has a strong unique password which I rarely change unless I have reason - I do change email passwords every few months though - I don't use a password manager as such but small text files using WinRar & a strong password - I've used this system for some time and works well, easy to add to change or delete, not reliant on any other program but Winrar etc
The advantage of a password manager over a normal text file in an (encrypted) archive is the protection against database cracking. WinRAR doesn't do that.

Also a password manager can be integrated into the system for even more security and comfort, like a KeePass plugin which adds compatibility with Windows Hello.
 

Cortex

Level 26
Verified
Top Poster
Well-known
Aug 4, 2016
1,465
I've tried most password managers & prefer my system, I do respect your views, but overall I feel a Winrar archive is pretty safe & if someone were to get in my PC & crack it that would be the least of my troubles, assuming an alternative is safer & I'm not convinced it is - I don't know anyone else that uses rarred text files so it's probably a bit of an unknown? The system works really well for me & has for maybe 15 years I'm not sure :cool::cool::cool:
 

kC77

Level 5
Verified
Well-known
Aug 16, 2021
230
I don't really change any now, every service/site I have is a totally random password even I don't know and uses 2FA/Yubi where possible

if you use KeePass there is a nice plugin where you can check all your passwords against the list offline (this works as my keepass.exe is blocked outbound)
you need to download the list from
and the plugin from keepass plugins page (hibpoffline)

can scan all your passwords and adds the flag secure or pwned in your database.
I do run a scan from time to time just in case one of my entries gets pwned, and I would then maybe change it (but not so much of a rush if only 1 site, and it's this reason you should never share the same password for multiple sites/services)

only thing about the HIBP offline database.. the guy who did the database upload made a mistake last time and ended up with a huge azure bandwidth bill, so he may not be so keen to update it! (last update dec 2021)
 
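The offline check kC77 describes, as an added example that is not code from the thread or from the HIBP Offline plugin: it parses a Pwned Passwords-style hash list (SHA-1 hex, one "HASH:count" per line), flags each vault entry "pwned" or "secure", and applies the NIST SP 800-63B rule Marana quoted, forcing a change only where there is evidence of compromise. The hash list and the vault entries are constructed for the example; the real list is the multi-gigabyte download the post mentions.

```python
# Added example, not from the thread or the HIBP Offline plugin: offline check of
# vault passwords against a Pwned Passwords-style list, then rotate only the
# entries with evidence of compromise (NIST SP 800-63B 5.1.1.2).
import hashlib

# Constructed sample in the Pwned Passwords file format: "<UPPERCASE SHA-1>:<count>".
# Only three entries are embedded so the example runs offline; the real list is
# the full download kC77 refers to.
SAMPLE_PWNED_LIST = "\n".join(
    f"{hashlib.sha1(p.encode()).hexdigest().upper()}:{n}"
    for p, n in (("password1", 2400000), ("letmein", 150000), ("Summer2020!", 12))
)


def load_pwned_hashes(text):
    """Parse 'HASH:COUNT' lines into a dict of SHA-1 hex -> breach count."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue  # skip blank or malformed lines instead of aborting the scan
        digest, count = line.split(":", 1)
        table[digest.upper()] = int(count)
    return table


def pwned_count(password, table):
    """Return how often the password appears in the list (0 = not found)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return table.get(digest, 0)


def audit_vault(entries, table):
    """Flag each vault entry ('pwned', count) or ('secure', 0), as the post
    describes, and return the sorted list of entries that must be rotated."""
    report = {}
    for site, password in entries.items():
        n = pwned_count(password, table)
        report[site] = ("pwned", n) if n else ("secure", 0)
    must_change = sorted(site for site, (flag, _) in report.items() if flag == "pwned")
    return report, must_change


if __name__ == "__main__":
    # Constructed vault: one reused weak password, one long random string.
    vault = {"shop.example": "letmein", "mail.example": "Xq7#vLp2!mRt9$wZc4@Hn8Kd"}
    report, must_change = audit_vault(vault, load_pwned_hashes(SAMPLE_PWNED_LIST))
    for site, (flag, n) in report.items():
        print(f"{site}: {flag}" + (f" (seen {n} times)" if n else ""))
    print("rotate:", must_change)
```

Because the lookup hashes locally and never sends anything, it works with the password manager blocked from the network, which is the setup kC77 describes.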

ForgottenSeer 94654

Changing passwords on a reasonably regular basis - say every 90 days - is a basic security practice, whether or not you use biometrics or 2FA. Not changing passwords - no matter how many you have - is laziness. Plain and simple.
 

Back3

Level 14
Verified
Top Poster
Apr 14, 2019
654
I'm the one in the family helping others (and friends too) set up and maintain their computer. The main issue I had: most of them didn't remember their passwords. So it was a chore to set up a new device. I had them buy a small notebook. Most of their passwords have 8 digits, and some are used 4-5 times. I tell them it is important to have unique and longer passwords for financial apps. And important stuff. Since I'm the one setting up their devices, I'm not afraid to use 2FA for their phones or tablets.

I use Keepass as a bank for passwords on my PC and Bitwarden to sync my passwords on all my devices. I create unique passwords and don't change them very often. Last week, I decided to enhance my Google password on all my devices. Easy on most devices, but not on my Chromebook: it took me nearly one hour to have it function properly. So, no, I don't change my passwords regularly. With 2FA and an authenticator app, I don't see the need.
 
