How Often Should You Change Your Password? 

When it comes to security, complicated isn’t always better. There are many people out there who want you to believe that strong security means buying lots of expensive software, following complex rules, and conducting endless research on today’s latest threats.  

If you’re a nation state, that may very well be the case. But for average people like you and me, doing the basics well can make all the difference.  

Use strong passwords, store them in a password manager, and turn on multi-factor authentication everywhere you can. These basic steps alone will help most people keep their accounts safe. 

That’s why, when I recently came across this article with more bad security advice, I had to set the record straight. 

The BBB says: Change your passwords every month 

Written by the Better Business Bureau (BBB), the article recommends you change your passwords monthly.

Yes – every 30 days.  

In the article, they go on to list more standard advice: make passwords long, use multi-factor authentication, make security questions random. They even recommend a password manager. Great! I’m not arguing with this advice – everyone should follow these tips. 

But do you really need to change your passwords every month? In my opinion, no, and here’s why. 

Frequent password changes make things worse 

For years, security professionals recommended changing passwords every 30, 60, or 90 days. In offices worldwide, IT policies forced employees to regularly change their password.  

The result? Password security is in a terrible state. Employees have too many passwords to remember. Corporate policies are too strict, so employees write passwords down, make them as memorable (and therefore as guessable) as possible, and change a single character or bump a trailing digit at each forced reset. People skirt the rules so they can keep doing their jobs with minimal disruption. Whether at work or at home, we tend to display the same bad password behaviors everywhere.

NIST no longer recommends frequent password changes 

In 2017, the National Institute of Standards and Technology (NIST) published new recommendations in Special Publication 800-63B, part of its “Digital Identity Guidelines”. They drop the old composition rules (mandatory mixes of upper case, lower case, digits and symbols) and periodic forced password changes. Instead, a service should require a new password only when there is evidence that the current one has been compromised, and should screen new passwords against lists of known-breached or commonly used passwords.

If NIST themselves are recommending against frequent password changes and admit that draconian password measures don’t improve security, then I think we should all consider their advice. Also, if you’re like me and have over 300 accounts to keep track of, changing them every month just isn’t realistic. 

When should you change a password? 

Now, this doesn’t mean you can avoid changing passwords ever again. There are key times when you should change a password. 

They include: 

  • After a service discloses a security incident. 
  • There is evidence of unauthorized access to your account. 
  • There is evidence of malware or other compromise of your device. 
  • You shared access to an account with someone else and they no longer use the login. 
  • You logged in to the account on a shared or public computer (such as at a library or hotel). 
  • It’s been a year or more since you last changed the password, especially if you don’t have multi-factor authentication enabled. 

In all these cases, updating your password is a smart precautionary step. A new password stops anyone who has the old one from using it to sign in. Changing a password doesn't always end sessions that are already open, though, so when you change it, also use the account's “sign out of all devices” option if it has one, and check that the recovery email, phone number and any connected apps are still yours.

How you should approach password changes 

Use the above recommendations as a guideline for approaching password updates going forward. To save you time and help you be smart about making password changes, I also recommend the following: 

  • Put every password in a password manager. It’s much harder to know when it’s time to update a password when you have no idea how many accounts you have. You should collect all of your accounts in one safe place. A password manager like LastPass stores all your passwords in a vault, where they’re organized and encrypted for safekeeping. 
  • Audit your passwords. Let’s say you do have all your passwords collected in a vault. Great! Now you can use the LastPass Security Challenge to audit them. You’ll see just how many logins you have stored, and even find out which ones need a new password.  
  • First change weak, reused, and compromised passwords. The Security Challenge identifies those passwords that are at greatest risk. Use the results to prioritize updating weak, reused, and compromised passwords. 
  • Prioritize sensitive accounts next. Once you’ve eliminated all weak and duplicated passwords, be sure to update your most important passwords, too. Those may be passwords for banking, investments, email, social media, medical records, and taxes. Credentials for Amazon, Netflix, Hulu, and similar streaming and shopping services are also hot commodities on the dark web, so be sure those are strong, too. 
  • Use the automatic password change feature to speed things up. LastPass can automatically change your password for you on nearly one hundred of the most popular websites. LastPass launches the website and does all the work of changing the password for you in the background, so you can instantly enjoy stronger passwords. 
  • Turn on multi-factor authentication where you can. We’ve said it before and we’ll say it again. Multi-factor authentication is one of the best ways to slow down or prevent an attack, even when someone steals your password. Be sure to turn it on everywhere you can. 
  • Set aside time every year to update old passwords. Once you’ve completed the above, don’t go overboard updating your passwords frequently. Unless you know yourself to be a target, the above steps should be enough to protect your accounts. Just set a note in your calendar to run the Security Challenge at least once a year. Block time to update the passwords now flagged as “old”. 
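One way to run the audit this list describes, and at the same time apply the NIST advice above about screening passwords against known-breached lists, as an added example that is not code from the original post or from LastPass: the vault export below is a constructed CSV (its column names are an assumption, not LastPass's export format), and the breach check follows the Pwned Passwords k-anonymity scheme (only the first five hex characters of the SHA-1 hash leave the client; matching suffixes are compared locally) but reads from a constructed in-memory response rather than the network, so it runs offline.

```python
"""Audit a password-manager export for compromised, reused, weak and old
passwords, in the priority order the post recommends.

Added example, not code from the original post or from LastPass.  The vault
export and the breach data below are constructed; the k-anonymity lookup
mirrors the Pwned Passwords range API format ("SUFFIX:COUNT" lines) but
never touches the network.
"""
import csv
import hashlib
import io
from datetime import date

# Constructed vault export. The column names are an assumption, not
# LastPass's real export format.
VAULT_CSV = """name,username,password,last_changed
bank,alice,Tr0ub4dor&3,2023-01-15
email,alice@example.com,correct-horse-battery-staple-9,2024-06-01
shop,alice,Tr0ub4dor&3,2022-11-30
forum,alice,password1,2024-09-10
streaming,alice,k7#Qe9!mZp2vWx4L,2024-09-10
"""

AUDIT_DATE = date(2025, 1, 1)  # fixed "today" so the example is reproducible
MIN_LENGTH = 12     # this example's floor; NIST SP 800-63B requires at least 8
MAX_AGE_DAYS = 365  # the post's "a year or more" rule


def sha1_hex(password):
    """Upper-case hex SHA-1, the digest the Pwned Passwords API is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed breach data, indexed by 5-character hash prefix the way the
# real range API is. The counts are made up for the example.
_PWNED_RANGES = {}
for _pw, _count in (("password1", 2400000), ("Tr0ub4dor&3", 12)):
    _digest = sha1_hex(_pw)
    _PWNED_RANGES.setdefault(_digest[:5], []).append(f"{_digest[5:]}:{_count}")


def pwned_range(prefix):
    """Stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.
    Returns the body as text, one "SUFFIX:COUNT" per line (empty if none)."""
    return "\n".join(_PWNED_RANGES.get(prefix, []))


def breach_count(password, range_lookup=pwned_range):
    """k-anonymity check: only the first 5 hex chars of the hash are sent;
    the 35-char suffix is compared locally. Returns 0 when not found."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def audit(vault_csv, today, range_lookup=pwned_range):
    """Return one finding per flagged entry, sorted compromised > reused >
    weak > old, so the list can be worked top to bottom."""
    rows = list(csv.DictReader(io.StringIO(vault_csv)))
    users_of = {}  # password -> names of the entries sharing it
    for row in rows:
        users_of.setdefault(row["password"], []).append(row["name"])

    findings = []
    for row in rows:
        pw = row["password"]
        finding = {
            "name": row["name"],
            "compromised": breach_count(pw, range_lookup),
            "reused_with": [n for n in users_of[pw] if n != row["name"]],
            "weak": len(pw) < MIN_LENGTH,
            "age_days": (today - date.fromisoformat(row["last_changed"])).days,
        }
        finding["old"] = finding["age_days"] >= MAX_AGE_DAYS
        if finding["compromised"] or finding["reused_with"] or finding["weak"] or finding["old"]:
            findings.append(finding)

    def priority(f):
        # False sorts before True, so flagged entries come first in each column
        return (not f["compromised"], not f["reused_with"], not f["weak"], not f["old"])

    return sorted(findings, key=priority)


if __name__ == "__main__":
    for f in audit(VAULT_CSV, AUDIT_DATE):
        reasons = []
        if f["compromised"]:
            reasons.append(f"seen in {f['compromised']} breach records")
        if f["reused_with"]:
            reasons.append("reused with " + ", ".join(f["reused_with"]))
        if f["weak"]:
            reasons.append(f"shorter than {MIN_LENGTH}")
        if f["old"]:
            reasons.append(f"{f['age_days']} days old")
        print(f"{f['name']:<10} change now: " + "; ".join(reasons))
```

Against the constructed vault the report lists the bank and shop entries first (breached, shared, short and old), then the forum entry (breached only), while the long unique passwords for email and streaming produce no finding. To run it for real, replace `pwned_range` with an HTTPS GET to the range endpoint; the k-anonymity design means the full hash, and certainly the password, never leaves your machine.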

At the end of the day, my advice is to set up a good password system, aided by a password manager. Once you are organized and have done the initial work to clean up your password security, it’s much easier to maintain that strong security going forward.  

One Comment

  • Tom says:

    I enjoyed reading this article! One thing it doesn’t address, though, is the issue of data breaches. A data breach can occur at any time, and there will not necessarily be any indication of a problem – in fact, the online service that experienced the data breach may not even know about it until much later. Using unique, randomized passwords for each account helps prevent additional accounts from being compromised in the event of a data breach, and using a Password Manager like LastPass is the only way to do that in a sustainable way. Although I agree with the author that changing passwords frequently is not feasible for individuals, I recommend for my institutional clients (which typically have fewer than 100 accounts) that they change all of their passwords every three months (using LastPass) to minimize the impact of data breaches.