Once upon a time, it seemed like a good idea to regularly change your passwords.
The logic was that over weeks or months, someone might look over your shoulder, or see it written on a post-it note on your monitor, or somehow figure out your password, and that you could confound these scoundrels by regularly changing it – even if it was ‘just in case’.
But it turns out that regularly changing your password is a terrible idea, at least if the only reason for it is that some months have passed. When people, at least those without password managers, have to change passwords often, they tend to choose easier passwords or write them down more frequently, even leaving them on post-its right on the monitor. This can put their accounts at even more risk.
In general, changing passwords regularly adds very little or no security, since adding a new password when the old one wasn’t compromised doesn’t necessarily make you more secure.
Unfortunately, there are still companies and accounts that force time-regulated password changes. Some notions die slowly.
So *do not* make it a habit to regularly change your passwords. Instead, as we’ve outlined in other posts, do these three things:
- Use long, strong, unique passwords
- Use a password manager
- Use two-factor authentication when possible to double-lock your accounts.
Only change your password:
When your password was in a data breach (Part I)
If the data from one of your accounts is stolen and shared publicly (as in a data breach), you should immediately change your password on that account. You’re likely to learn about a breach via the news, or because the service or company has emailed you that accounts may have been compromised, but it’s also a good habit to check haveibeenpwned.com (HIBP) once in a while to make sure your accounts aren’t compromised.
If they are, reset your password.
When your password was in a data breach (Part II)
When one of your passwords is leaked in a data breach, if you have reused that same password on any other accounts, reset the password on every account that used it. Attackers will try leaked email and password combinations on other services, knowing how common password reuse is. Changing the password on each of those accounts removes that risk.
When your password is too weak for the account
Your most important accounts – email, banks, social media, cloud storage, etc. – need really strong passwords. If you ever realize that an account could be used to embarrass you, steal from you, or control important information about you, you should immediately change that password to make it longer and stronger.
Other accounts, which hold less valuable data or carry less inherent risk, may not require as strong a password, but you should never use super common, super short, or super easy-to-guess passwords. If your password is ‘password’ or ‘tarheals’ or anything that simple, it’s time to strengthen it.
When you’ve shared a password
If you’ve shared a password with a loved one, friend, or co-worker and no longer trust them or are in contact with them, it’s time to change that password. There’s no need to take the risk of someone you’re no longer in contact with having access to one of your accounts.
If there’s suspicious activity on your account
Many accounts – like Apple or Dropbox or LinkedIn – can show you all the dates and locations and devices that have recently logged into your account. If you ever see suspicious records in these lists, change your password.
Similarly, if you have 2FA on an account and unexpectedly get a login code texted to you, it’s a sign that someone has attempted to get into your account and knows your password. Change your password immediately.
High Value Password Rotation
While we said above that time is not the best driver of password changes, there is one exception we’d make. For your high-value accounts where you do not (or cannot) use two-factor authentication, changing your password at some regular interval – perhaps annually – is not an entirely bad idea.
The logic is this: password breaches happen, and even the biggest companies can have their systems hacked and passwords stolen. Often these thefts go undetected, and unreported, for months or years. And often those stolen passwords do not circulate for months or years. So at any given moment, your bank or social account may already have been breached without your knowing it. By making an occasional password change, you protect yourself against any unreported breach that occurred before the day of your change.
Assuming you use a password manager on these high-value accounts, this type of password change will not fall victim to the old risks: you won’t choose an unsafe new password, and there is no hassle at all in using the new one (since the password manager enters it for you). So the only cost is the relatively small time and energy of making the change. Not a bad price to pay for peace of mind.
If you have 2FA on any account, especially if you’ve disabled SMS and use an authenticator app or FIDO security key, this small risk of an unreported breach is less of a concern. In that case, we probably wouldn’t bother making a password change ever, unless one of the other risk conditions occurs.
Password Manager Audits
Password managers such as Dashlane and 1Password have additional features that let you know whether one of your passwords is at risk. 1Password has Watchtower, which integrates with HIBP to alert you if an account has been part of a data breach. The tool will also let you know if a password is a duplicate or if an account offers 2FA. Dashlane, on the other hand, has a data breach alert service and lets you easily update any weak or reused passwords with one click.
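The checks such an audit performs are simple to express as code. The block below is an added example, not code from the original post, 1Password or Dashlane; it runs the post's own rules over a constructed vault: flag every account sharing a password that was in a breach (the "Part II" rule), flag reused and weak passwords, and flag high-value accounts without 2FA whose password is older than the annual rotation interval suggested above. The `Entry` fields, the 12-character minimum and the tiny common-password list are assumptions made for the example; a real manager ships a far larger denylist and gets the breach flag from an HIBP lookup.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Assumed thresholds for this example, not values from any product.
MIN_LENGTH = 12
ROTATION_DAYS = 365  # the post's "perhaps annually" for high-value accounts without 2FA
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "tarheels"}  # constructed denylist


@dataclass
class Entry:
    """One vault record (hypothetical schema for this example)."""
    site: str
    username: str
    password: str
    high_value: bool = False
    has_2fa: bool = False
    last_changed: date | None = None
    known_breach: bool = False  # e.g. set by a Watchtower/HIBP lookup for this account


def audit(entries: list[Entry], today: date) -> dict[str, list[str]]:
    """Return {finding: [sites]} for the rules described in the post."""
    findings: dict[str, list[str]] = defaultdict(list)

    # Group sites by password so reuse and breach propagation are one lookup.
    sites_by_password: dict[str, list[str]] = defaultdict(list)
    for e in entries:
        sites_by_password[e.password].append(e.site)
    # A breach on one account taints that password everywhere it is reused.
    breached_passwords = {e.password for e in entries if e.known_breach}

    for e in entries:
        if e.password in breached_passwords:
            findings["breached"].append(e.site)
        if len(sites_by_password[e.password]) > 1:
            findings["reused"].append(e.site)
        if len(e.password) < MIN_LENGTH or e.password.lower() in COMMON_PASSWORDS:
            findings["weak"].append(e.site)
        if not e.has_2fa:
            findings["no_2fa"].append(e.site)
            if (e.high_value and e.last_changed is not None
                    and (today - e.last_changed).days > ROTATION_DAYS):
                findings["rotate"].append(e.site)
    return dict(findings)


def report(findings: dict[str, list[str]]) -> str:
    """Human-readable summary, one line per finding type."""
    labels = {
        "breached": "Change now, password appeared in a breach",
        "reused": "Reused password, give each account its own",
        "weak": "Too short or too common, make it longer and stronger",
        "no_2fa": "No 2FA enabled, turn it on if the service offers it",
        "rotate": "High-value account without 2FA, annual rotation is overdue",
    }
    return "\n".join(f"{labels[k]}: {', '.join(v)}" for k, v in findings.items())


# Constructed sample vault; every value is made up for this example.
SAMPLE_VAULT = [
    Entry("gmail", "me", "Tr0ub4dor&3-correct-horse", high_value=True, has_2fa=True,
          last_changed=date(2021, 1, 10)),
    Entry("bank", "me", "S0me-Long-Bank-Passphrase!", high_value=True, has_2fa=False,
          last_changed=date(2023, 1, 15)),
    Entry("forum", "me", "tarheels", has_2fa=False, last_changed=date(2022, 6, 1),
          known_breach=True),
    Entry("shop", "me", "tarheels", has_2fa=False, last_changed=date(2022, 8, 1)),
    Entry("cloud", "me", "Different-Unique-Passphrase-42", high_value=True, has_2fa=False,
          last_changed=date(2024, 9, 1)),
]

if __name__ == "__main__":
    print(report(audit(SAMPLE_VAULT, date(2024, 10, 1))))
```

Note how the `gmail` entry produces no findings at all: a long unique password guarded by 2FA needs no change, which is exactly the post's point, while the breach on `forum` is reported against `shop` too because they share a password.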
Remember, passwords are often good enough as long as you follow some basic guidelines. Once you set them, you don’t need to change them unless one of the above scenarios applies. To make it all easy for you, we recommend using a password manager.