“How often should I change my password?” This question has been around for as long as there have been passwords. Years ago, you may have had 5-10 passwords. Now, you likely have over 100. So, how often should you change your passwords?
Note: This page contains affiliate links. As an Amazon Associate I earn from qualifying purchases. Please see Affiliate Disclosure.
What would happen if someone got one of your passwords?
- They could do immediate damage.
- They could spy on you for weeks, months, or years.
What kind of damage might they do? They might transfer money out of one of your bank accounts, send spam email from your account, or post harmful content to your social media accounts.
What kind of spying might they do? They might monitor your financial activity, or monitor your conversations by email or social media.
How would someone get your password?
- Data breach (it’s stolen from an organization)
- Guess it (try personal details such as names, dates, etc.)
- Observe it (watch you enter it, see it written)
- Trick you (phishing, etc.)
- You share it (with family or friends)
How to Increase Your Security
You’ve probably heard that you should regularly change your passwords, in case someone gets a hold of them. The idea is that if someone is using one of your passwords, and you change it, that will cut off their access.
This has led many organizations to require people to change their passwords on a schedule, such as every 30, 60, or 90 days. Unfortunately, this has led to poor password practices:
- Creating weak passwords
- Using the same password for multiple accounts
- Using predictable passwords
As data breaches have become more common, these issues have become more serious. So, in recent years, industry experts have reversed the advice to regularly change passwords.
“Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.”
Source: NIST Special Publication 800-63B, Digital Identity Guidelines, Section 5.1.1.2 (nist.gov)
“Periodic password expiration is a defense only against the probability that a password (or hash) will be stolen during its validity interval and will be used by an unauthorized entity. If a password is never stolen, there’s no need to expire it. And if you have evidence that a password has been stolen, you would presumably act immediately rather than wait for expiration to fix the problem.”
Source: Microsoft (microsoft.com)
“… the greatest risk to your password is no longer cracking, but password harvesting. Cyber criminals infect your computer with keystroke loggers, data harvesting via phishing websites, people sharing or reusing passwords, social engineering attacks over the phone, SMS texting, or a number of other methods. Basically, since the threat model has changed, if your password is compromised, it will almost certainly be collected in seconds, not months. And when the bad guy gets your password, they are not going to wait the required ‘90 days’, they are going to leverage it within hours. So by the time you get around to changing your passwords the bad guys are long gone. Regular password changing only makes you feel more secure. It does not do anything to actually secure you.”
Source: SANS Institute (sans.org)
“Forcing password expiry carries no real benefits because:
- the user is likely to choose new passwords that are only minor variations of the old
- stolen passwords are generally exploited immediately
- resetting the password gives you no information about whether a compromise has occurred
- an attacker with access to the account will probably also receive the request to reset the password
- if compromised via insecure storage, the attacker will be able to find the new password in the same place”
Source: National Cyber Security Centre [UK] (ncsc.gov.uk)
As the sources above point out, someone who gets your password is far more likely to use it within hours than to sit on it and secretly spy on you for months. If they do immediate damage, you’ll likely notice and be able to respond, which is exactly when a password change is warranted. A change scheduled every 90 days, on the other hand, comes long after the damage is done. So, it’s not necessary to regularly change your passwords.
Changing a password on a schedule doesn’t hurt, provided the new password is strong, unique, and not a minor variation of the old one; but it does little to increase security, and the time is better spent on unique passwords and two-factor authentication.
However, this doesn’t mean that you never need to change another password in your life. Let’s look at several situations in which you should change your password.
After a Data Breach
When you’re informed that your data was part of a data breach, change your password immediately.
If you used that same password for any other accounts, change those immediately, too. When hackers get breached passwords, they try them all over the Internet, just to see what else they’ll unlock. This is called credential-stuffing. So, make sure that you use unique passwords for all accounts.
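The guidance quoted above (change on evidence of compromise, never merely on age) and the credential-stuffing point in this section can be turned into a small audit of your own accounts. The following is an added example written for this page, not code from the article, from LastPass, or from any password manager; the vault and the “breach list” are constructed stand-ins, and the prefix lookup in is_breached only imitates the k-anonymity style range query that breach-checking services offer, so no network call is made.

```python
import hashlib
import secrets
import string
from collections import defaultdict

# Constructed sample vault (hypothetical accounts and passwords, for illustration only).
VAULT = {
    "bank": "Tr0ub4dor&3",
    "email": "correcthorsebatterystaple",
    "shop": "Tr0ub4dor&3",      # reused: identical to the bank password
    "forum": "password123",     # weak, and present in the constructed breach list below
}

# Constructed stand-in for a breach corpus. Real services publish SHA-1 digests
# and let you query by the first five hex characters so the password never leaves
# your machine. Only these two passwords count as "breached" in this example.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password123", "123456")
}


def sha1_hex(password):
    """Upper-case SHA-1 hex digest, the form breach lists are distributed in."""
    return hashlib.sha1(password.encode()).hexdigest().upper()


def is_breached(password):
    """k-anonymity style check: send only the 5-char prefix, compare the suffix locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    # What a range query for `prefix` would return: every suffix sharing that prefix.
    returned_suffixes = {d[5:] for d in BREACHED_SHA1 if d.startswith(prefix)}
    return suffix in returned_suffixes


def reused_passwords(vault):
    """Map each password used by more than one account to the list of those accounts."""
    accounts_by_password = defaultdict(list)
    for account, password in vault.items():
        accounts_by_password[password].append(account)
    return {pw: accts for pw, accts in accounts_by_password.items() if len(accts) > 1}


def is_weak(password, min_len=12):
    """Length is the dominant strength factor; composition rules are deliberately not enforced."""
    return len(password) < min_len


def audit(vault):
    """Return {account: [reasons]} for every account whose password should change now.

    Note what is deliberately NOT a reason: how long the password has been in use.
    """
    reasons = defaultdict(list)
    reused = reused_passwords(vault)
    for account, password in vault.items():
        if is_breached(password):
            reasons[account].append("breached")
        if password in reused:
            reasons[account].append("reused")
        if is_weak(password):
            reasons[account].append("weak")
    return dict(reasons)


def generate_password(length=20):
    """Replacement password from the OS CSPRNG (secrets), not random.random()."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for account, why in sorted(audit(VAULT).items()):
        print(f"{account}: change now ({', '.join(why)}) -> suggested: {generate_password()}")
```

Running it flags bank and shop for reuse (one leaked password would open both, which is what credential stuffing exploits) and forum for being breached, while the long, unique email password is left alone regardless of its age. A real breach check would send the five-character prefix to a range endpoint instead of filtering the local set.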
The password manager LastPass automatically informs you when your email address has been exposed in a data breach, and which breach it was. That way, you know which password you should change.
After Being Hacked
When one of your accounts is hacked, such as an email account or social media account, change your password immediately.
When one of your devices (computer, phone, tablet, etc.) is hacked, or gets malware, change the password of the device, and of any accounts that were accessible from that device.
After Fraud or Theft
When you’re the victim of fraud or theft that’s performed digitally, change the password of the financial institution.
Also, in the case of a fraudulent purchase, change the password of any accounts with the merchant (seller) that sold the items. For example, if the fraudulent purchases were from Amazon, change the password of your Amazon account.
To Change a Default Password
Unfortunately, many devices come with default passwords, such as wireless routers and smart devices, aka Internet of Things (IoT) devices. These often have a password printed on the device or in the paperwork that came with it, and it is frequently the same for every unit of that model. Lists of default passwords are readily available online, so hackers can easily use them, and automated scanners try them against every device they find.
When you have a device (or software) that comes with a default password, change the password immediately.
After a Password is Sent via an Insecure Channel
There are secure ways to send passwords, and insecure ways. If a password is sent over an insecure channel, such as SMS/text or email, or to a website over plain HTTP rather than HTTPS (risky on any network, and especially on public Wi-Fi), that password could be captured in transit.
Maybe you never send a password over an insecure channel, but you may receive a password over an insecure channel. For example, when I create a new account, occasionally the company emails me my password. This is infuriating because it’s insecure.
When a password is sent by you or to you over an insecure channel, change your password as soon as possible in a secure way, using your own device on a trusted network.
After Entering the Password on a Public Device
You never know what malware or hardware keyloggers may be running on a public device, such as a computer or tablet at an airport, library, or Internet café. So, you can’t trust them, and should avoid them whenever possible.
If you’re ever required to enter a password on such an untrusted device, change your password as soon as possible in a secure way, using your own device on a trusted network.
To Change a Weak Password
When you realize that one of your passwords is weak, change the password immediately.
To Stop Sharing an Account
When you want to stop sharing an account with family or friends, change the password.
How to Change Passwords
When you create a new password, make sure it’s a strong password (long, complex, and random).
I mentioned earlier that you should change passwords using your own device on a trusted network.
Some accounts give you the option to log out all other devices and users who are logged into the account, or to revoke active sessions and app-specific passwords. You should do this to immediately block access to your account. Otherwise, a session that an intruder already has open may keep working for some time even after you change the password, because changing a password does not always invalidate existing sessions.
When you change a password, also change your security questions, PIN(s), and any other details that a person could use to gain access to your account. See if your account offers any additional forms of security that you can activate, such as two-factor authentication.
How are you going to create and remember all these passwords? A secure and convenient tool is the password manager. I recommend LastPass.
LastPass has a Security Challenge tool that analyzes your passwords and tells you which ones are weak. It can even automatically change some of them for you.
- Time for Password Expiration to Die (sans.org)
- How Strong Is Your Password? Learn Password Security (defendingdigital.com)
What You Should Do
- Don’t think that you need to change all your passwords regularly; doing so doesn’t hurt as long as each new password is strong and unique, but it adds little security.
- Change a password if any of the following occurs:
- You’re a victim of a data breach
- You get hacked
- You’re a victim of fraud or theft
- You set up a device that has a default password
- Your password is sent over an insecure channel
- You enter a password on a public device
- Your password is weak
- You want to stop sharing an account
- Use a password manager to make it easier to change and save passwords. I recommend LastPass.