You’ve probably heard that it’s best practice to change your passwords every three months to safeguard your accounts. But the fact is, there are no real benefits to doing so, and it might even be counterproductive. The National Institute of Standards and Technology (NIST) no longer recommends regular password changes.
Let’s go through why you shouldn’t change your passwords regularly, and the scenarios for when you should update your passwords.
Why you shouldn’t change your passwords regularly
Contrary to traditional belief, you don’t need to change your passwords regularly, especially if you are already using a strong, unique password for each account.
1. You don’t gain anything by changing your passwords
If your password is not compromised, or if it’s already strong (long, complex, and random), you don’t benefit by selecting another strong, unique password. Your original password is just as hard to crack as a new one.
2. Frequent password changes mean weaker passwords
If you are relying on your memory to keep track of passwords, the need to create a new memorable password often results in picking similar ones, either repeated from other accounts or following a pattern (e.g., increasing the number at the end by one each time). Reusing passwords or using variations of a password is risky, because once one of them is revealed, the rest become easy to guess.
The bottom line is it’s better to use a strong, unique password for each account and never change them, rather than weak passwords that are frequently changed.
That’s why it’s a good idea to use a password manager, which stores all your complex passwords securely. You only have to remember one primary password rather than a whole collection of passwords. In fact, the advent of password managers has made it more feasible to create unique, strong passwords for all your accounts—making the old advice about password changes obsolete.
But there are some cases when you should change your password. Let’s go over some possible scenarios.
When should you change your passwords?
After a data breach
A data breach is a cyberattack in which hackers gain access to a computer network to steal personal data or confidential information. If you have been affected by a data breach, assume that, at the very least, your username and password have been compromised. The attackers might try credential stuffing: using automated bots to try the same username and password combination on other sites.
You should change the password on the breached account immediately, as well as any similar passwords you use on other accounts.
After an unauthorized access to your account
Did you just get informed of suspicious activity on your account? First and foremost, be sure it’s not a phishing scam: scammers send exactly this kind of alert to lure victims into logging in on a fake website, which then steals their credentials.
If you believe someone other than yourself tried to access your account, or did successfully log in, change your password immediately. On most services this also signs out any active sessions, so it protects you even if they do have your password. The worst case is if they have already changed your password, in which case you’ll need to go through the service’s account-recovery process.
Using two-factor authentication would make it much harder for someone to break into your account even if they know your password.
After using a public network
Public Wi-Fi networks are often unsecured. Other users on the same network may be able to intercept traffic that isn’t itself encrypted, exposing personal information like passwords and bank details. If you’ve used a public network to sign in somewhere, especially your bank accounts, you might want to change your password afterward.
That said, a VPN is an easy way to secure your connection on unsecured networks.
If you haven’t signed in to the account for a while
If you haven’t signed in to an account for a while, chances are it is still using the password you created when you first signed up. There’s nothing wrong with that if it’s already a strong, unique password. But a data breach might have happened without you realizing. Plus, there’s a good chance you’ve forgotten the password for a dormant account anyway.
If you’re starting to use the account again, a password change makes sense. For any services you won’t use again, consider deleting your account instead.
If you’ve logged in to your accounts on other people’s devices
Did you log in to your Netflix account on a friend’s device last week? If you’ve signed in to your accounts on someone else’s devices, it’s best to change your password as soon as possible, even if you’ve already signed out on their devices. You should also change your passwords if you have shared your account passwords with an ex in the past.
4 best password practices
- Use strong passwords. This means ones that are long, complex, and random. Our password generator can create one for you.
- Use a password manager. A password manager can securely store all your passwords, whatever the length or complexity. You only have to remember one primary password.
- Use two-factor authentication wherever possible. Even if someone finds out your login details, they won’t be able to break into your account without access to your phone or email (depending on your 2FA method).
- Don’t reuse passwords. Every account you own should have its own unique password.
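To make the two points above concrete (a strong password is one drawn at random, and a "rotated" password that only bumps a trailing number is not a new password at all), here is an added example, not code from the original post. It generates a random password from a cryptographically secure source and flags a proposed change that is just a trivial variant of the old one, the kind of check a password-change form could run; the helper names are my own.

```python
import math
import re
import secrets
import string

# Full printable ASCII set, the kind of alphabet a password generator uses.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20) -> str:
    """Random password from a CSPRNG. Each character is independent, so an
    old password tells an attacker nothing about the new one."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Guessing work for a uniformly random password: log2(N ** L)."""
    return length * math.log2(alphabet_size)


def _core(pw: str) -> str:
    # Strip what people typically "rotate": trailing digits/symbols and case.
    return re.sub(r"[\d\W_]+$", "", pw).lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character tweaks."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trivial_variant(old: str, new: str, max_edits: int = 2) -> bool:
    """True when `new` is the kind of pattern change the post warns about:
    same word with a bumped number/symbol, or only a couple of edits away."""
    if new.lower() == old.lower():
        return True
    if _core(old) and _core(old) == _core(new):
        return True
    return levenshtein(old.lower(), new.lower()) <= max_edits
```

A service that rejects trivial variants pushes users toward genuinely new passwords, which is only practical if a password manager is remembering them.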