“Change your passwords regularly” is a common piece of password advice, but it isn’t necessarily good advice. You shouldn’t bother changing most passwords regularly — it encourages you to use weaker passwords and wastes your time.
Yes, there are some situations where you’ll want to regularly change your passwords. But those will probably be the exception rather than the rule. Telling typical computer users they need to regularly change their passwords is a mistake.
The Theory of Regular Password Changes
Regular password changes are theoretically a good idea because they ensure someone can’t acquire your password and use it to snoop on you over an extended period of time.
For example, if someone acquired your email password, they could log into your email account regularly and monitor your communications. If someone acquired your online banking password, they could snoop on your transactions or come back in several months and attempt to transfer money to their own accounts. If someone acquired your Facebook password, they could log in as you and monitor your private communications.
Theoretically, changing your passwords regularly — perhaps every few months — will help prevent this from happening. Even if someone did acquire your password, they’d only have a few months to use their access for nefarious purposes.
Password changes shouldn’t be considered in a vacuum. If human beings had infinite time and perfect memory, regular password changes would be a fine idea. In reality, changing passwords imposes a burden on people.
Changing your password regularly makes it harder to remember good passwords. Rather than create a strong password and commit it to memory, you must attempt to remember a new password every few months. Users who are forced to regularly change their password by a computer system may end up appending a number — so they may use password1, password2, and so on.
It’s hard enough to change your password regularly for a single account and remember your new password each time. But we all have many passwords — imagine having to change your password regularly and constantly remember unique, strong passwords for a large number of services.
It’s already basically impossible to choose strong, unique passwords for every website and remember them — that’s why we recommend using a password manager like LastPass or KeePass. If you change your password every few months, you’ll likely end up using weaker passwords and reusing them across multiple websites. It’s much more important to use strong, unique passwords everywhere than to change your password regularly.
Why Changing Passwords Won’t Necessarily Help
Regularly changing your password won’t help as much as you might think. If an attacker gains access to your accounts, they’ll most likely use their access to cause damage right away. If they gain access to your online banking account, they’ll log in and attempt to transfer money out rather than sit and wait. If they gain access to an online shopping account, they’ll log in and attempt to order products with your saved credit card information. If they gain access to your email, they’ll likely use it for spam and phishing, or attempt to reset passwords on other sites with it. If they gain access to your Facebook account, they’ll probably attempt to spam or defraud your friends immediately.
Typical attackers won’t hold onto your passwords for an extended period of time and snoop on you. That’s not profitable — and attackers are just after profit. You’ll notice if someone gains access to your accounts.
Changing your password regularly is also essential if you use the same password everywhere, because it’s likely your password is constantly being leaked when one of the services you use is compromised. Rather than change that single password regularly, you should deal with the real problem here and use unique passwords everywhere.
When You Do Want to Change Passwords
Changing passwords can help if someone who isn’t a traditional attacker has access to your account. For example, let’s say you shared your Netflix login credentials with an ex — you’ll want to change your password so they can’t use your account forever. Or, let’s say someone close to you gained access to your email or Facebook password and used your password to spy on you. When you change your passwords, you’re primarily preventing this sort of account sharing and snooping, not preventing someone on the other side of the world from gaining access.
Regular password changes can also be valuable for some work systems, but they should be used with thought. IT administrators shouldn’t force users to change their passwords constantly unless there’s a good reason — users will just start using weak passwords, writing down passwords, or even switching back and forth between two favorite passwords.
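The "password1, password2" pattern above is something an administrator can actually measure before deciding whether a rotation policy is doing any good. The following Python is an added example, not code from the original article: it compares each password in a user's change history with the previous one and flags rotations that only bump a trailing digit or symbol. The history values and the 0.8 similarity threshold are constructed for illustration.

```python
import re
from difflib import SequenceMatcher

# Constructed sample history for one account under a forced-rotation policy
# (made-up values for illustration, not real credentials).
ROTATION_HISTORY = [
    "password1", "password2", "password3", "Password3!",
    "Summer2014", "Winter2014",
]

# Trailing digits and symbols are the part users typically bump on each change.
_TRAILING = re.compile(r"[0-9!@#$%^&*]+$")


def core(pw: str) -> str:
    """Lower-case the password and strip trailing digits/symbols."""
    return _TRAILING.sub("", pw.lower())


def similarity(a: str, b: str) -> float:
    """Ratio in [0, 1] of matching characters between two strings (difflib)."""
    return SequenceMatcher(None, a, b).ratio()


def is_trivial_rotation(old: str, new: str, threshold: float = 0.8) -> bool:
    """True when the new password is a predictable variant of the old one:
    same core after stripping the suffix, or nearly identical overall."""
    if core(old) == core(new):
        return True
    return similarity(old.lower(), new.lower()) >= threshold


def audit_history(history):
    """Return (old, new, trivial) for each consecutive change in the history."""
    return [(o, n, is_trivial_rotation(o, n)) for o, n in zip(history, history[1:])]


def trivial_rotation_count(history) -> int:
    """Number of changes in the history that were only cosmetic."""
    return sum(1 for _, _, trivial in audit_history(history) if trivial)


if __name__ == "__main__":
    for old, new, trivial in audit_history(ROTATION_HISTORY):
        print(f"{old!r} -> {new!r}: {'trivial' if trivial else 'distinct'}")
    print(f"{trivial_rotation_count(ROTATION_HISTORY)} of "
          f"{len(ROTATION_HISTORY) - 1} rotations were trivial")
```

A check like this belongs at password-change time, where the old password is still available in cleartext; stored hashes cannot be compared this way. A high trivial-rotation rate is the concrete evidence that the policy is producing the weak, predictable passwords described above rather than fresh ones.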
Password changes in response to specific events are a good thing, of course. It’s a good idea to change your passwords on websites that were vulnerable to Heartbleed but have now patched it. Changing your password after a website has its passwords database stolen is also a good idea.
If you are reusing passwords for different websites, changing your password on all those sites is a good idea if one of those sites is compromised. But reusing passwords in the first place is the worst thing you can do — the real solution here is using unique passwords, not constantly changing your shared password to a new one on all the services you use.
Focus on Useful Advice
The problem with advising people to change their password regularly is that it’s such distracting advice. Using strong, unique passwords everywhere is already almost impossible advice to follow if you’re not using a password manager to remember them for you. Two-factor authentication is also helpful, as it can prevent your accounts from being accessed even if someone steals your passwords. Rather than tell people to regularly change their passwords, we should be passing on useful advice like “use unique passwords everywhere” — something most people don’t presently do.
This isn’t the only piece of advice we disagree with. For most home users, writing down some passwords is actually not a bad idea — it’s definitely better than reusing the same password everywhere.
We’re not the only ones advising against regular, indiscriminate password changes. Security expert Bruce Schneier has written about why changing passwords regularly isn’t good advice, while Microsoft Research has also concluded that changing passwords regularly is a waste of time. Yes, there are some situations where you may want to do this — but passing on advice like “change your passwords every three months” to typical computer users is doing more harm than good.