For years, we've been told to change our passwords every 30, 60, or 90 days. IT departments enforced it. Security checklists demanded it. But here's the thing: modern security research shows this advice is not just outdated — it can actually make you less secure.
The Surprising Truth About Password Rotation
In 2017, the National Institute of Standards and Technology (NIST) — the organization that sets cybersecurity standards for the U.S. government — changed its guidelines. They no longer recommend regular password changes. Microsoft, Google, and most security experts have followed suit.
Why the reversal? Because mandatory password rotation has unintended consequences:
- People create weaker passwords: When forced to change frequently, users create simpler passwords they can remember
- Predictable patterns emerge: Users often just increment numbers (Password1 → Password2 → Password3)
- Post-it notes proliferate: Complex, frequently-changed passwords get written down
- Password fatigue sets in: The friction leads to shortcuts that compromise security
The new consensus: A strong, unique password that you don't change is more secure than a weak password that you change frequently.
When You SHOULD Change Your Password
While routine rotation isn't necessary, there are specific situations where changing your password is essential:
- After a data breach involving that service: Check haveibeenpwned.com regularly to see if your accounts have been compromised. If a service you use reports a breach, change that password immediately — and any other accounts where you used the same password.
- After someone gained access to your account: If you notice unauthorized activity, password reset emails you didn't request, or logins from unfamiliar locations, change your password right away and enable two-factor authentication.
- After sharing your password: Even if you trust someone, change the password once they no longer need access. People write things down, devices get compromised, and relationships change.
- After using a public or shared computer: If you logged in on a library computer, hotel business center, or a friend's device, change that password. You can't guarantee keyloggers weren't present.
- If the password is weak or reused: This is less about timing and more about quality. If you discover an old account using "password123" or using the same password as another site, change it immediately.
- After a relationship or employment ends: Change passwords for shared accounts like streaming services, and any accounts a former partner or employee might have known or guessed.
- If your device was lost, stolen, or infected with malware: Assume any passwords stored or typed on that device are compromised.
What Actually Matters for Password Security
Instead of changing passwords on a schedule, focus on what genuinely improves security:
1. Use Strong, Unique Passwords
Every account should have its own password with at least 16 characters, mixing uppercase, lowercase, numbers, and symbols. This is impossible to manage without a password manager — which brings us to:
2. Use a Password Manager
A password manager lets you maintain strong, unique passwords for every account without the mental burden. You only need to remember one master password.
3. Enable Two-Factor Authentication (2FA)
Even if someone gets your password, 2FA stops them from accessing your account. Enable it everywhere possible, especially for:
- Email (this is your "master key" for password resets)
- Banking and financial accounts
- Social media
- Cloud storage
- Your password manager
4. Monitor for Breaches
Sign up for alerts at haveibeenpwned.com. Many password managers also include breach monitoring. This reactive approach is more effective than arbitrary password rotation.
5. Be Suspicious of Phishing
Most account compromises happen through phishing, not password cracking. No amount of password changes protects you if you enter your credentials on a fake login page.
Special Cases: When Regular Changes Make Sense
There are a few specific scenarios where periodic password changes are still warranted:
- Highly sensitive accounts: If you manage critical infrastructure, financial systems, or have elevated privileges at work, your organization may have valid reasons for rotation policies
- Shared accounts: If multiple people know a password, regular changes reduce the window of risk from any one person
- Compliance requirements: Some industries (healthcare, finance) have regulations requiring password rotation. Follow your organization's policies even if the general advice has changed
- No 2FA available: If an account doesn't support two-factor authentication, more frequent changes add a (small) layer of protection
Important: If your workplace requires regular password changes, follow that policy. Your IT department may have organization-specific reasons, and violating security policies creates other risks.
How to Check If Your Passwords Have Been Compromised
Instead of changing passwords on a schedule, check if they've actually been exposed:
- Visit haveibeenpwned.com
- Enter your email address
- Review any breaches that include your information
- Change passwords for any breached accounts (and anywhere you reused that password)
- Sign up for notifications about future breaches
Many password managers also check your passwords against known breach databases and alert you to compromised credentials.
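This is what that breach check looks like under the hood when a password manager does it for you: the Pwned Passwords service accepts only the first five characters of a password's SHA-1 hash, so the password itself never leaves your device. The Python below is an added example, not code from haveibeenpwned.com or any password manager; it assumes the public range endpoint at https://api.pwnedpasswords.com/range/ and ships with a constructed sample response so it can be run offline.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed sample of a Pwned Passwords range response for the SHA-1 prefix
# 5BAA6. Each line is "<35-hex-char suffix>:<times seen>". The first suffix is
# the real remainder of SHA-1("password"); the others and all counts are made up.
SAMPLE_RANGES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\n"
             "0000000000000000000000000000000000A:2\n"
             "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:17\n",
}

def split_hash(password: str) -> tuple[str, str]:
    """Return the 5-char prefix and 35-char suffix of the uppercase SHA-1 hex
    digest. Only the prefix is sent to the service (k-anonymity), so neither
    the password nor its full hash leaves your machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range(body: str) -> dict[str, int]:
    """Parse a range response into {suffix: count}, skipping malformed lines."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            counts[suffix] = int(count)
    return counts

def fetch_range(prefix: str) -> str:
    """Live lookup of one hash prefix (network access required)."""
    with urllib.request.urlopen(RANGE_URL + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")

def breach_count(password: str, fetch=fetch_range) -> int:
    """How many times the password appears in known breaches (0 = not found).
    `fetch(prefix)` returns a range response body; swap in an offline one to test."""
    prefix, suffix = split_hash(password)
    return parse_range(fetch(prefix)).get(suffix, 0)

def offline_fetch(prefix: str) -> str:
    """Stand-in for fetch_range that serves the constructed sample above."""
    return SAMPLE_RANGES.get(prefix, "")

if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(f"{pw!r}: seen {breach_count(pw, fetch=offline_fetch)} times")
```

A non-zero count means the password is in a public breach corpus and should be changed everywhere it was used, whatever its age.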
A Better Approach: The Security Audit
Instead of changing passwords randomly, do a periodic security audit (quarterly or annually):
- Check for breaches: Run your emails through haveibeenpwned.com
- Review password strength: Use your password manager's audit feature to find weak passwords
- Eliminate reused passwords: Each account should have a unique password
- Verify 2FA is enabled: Check that your most important accounts have two-factor authentication
- Remove unused accounts: Delete old accounts you no longer use
- Update recovery options: Make sure backup emails and phone numbers are current
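The first three audit steps, plus the Password1 → Password2 pattern described earlier, can be checked mechanically. The script below is an added example, not a feature of any particular password manager; it runs over a constructed vault export and flags passwords shorter than 16 characters, accounts without 2FA, exact reuse, and passwords that differ only by a bumped trailing number.

```python
import re
from collections import defaultdict

MIN_LENGTH = 16  # the article's floor for a strong password

# Constructed vault export as (site, password, two_factor_enabled).
# These are made-up entries for the example, not real credentials.
SAMPLE_VAULT = [
    ("mail.example",  "Tr0ub4dor&3-quartz-lantern-river", True),
    ("bank.example",  "Tr0ub4dor&3-quartz-lantern-river", True),   # exact reuse
    ("shop.example",  "Summer2023!", False),
    ("forum.example", "Summer2024!", False),   # same base, bumped number
    ("old.example",   "password123", False),
]

# A trailing number with at most one symbol after it: the part people bump.
_TRAILING_COUNTER = re.compile(r"\d+[^A-Za-z0-9]?$")

def rotation_base(password: str) -> str:
    """Strip the trailing counter: Password2 -> Password, Summer2023! -> Summer."""
    return _TRAILING_COUNTER.sub("", password)

def audit(vault) -> list[tuple[str, str]]:
    """Return sorted (site, issue) pairs; issues are
    short, no-2fa, reused and rotation-pattern."""
    findings = set()
    by_password = defaultdict(list)  # exact password -> sites using it
    by_base = defaultdict(list)      # rotation base -> (site, password)
    for site, pw, has_2fa in vault:
        if len(pw) < MIN_LENGTH:
            findings.add((site, "short"))
        if not has_2fa:
            findings.add((site, "no-2fa"))
        by_password[pw].append(site)
        base = rotation_base(pw)
        if base != pw and len(base) >= 4:   # skip all-digit or tiny bases
            by_base[base.lower()].append((site, pw))
    for sites in by_password.values():
        if len(sites) > 1:
            findings.update((s, "reused") for s in sites)
    for entries in by_base.values():
        if len({pw for _, pw in entries}) > 1:   # same base, different counters
            findings.update((s, "rotation-pattern") for s, _ in entries)
    return sorted(findings)

if __name__ == "__main__":
    for site, issue in audit(SAMPLE_VAULT):
        print(f"{site:14} {issue}")
```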
The Bottom Line
Stop changing your passwords every 90 days just because someone told you to. Instead:
- Create strong, unique passwords for every account
- Use a password manager to keep track of them
- Enable two-factor authentication everywhere
- Change passwords only when there's a specific reason to do so
- Monitor for breaches and respond quickly when they occur
This approach is both easier to maintain and more secure than arbitrary rotation schedules. Security has moved on from the old advice — it's time your password habits did too.