- There’s no set, optimal metric for how often you should change your passwords.
- Most security experts believe that if you have a strong and unique password, you shouldn’t change it unless you believe it’s been compromised.
- Other experts recommend changing passwords several times a year, but this practice is falling out of favor.
- Visit Business Insider’s Tech Reference library for more stories.
No one enjoys working with passwords, but they’re necessary for keeping your accounts secure — at least until something better comes along.
You likely already make sure that your passwords are strong and difficult-to-crack. You might even go the extra step, and never use the same password for more than one account at once.
But there’s another issue to consider: Should you change your passwords on a recurring basis? And if so, how often?
How often you should change your passwords, according to cybersecurity experts
Conventional wisdom holds that you should change your passwords every few months. For years, this was the advice given by security experts, and it’s still easy to find this advice online.
Jo O’Reilly, deputy editor at ProPrivacy.com told Business Insider, “Experts recommend that people should try to update their passwords at least every three months. This ensures that if a password is compromised, the time that a cybercriminal remains inside the hacked account is relatively short.”
That logic seems to make sense, but nowadays, most experts disagree — which is good news for anyone who reels at the thought of changing all their passwords several times a year. In 2017, the National Institute of Standards and Technology (an agency within the Department of Commerce) released Digital Identity Guidelines that changed the password security game.
Dave Hatter, a cyber security consultant at intrust IT, told Business Insider, “Unless you become aware of a password breach, there is no need to change your passwords regularly if each is a strong, unique password. This is even more true if you are using two-factor authentication.”
While not everyone agrees with this strategy, it’s clear that many security experts recommend it. Gabe Turner, Director of Content at Security.org, for example, told Business Insider that users who change their passwords frequently end up taking shortcuts, and inadvertently make their passwords weaker and more easily hackable in the process.
Instead of frequently changing a perfectly good password, you should follow these guidelines:
- Make sure all of your passwords are strong and unique.
- Whenever possible, use some form of two-factor authentication so a cracked password won’t compromise your account. “Combining two-factor authentication with machine-generated passwords renders most user accounts practically uncrackable,” said Tod Beardsley, director of research at Rapid7.
- Use a password manager so you don’t need to memorize or write down your passwords. “Not only will password managers store all of your passwords in an encrypted vault, but they’ll fill them in for you,” said Turner. “Password managers will audit your existing passwords, looking for those that are old, weak or repeated, and will generate new passwords for each of your accounts.”
- If you think one of your accounts has been hacked, change your password immediately.