Password changes are often recommended to keep your account safe, with some companies enforcing them every 1 to 3 months. We’ll put this myth to rest and show you why changing your password often doesn’t make it more secure.
Conventional wisdom states that you should change your passwords regularly to keep hackers off-kilter and continuously scrambling to access your data. These password changes are often advised as a way to keep your account safe and your information secure.
Although it may sound reasonable, it’s not as accurate as people would like to believe. The truth is that changing your password regularly makes you more vulnerable to data breaches and hackers than choosing a strong password in the beginning and leaving it alone.
Forced password changes
Even though it’s your password, some companies have policies in place that require you to change it every 30, 60, or 90 days. They operate under the assumption that changing passwords frequently will keep their data secure. If your password is changed regularly, it ensures that anyone who has unauthorized access to your account can’t maintain it for very long.
Unfortunately, enforcing frequent password changes for security reasons can backfire. These password changes can pop up at the worst possible moment: when you’re clocking in or out for the day, trying to access your weekly timecard, or just trying to get into your email. Pressed for time and facing an account lockout, people tend to fall into a predictable pattern for creating a new password. The passwords chosen are simplistic, incredibly easy to remember, and often go up in sequential order, because they only change the number or special character that’s tacked on the end.
These simple and predictable password patterns are easy to hack, leaving your data far more vulnerable and insecure than it would be if you generated a strong password once and stored it securely in a password manager.
When should you change your password?
Now, this doesn’t mean you can avoid changing passwords ever again. There are key times when you should change a password.
They include:
- A service you use discloses a security incident.
- There is evidence of unauthorized access to your account.
- There is evidence of malware or other compromise of your device.
- You shared access to an account with someone else and they no longer use the login.
- You logged in to the account on a shared or public computer (such as at a library or hotel).
- It’s been a year or more since you last changed the password, especially if you don’t have multi-factor authentication enabled.
In all these cases, updating your password is a smart precautionary step. A new password ensures that someone can’t abuse your account even if they have the old password.
How you should approach password changes
Use the above recommendations as a guideline for approaching password updates going forward. To save you time and help you be smart about making password changes, we also recommend the following:
- Put every password in a password manager. It’s much harder to know when it’s time to update a password when you have no idea how many accounts you have. You should collect all of your accounts in one safe place. A password manager stores all your passwords in a vault, where they’re organized and encrypted for safekeeping.
- Audit your passwords. Let’s say you do have all your passwords collected in a vault. Great! Now look at just how many logins you have stored and find out which ones need a new password.
- Change weak, reused, and compromised passwords first. Prioritize these updates before any others.
- Prioritize sensitive accounts next. Once you’ve eliminated all weak and duplicated passwords, be sure to update your most important passwords, too. Those may be passwords for banking, investments, email, social media, medical records, and taxes. Credentials for Amazon, Netflix, Hulu, and similar streaming and shopping services are also hot commodities on the dark web, so be sure those are strong, too.
- Turn on multi-factor authentication where you can. We’ve said it before, and we’ll say it again. Multi-factor authentication is one of the best ways to slow down or prevent an attack, even when someone steals your password. Be sure to turn it on everywhere you can.
- Set aside time every year to update old passwords. Once you’ve completed the above, don’t go overboard updating your passwords frequently. Unless you know yourself to be a target, the above steps should be enough to protect your accounts. Just set a note in your calendar to audit your password manager vault at least once a year. Block time to update the passwords.
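The audit steps above, together with the "only the number on the end changes" rotation pattern described earlier, can be turned into a simple vault check. The script below is an added example, not code from the original post or from any password manager; the vault entries and the "breached" list are constructed for the demo, and the `sensitive`, `mfa` and `previous` fields are hypothetical tags a manager export might carry. It flags compromised, reused, weak and trivially-rotated passwords first, then sensitive accounts without MFA, then anything older than a year, which is the priority order the post recommends.

```python
import hashlib
import re
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class Entry:
    site: str
    password: str
    last_changed: date
    sensitive: bool = False         # banking, email, medical records, taxes...
    mfa: bool = False               # multi-factor authentication enabled?
    previous: Optional[str] = None  # prior password, if the manager keeps history


# Constructed sample vault: made-up credentials for the demo only.
VAULT = [
    Entry("bank.example", "Tr0ub4dor&3Horse!staple", date(2024, 2, 1), sensitive=True, mfa=True),
    Entry("mail.example", "Summer2024!", date(2024, 6, 1), sensitive=True, mfa=False,
          previous="Summer2023!"),
    Entry("shop.example", "password123", date(2022, 1, 15)),
    Entry("stream.example", "password123", date(2023, 3, 3)),
    Entry("forum.example", "correct-horse-battery-staple-9", date(2021, 11, 9)),
]

# Constructed stand-in for a breach corpus. A real audit would query a
# k-anonymity lookup service with a hash prefix rather than ship a list.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest() for p in ("password123", "Summer2023!", "qwerty")
}

STALE_DAYS = 365  # the post's "a year or more" threshold


def is_weak(pw: str) -> bool:
    """Short, or drawn from fewer than three character classes."""
    classes = sum(bool(re.search(rx, pw)) for rx in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]"))
    return len(pw) < 12 or classes < 3


def is_compromised(pw: str) -> bool:
    """Membership test against the (constructed) breached-hash set."""
    return hashlib.sha1(pw.encode()).hexdigest() in BREACHED_SHA1


def is_trivial_rotation(old: Optional[str], new: str) -> bool:
    """True when the new password is the old one with only the trailing
    digits or symbols changed, e.g. 'Summer2023!' -> 'Summer2024!'."""
    if old is None or old == new:
        return False

    def stem(s: str) -> str:
        return re.sub(r"[\d\W_]+$", "", s).lower()

    return stem(old) != "" and stem(old) == stem(new)


def audit(vault: List[Entry], today: date) -> List[Tuple[str, List[str]]]:
    """Return (site, issues) pairs, most urgent first, in vault order within a tier."""
    sites_by_password = {}
    for e in vault:
        sites_by_password.setdefault(e.password, []).append(e.site)

    findings = []
    for e in vault:
        issues = []
        if is_compromised(e.password):
            issues.append("compromised")
        if len(sites_by_password[e.password]) > 1:
            issues.append("reused")
        if is_weak(e.password):
            issues.append("weak")
        if is_trivial_rotation(e.previous, e.password):
            issues.append("trivial rotation")
        if e.sensitive and not e.mfa:
            issues.append("sensitive without MFA")
        if (today - e.last_changed).days > STALE_DAYS:
            issues.append("stale")
        if issues:
            findings.append((e.site, issues))

    def tier(item: Tuple[str, List[str]]) -> int:
        issues = item[1]
        if any(i in issues for i in ("compromised", "reused", "weak", "trivial rotation")):
            return 0  # fix these first
        if "sensitive without MFA" in issues:
            return 1  # then the high-value accounts
        return 2      # then the merely old ones

    findings.sort(key=tier)  # stable sort keeps vault order inside each tier
    return findings


def audit_sample() -> List[Tuple[str, List[str]]]:
    """Run the audit on the constructed vault with a fixed reference date."""
    return audit(VAULT, today=date(2025, 1, 1))


if __name__ == "__main__":
    for site, issues in audit_sample():
        print(f"{site:16} {', '.join(issues)}")
```

Run it as a script and it prints the to-do list in the order you should work through it. The rotation check is the piece that addresses the forced-change problem: a manager or policy that rejects a candidate that only bumps the trailing number forces a genuinely new password rather than the next item in a predictable sequence.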
At the end of the day, our advice is to set up a good password system, aided by a password manager. Once you are organized and have done the initial work to clean up your password security, it’s much easier to maintain that strong security going forward.