How Often Should You Change Your Passwords (and When You Shouldn’t)

You’ve probably heard this advice: “change your passwords every few months.” Be honest—did that ever lead to Password2024! becoming Password2025!? You’re not alone. There’s a better, easier way to stay secure.
TL;DR (the short answer)
You don’t need a fixed schedule. Leading guidance (NCSC, NIST, Microsoft) says: change passwords when there’s risk (breach, odd logins, shared or reused passwords). Otherwise, focus on strong, unique passwords, 2FA — and increasingly, passkeys.
Why the old “every 90 days” rule was retired
Forced rotation often produces predictable tweaks (Summer2025 → Autumn2025 → Winter2025!) and quiet reuse across sites. That reduces security, raises support tickets, and trains people to choose shorter, more memorable (weaker) passwords. Modern guidance replaced “change on a calendar” with “change on events”.
What leading orgs say
- UK NCSC: recommends avoiding regular password expiry and focusing on strong, unique passwords plus multi‑factor auth (guidance).
- NIST SP 800‑63B: advises against periodic changes without evidence of compromise; change on known events instead (standard).
- Microsoft: removed “password expiration” from baseline recommendations, citing limited security benefit and user burden (baseline).
When you should change passwords
- Service breach: The site/app reports a breach or appears in breach notifications.
- Suspicious activity: Unknown logins, impossible‑travel alerts, password‑reset emails you didn’t trigger, MFA prompts you didn’t initiate.
- Shared credentials: You shared access (family, colleague, contractor) and they no longer need it.
- Password reuse: You reused a password and one of those sites was compromised.
- Device compromise: A lost/stolen device, malware, or you used a public/unknown machine.
- Role changes: Leaving a job or changing roles that alter access requirements.
- Phishing risk: You entered credentials on a dodgy page or over unsecured Wi‑Fi — assume compromise and rotate.
Pro tip: When you change an affected password, also sign out active sessions, revoke app tokens, and review recovery options and forwarding rules (email accounts especially).
When you don’t need to change them
If you follow these practices, you can safely keep a password for longer:
- Unique passwords for every account (no reuse, no patterns).
- 2FA enabled on high‑value accounts (email, banking, cloud storage, social, work SSO).
- Password manager to generate/store long random passwords and alert on breaches.
- Passkeys enabled wherever available — they’re phishing‑resistant and remove password fatigue.
How to spot problems early
- Breach monitoring: Use a reputable service like Have I Been Pwned.
- Security dashboards: Check “recent activity”, devices, and sessions pages for major accounts.
- Alerts on sign‑in: Turn on login notifications; act fast on anything unfamiliar.
- Banking & email hygiene: Watch for changes to recovery email/phone, forwarding rules, and new app passwords.
How to create stronger passwords and passphrases
A strong password should be:
- 12+ characters (16+ preferred).
- A mix of uppercase, lowercase, digits, and symbols.
- Unique for every account.
Tip: Use our password generator to create secure, unique passwords instantly — or switch to a passphrase (4–6 random words) where allowed. Our passphrase generator supports separators, capitalization, numbers, and symbols.
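An added example (not the post's own generator) of how a passphrase generator of the kind described above can work and how much entropy each option buys. The wordlist is a constructed 16-word stand-in; a real tool would load a large diceware-style list such as the 7776-word EFF long list, and the entropy function takes the list size as a parameter so you can see both cases.

```python
import math
import secrets
import string

# Constructed demo wordlist (16 words = 4 bits per word). A production
# generator would load a large diceware-style list, e.g. 7776 words.
WORDLIST = [
    "anchor", "basil", "cobalt", "dune", "ember", "fjord", "gable", "harbor",
    "iris", "juniper", "kelp", "lantern", "meadow", "nickel", "orchid", "pewter",
]
SYMBOLS = "!@#$%^&*"


def passphrase_entropy_bits(n_words: int, wordlist_size: int,
                            capitalize: bool = False,
                            digits: int = 0, symbols: int = 0) -> float:
    """Entropy of a passphrase whose words are chosen uniformly at random.

    Each word contributes log2(wordlist_size) bits. Random per-word
    capitalization adds 1 bit per word; each appended random digit adds
    log2(10) bits and each appended symbol log2(len(SYMBOLS)) bits.
    """
    bits = n_words * math.log2(wordlist_size)
    if capitalize:
        bits += n_words
    bits += digits * math.log2(10) + symbols * math.log2(len(SYMBOLS))
    return bits


def generate_passphrase(n_words: int = 4, separator: str = "-",
                        capitalize: bool = False, digits: int = 0,
                        symbols: int = 0, wordlist=WORDLIST) -> str:
    """Build a passphrase with the secrets module (CSPRNG), never random.*"""
    words = [secrets.choice(wordlist) for _ in range(n_words)]
    if capitalize:
        # One fair coin flip per word, so the extra bit per word is genuine.
        words = [w.capitalize() if secrets.randbits(1) else w for w in words]
    suffix = "".join(secrets.choice(string.digits) for _ in range(digits))
    suffix += "".join(secrets.choice(SYMBOLS) for _ in range(symbols))
    return separator.join(words) + suffix


if __name__ == "__main__":
    print(generate_passphrase(4, "-"),
          f"{passphrase_entropy_bits(4, len(WORDLIST)):.1f} bits (demo list)")
    print(f"4 words from a 7776-word list: "
          f"{passphrase_entropy_bits(4, 7776):.1f} bits")
```

The second line of output is why 4 to 6 random words is the usual advice: with a 7776-word list that is roughly 52 to 78 bits before any capitalization, digits or symbols are added.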
Two‑factor & passkeys: what to use (and avoid)
- Best: Security keys (FIDO2/WebAuthn) or passkeys — strong, phishing‑resistant.
- Good: TOTP authenticator apps (time‑based codes).
- OK in a pinch: SMS codes — better than nothing, but vulnerable to SIM‑swap.
- Always: Store backup codes somewhere safe (separate from your device).
Password managers 101
Choose a reputable manager with:
- End‑to‑end encryption, audited security, and zero‑knowledge architecture.
- Cross‑device sync, secure sharing, breach monitoring, and passkey support.
- A long master passphrase and 2FA enabled on the vault.
Set‑up hygiene:
- Create separate vaults/profiles for Work and Personal.
- Import existing passwords and let the tool flag weak/reused ones.
- Schedule a quick monthly tidy (5 minutes) to clear old logins and rotate anything risky.
Myth vs Fact
- Myth: “Changing passwords every month is safest.”
Fact: Forced rotation often produces weaker, predictable passwords. Change on events, not a calendar.
- Myth: “All 2FA is the same.”
Fact: Security keys/passkeys and authenticator apps are stronger than SMS.
- Myth: “I’ll remember a complex password.”
Fact: Don’t. Let a manager generate/store long random passwords and use a passphrase for the master password.
- Myth: “One pattern with tweaks is fine.”
Fact: Attackers test common variations (!, !!, 2025, months, seasons). Patterns = reuse.
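The predictable-tweak problem described under “Why the old every 90 days rule was retired” and in the last myth above is something a password-change flow can check for on the defender’s side. The following is an added example (not code from this post or from any of the cited organisations) of a normaliser that strips the parts people typically vary (case, trailing digits and symbols, years, seasons, month names) and then compares the old and new password cores; the thresholds are assumptions chosen for the demo.

```python
import calendar
import re

SEASONS = ("spring", "summer", "autumn", "fall", "winter")
MONTHS = tuple(m.lower() for m in calendar.month_name[1:])
YEAR_RE = re.compile(r"(?:19|20)\d{2}")          # 1900-2099 anywhere
TRAILING_RE = re.compile(r"[\d!@#$%^&*.?]+$")    # trailing digits/symbols


def core(password: str) -> str:
    """Reduce a password to the part the user actually chose.

    Case, trailing digits/symbols, years, seasons and month names are all
    removed. The normaliser is deliberately aggressive (it will also strip
    'may' out of 'maybe'), which is acceptable for comparing an old and a
    new password but means is_predictable_pattern can have false positives.
    """
    s = password.lower()
    s = TRAILING_RE.sub("", s)
    s = YEAR_RE.sub("", s)
    for token in SEASONS + MONTHS:
        s = s.replace(token, "")
    return s


def is_trivial_rotation(old: str, new: str) -> bool:
    """True when `new` is a predictable tweak of `old`.

    Either the two cores are identical (Password2024! -> Password2025!,
    Summer2025 -> Autumn2025) or they have the same length and differ in at
    most one character (e.g. a single a->@ or o->0 substitution).
    """
    a, b = core(old), core(new)
    if a == b:
        return True
    return len(a) == len(b) and sum(x != y for x, y in zip(a, b)) <= 1


def is_predictable_pattern(password: str) -> bool:
    """True when almost nothing survives normalisation, i.e. the password is
    built only from seasons/months/years/suffixes (threshold of 4 is assumed)."""
    return len(core(password)) < 4


if __name__ == "__main__":
    for old, new in [("Password2024!", "Password2025!"),
                     ("Summer2025", "Autumn2025"),
                     ("Summer2025", "fjord-lantern-orchid-dune")]:
        print(f"{old!r} -> {new!r}: trivial={is_trivial_rotation(old, new)}")
```

A change flow that rejects trivial rotations only makes sense alongside the event-based policy the post recommends; it is a guard against the failure mode of forced rotation, not an argument for rotating more often.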
5‑step checklist (do this today)
- Turn on 2FA for email, bank, cloud storage, social, and work SSO.
- Change any reused passwords to unique, random ones (start with email + bank).
- Run a breach check at Have I Been Pwned and rotate any exposed accounts.
- Install a password manager, create Work and Personal vaults, and enable 2FA on the vault.
- Enable passkeys on major accounts that support them and store backup codes safely.
FAQs
Isn’t changing passwords often always safer?
No. It commonly leads to weaker, predictable passwords. Use strong, unique passwords + 2FA and change on events (breach, suspicious activity, reuse).
How do I know if a site was breached?
Watch for official notices and use breach‑monitoring services like Have I Been Pwned. If in doubt, change the password and enable 2FA.
Are passphrases better than complex passwords?
Often, yes. Random 4–6 word passphrases can be both high‑entropy and memorable. Avoid common phrases or quotes; choose truly random words.
What about work policies that still force rotation?
Follow your employer’s policy. If you can, share modern guidance from NCSC/NIST/Microsoft and discuss moving to event‑based changes with strong 2FA/passkeys.
Do I need to change passwords after losing my phone?
If your phone had authenticated sessions or your authenticator app, revoke sessions, rotate critical passwords, and restore 2FA on a new device using backup codes.
Sources & further reading
- UK NCSC: Password collection & guidance — https://www.ncsc.gov.uk/collection/passwords
- NIST SP 800‑63B: Digital Identity Guidelines — https://pages.nist.gov/800-63-3/sp800-63b.html
- Microsoft: Password policy and guidance — https://learn.microsoft.com/windows/security/identity-protection/identity-guidance/password-guidance
- Have I Been Pwned: breach checks — https://haveibeenpwned.com/
Image credit: AI‑generated illustration created for this post.