Date First Published: 16th October 2023
Subtopic: Security Mechanisms & Technologies
Difficulty Level: 2/10
Learn about whether you should regularly change your password in this article.
You have probably heard from multiple sources that you should change your password regularly: every six months, every three months, or even every month. This is a common myth. The truth is that as long as your password is already strong, has not been exposed in a data breach, and has not been discovered by someone else, there is no need to change it on a schedule, and you are unlikely to gain anything by swapping it for another strong password.
If you already have a strong password for a web-based service or an electronic account, then you can keep it for as long as you use that service, unless it has been compromised, or you think that someone has accessed your account without your permission. In that case, you should immediately change it.
You may also have heard that you should regularly change your password because you never know who has accessed your account. The only way someone else could access your account is by obtaining your password, and most people would notice if someone gained access without their permission: they may receive an email notification about a new login from an IP address they don't recognise, or see changes to their account that they don't remember making. This advice comes from the myth that almost all passwords leak over time.
Frequently changing your password can also make your passwords less secure and give you a false sense of security. If you keep changing your password, you will often end up picking one very similar to the one you had before, similar to one you use on another account, or a weak and easy-to-guess password chosen so that you won't forget it.
Using variations of passwords across multiple accounts is risky because if one of them becomes compromised, all the passwords for your other accounts would be easy to guess. Overall, it will make it harder to remember good passwords since you have to remember a new password every couple of months. By trying to make your passwords more secure, you will often unintentionally make them worse.
The National Cyber Security Centre (NCSC) recommends against automatic password expiry because of the inconvenience to users and the risk of users choosing passwords very similar to their previous ones, a pattern attackers can exploit. The NCSC recommends that organisations do not force regular password expiry because of the inconvenience and the vulnerabilities associated with regularly expiring passwords. It wants administrators to consider alternative and more effective system mechanisms for detecting and preventing unauthorised account use, including limits on failed login attempts and system monitoring tools that can detect suspicious activity.
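As an added example (not from the original article or from the NCSC), this is the kind of check a change-password handler can run so that a "new" password is not merely a tweak of the old one, which is the weakness described above. The normalisation rules, the 12-character minimum and the 0.8 similarity threshold are assumptions chosen for illustration:

```python
import re
from difflib import SequenceMatcher

# Common character swaps people use when forced to rotate a password (assumed list).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s"})

def normalise(password: str) -> str:
    """Reduce a password to its 'core' so rotation tweaks do not hide reuse."""
    core = password.lower()
    core = re.sub(r"[\d!@#$%^&*._-]+$", "", core)   # drop an appended year, counter or symbol
    return core.translate(LEET)

def similarity(old: str, new: str) -> float:
    """0.0 (unrelated) to 1.0 (identical core) after normalisation."""
    return SequenceMatcher(None, normalise(old), normalise(new)).ratio()

def is_trivial_variation(old: str, new: str, threshold: float = 0.8) -> bool:
    """True when the new password is just a tweak of the old one."""
    n_old, n_new = normalise(old), normalise(new)
    if len(n_old) >= 4 and (n_old in n_new or n_new in n_old):
        return True                                 # old core embedded in the new one
    return similarity(old, new) >= threshold

def check_new_password(old: str, new: str, min_len: int = 12) -> str:
    """Verdict a change-password handler could return; 'ok' means accept."""
    if is_trivial_variation(old, new):
        return "too similar to previous password"
    if len(new) < min_len:
        return "too short"
    return "ok"

if __name__ == "__main__":
    # Constructed sample pairs: the first three are typical rotation tweaks.
    for old, new in [("Summer2023!", "Summer2024!"), ("P@ssw0rd1", "Password2"),
                     ("Summer2023!", "Summer2023!Extra"),
                     ("Summer2023!", "correct horse battery staple")]:
        print(f"{old!r} -> {new!r}: {check_new_password(old, new)}")
```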
Instead of changing your passwords on a schedule, it is more important to use strong, unique passwords together with extra security features such as two-factor authentication, and to change them only when necessary: when you know your old password is weak, your account has been involved in a data leak, your computer has recently been infected with malware or spyware, or you notice suspicious activity in your accounts. Changing your passwords for no reason is more likely to create problems than solve them.