Changing Passwords Isn’t the Security Measure You Think It Is.
There are many tips for proper password management: each of your passwords should be strong and unique; use a secure password manager to store them; use two-factor authentication (2FA) to add an extra layer of security to your accounts. But there's another piece of advice that gets repeated just as often: change your passwords regularly, perhaps every three months. This habit is so entrenched that many companies and organizations force you to change your passwords several times a year in the name of security. The thing is, in all likelihood, it doesn't actually make you any safer.
The idea that changing your passwords several times a year is a cornerstone of security may be ingrained in some of you. After all, this is not new advice. As PCMag discovered, the practice has a long history: when security experts wrote about passwords, they usually wrote about changing them too. Part of that is simply how the advice has always been given. But the rule mostly exists to anticipate and compensate for bad password habits: if people pick weak, reused passwords, forcing a change at least limits how long a stolen one stays useful.
Good passwords (usually) don’t need to be changed.
Changing a password only really makes sense if it has been compromised. After all, if no one else knows your password, why change it? Passwords are, however, stolen and cracked all the time, so it might seem logical to change yours frequently: you never know which of them might be guessed, right? Might as well keep the bad actors on their toes.
But let's take a step back: none of your passwords should be guessable in the first place. If an attacker managed to guess your password, it was a bad password and you shouldn't have used it. I'll go further and say that none of your passwords should be crackable by a computer either, at least not on a timeline that matters.
A good password, one that is both strong and unique, is effectively uncrackable: long, varied and not used anywhere else. It doesn't matter if one of the companies holding your accounts is breached, as long as the password stolen there is different from the ones you use everywhere else. You can use a tool like Bitwarden's password strength tester to see roughly how long it would take a computer to crack various passwords. "Lifehacker" is estimated to fall in eight seconds; "Lifehackerdaughtcalm" takes centuries. Keep in mind that these figures estimate an offline guessing attack against a stolen password hash; a site that stores passwords in plaintext, or leaks them some other way, exposes even a strong password, which is exactly why uniqueness matters as much as strength.
If a password is strong and unique and would theoretically take longer than a human lifetime to crack, there is no need to change it after three months. There is no need to change it after a year. There is no need to change it at all unless it has actually been exposed.
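To make the "seconds versus centuries" comparison concrete, here is a small crack-time estimator. It is an added example written for this article, not Bitwarden's tool or any other real cracker, and it uses two constructed assumptions: an offline attacker trying ten billion guesses per second against fast, unsalted hashes, and a five-entry wordlist standing in for the hundreds of millions of leaked passwords real crackers try first. It models the two things that matter: a dictionary word falls on the wordlist pass no matter how it is capitalised, while anything else is bounded by exhaustive search over its character set, which grows exponentially with length.

```python
import string

# Constructed assumption for this example: an offline attacker who has
# stolen a database of fast, unsalted hashes and can try ten billion
# guesses per second on a GPU rig. Slow hashes (bcrypt, Argon2) cut this
# rate by orders of magnitude; an online login form is far slower still.
GUESSES_PER_SECOND = 10_000_000_000
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed, tiny stand-in for the wordlists real crackers use, which
# run to hundreds of millions of leaked passwords and dictionary words.
WORDLIST = {"lifehacker", "password", "qwerty", "letmein", "dragon"}
# Capitalisation rules a cracker applies to every wordlist entry.
CASE_RULES = ("lower", "Capitalized", "UPPER")


def charset_size(password: str) -> int:
    """Size of the standard character classes the password draws from."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # the 32 printable ASCII symbols
    return size


def guesses_to_crack(password: str) -> int:
    """Upper bound on the guesses needed: wordlist pass, then exhaustive search.

    Any capitalisation of a wordlist entry falls in the first pass, which is
    why a single dictionary word is weak however it is spelled.
    """
    if password.lower() in WORDLIST:
        return len(WORDLIST) * len(CASE_RULES)
    return charset_size(password) ** len(password)


def years_to_crack(password: str, rate: int = GUESSES_PER_SECOND) -> float:
    """Years to exhaust the search space at the assumed guess rate."""
    return guesses_to_crack(password) / rate / SECONDS_PER_YEAR


def verdict(password: str) -> str:
    """Coarse label matching how strength testers report their estimate."""
    seconds = years_to_crack(password) * SECONDS_PER_YEAR
    if seconds >= 100 * SECONDS_PER_YEAR:
        return "centuries"
    if seconds >= SECONDS_PER_YEAR:
        return "years"
    if seconds >= 24 * 3600:
        return "days"
    if seconds >= 3600:
        return "hours"
    return "seconds"


if __name__ == "__main__":
    for pw in ("Lifehacker", "12345678", "Lifehackerdaughtcalm"):
        print(f"{pw:24} charset={charset_size(pw):3} "
              f"guesses={guesses_to_crack(pw):.3g} -> {verdict(pw)}")
```

The exact numbers are less important than the shape: the word "Lifehacker" is gone in a handful of guesses, while a 20-character mixed-case string that is not in any list sits behind 52^20 possibilities, far beyond a human lifetime at any realistic rate. That is the property that makes calendar-based rotation pointless for a password like that.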
When to change your password
I'm not saying you should never change your password. You should definitely change it if someone else gets hold of it. This most often happens when the company that owns your account suffers a data breach. Say there was a major data breach at AT&T and user authentication data was leaked onto the dark web. In that case, you should change your password as soon as possible. The company in question will likely advise you to do the same, and may even offer some perks to compensate for the inconvenience of having your data leaked.
Of course, data breaches aren't the only way a good password gets exposed. Malware is another threat to watch out for. If you fall for a phishing scam, for example, and download malware onto your computer, it can log and steal the passwords to your sensitive accounts. Or you could be tricked into opening a fake version of a website where you have an account, enter your username and password there, and voilà: the password is stolen.
In these cases your strong, unique password has been exposed, so yes, it's time to change it. But if there's no concrete reason, you don't need to worry about rotating it.
To be clear, you won't compromise your security by changing your passwords. In fact, you may not even have a choice if your company or organization requires you to change yours from time to time. But as long as all your passwords are strong and unique and none of them has been compromised, you're just making extra work for yourself for no real benefit.
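"Change it when it has been exposed" raises the obvious question of how you find out. Besides breach notices, the standard technique is to check your password against a corpus of leaked ones without ever sending the password itself. Here is an added example of that check, written for this article and not taken from any password manager or from Have I Been Pwned. It follows the k-anonymity scheme that the Pwned Passwords range API uses: you send only the first five hex characters of the password's SHA-1, get back every leaked hash suffix sharing that prefix, and do the final comparison locally. The HTTP call is replaced with a constructed, offline response; the first suffix in it is the real SHA-1 of "password", the other suffixes and all the counts are made up.

```python
import hashlib
from typing import Callable, Dict, Tuple

# Constructed sample of a Pwned Passwords range response for the prefix
# 5BAA6: one "<35-hex-char suffix>:<count>" line per leaked hash with that
# prefix. The second line is the real SHA-1 of "password"; the other two
# suffixes and every count are invented for this example.
SAMPLE_RANGES: Dict[str, str] = {
    "5BAA6": (
        "003D68EB55068C33ACE09247EE4C639306B:3\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824\r\n"
        "1F2B668E8AABEF1C59E9EC6F82E3F3CD786:1\r\n"
    ),
}


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case hex SHA-1 into the 5-char prefix that is sent to
    the service and the 35-char suffix that never leaves your machine.

    This is the k-anonymity trick: the service learns only that your hash is
    one of the several hundred that begin with those five characters.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a suffix -> count mapping."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def offline_fetch(prefix: str) -> str:
    """Stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.

    Returns the constructed sample above, or an empty body for any other
    prefix, so the example runs without network access.
    """
    return SAMPLE_RANGES.get(prefix, "")


def breach_count(password: str,
                 fetch: Callable[[str], str] = offline_fetch) -> int:
    """How many times the password appears in the corpus (0 = not seen)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range(fetch(prefix)).get(suffix, 0)


def should_rotate(password: str,
                  fetch: Callable[[str], str] = offline_fetch) -> bool:
    """The article's rule in code: rotate on evidence of exposure, not on a calendar."""
    return breach_count(password, fetch) > 0


if __name__ == "__main__":
    for pw in ("password", "Lifehackerdaughtcalm"):
        print(f"{pw!r}: seen {breach_count(pw)} times, "
              f"rotate={should_rotate(pw)}")
```

Swap `offline_fetch` for a real HTTP GET against the range endpoint and the same logic works against the live corpus; the password and its full hash still never leave your machine, only the five-character prefix does. Many password managers run exactly this kind of check for you, which is a far better use of your time than rotating everything every quarter.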
Security tips that won't waste your time
Want real security improvements? Store all those strong, unique passwords in a secure password manager. That way you only need to remember one strong and unique password: the master password of your password manager. Also, use two-factor authentication (2FA) wherever it's available. 2FA requires a second proof, typically from a trusted device, after you've entered the correct password. This way, even if an attacker learns your password, they can't get in without access to that device. (Just prefer an authenticator app or a hardware security key over SMS codes, which can be hijacked through SIM swapping.)
If your accounts support it, you may also want to look into passkeys instead of passwords. Passkeys effectively combine the convenience of passwords with the security of 2FA: a cryptographic key pair is generated on your trusted device, the private half never leaves it, and the site keeps only the public half and asks your device to sign a challenge when you log in. That means there is no password for you to type, for a phishing site to capture, or for a breached server to leak. As long as you unlock the device, say with Face ID or a PIN, you're in.
If you make sure each of your accounts is protected with these steps, and you keep an eye out for data breaches affecting the services you use, there's no reason to worry about changing your passwords every three months. Stay safe out there.