How often should you change your passwords?

After choosing the right password, the question arises if and how often you should change your passwords.

Reading time:
4 min
How often should you change your passwords? Image by rawpixel.com on Freepik

Always and nearly everywhere you are told how to choose a secure password: Upper and lower case letters, numbers and special characters, no variations of already existing passwords and in no case use a password more than once. After you have chosen your password appropriately, the only question that remains is: how often you should change your passwords.

Originally, a regular password change several times a year was recommended, often every three months. At least that’s what experts thought for a while.

However, this changed and the common opinion now is to focus on changing a password rarely, it is rather emphasized to choose it correctly. Basically, it is advisable to use a password manager instead of remembering several long and different passwords. Regardless of whether they are employees, customers or even private individuals, many users state that they are overwhelmed with managing many different passwords. This inevitably leads to the choice of rather simple and thus insecure passwords, or to use the same password with slight variations, e.g. depending on the season, to add a certain number to the end. Unauthorized access to accounts with such passwords is often gained by attackers through pure guesswork or trial and error.

A long password that is as complex as possible, but especially unique, is the best way to protect an account, and the user should not be forced to change his password more frequently than once a year. However, this rough rule does not mean that you should never change a password, no matter how secure it is! In fact, there are some occasions when it is important to reset a password. Here are some of them:

No matter how careful you are there is no absolute security and malware or phishing emails can still get onto your computer or other devices in use such as smartphones. Also, if it happens that you are using a PC other than your own, it is important to log out of any accounts you may have used when you are finished. If you decide to pass on a device, for example to sell it, make sure that you have reset the device to its factory defaults and that all personal information has been deleted.

Additional protective measures can also significantly improve account security. Multi-factor authentication, for example, is a very effective protection approach. If a notification via push or SMS is used for this, you will also know if someone unauthorized tries to log into one of your accounts.

Explanation of why a general password change, for example every three months, is not absolutely necessary. Provided that a secure password has been chosen, it is usually sufficient to change the password in explicit situations. Here are five examples: An IT security incident has been detected, suspected unauthorized account access, malware or phishing, shared access to an account, an inactive or neglected account.
Figure: Summary of when it is strongly recommended to change a password.

Contact an Expert

Do you have any further questions or need specific help? Write us a message or arrange a meeting directly.

Show more

Get to the blog