How often should you change your passwords?

Always and nearly everywhere you are told how to choose a secure password: upper and lower case letters, numbers and special characters, no variations of already existing passwords and, under no circumstances, the same password used more than once. Once you have chosen your password appropriately, only one question remains: how often should you change it?

Figure: How often should you change your passwords? (Image by rawpixel.com on Freepik)

Originally, a regular password change several times a year was recommended, often every three months. At least, that is what experts thought for a while.

However, this has changed. The common opinion now is that a password should be changed rarely; the emphasis is on choosing it correctly in the first place. It is generally advisable to use a password manager instead of trying to remember several long and different passwords. Regardless of whether they are employees, customers or private individuals, many users state that they are overwhelmed by managing many different passwords. This inevitably leads either to the choice of simple and therefore insecure passwords, or to reusing the same password with slight variations, e.g. by appending a number that changes with the season. Attackers often gain unauthorized access to accounts protected by such passwords through pure guesswork or trial and error.
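As an added illustration (not from the original post) of the "no variations of an existing password" rule: a check that a password-change handler could run against the user's previous passwords, undoing the typical recycling tricks (case changes, an appended counter, a year, a season name, leetspeak) before comparing. The function names, the substitution table, the season list and the similarity threshold are assumptions for this example.

```python
import re
from difflib import SequenceMatcher

# Hypothetical helper: names, the leetspeak table, the season list and the
# similarity threshold below are assumptions for this illustration.
SEASONS = ("spring", "summer", "autumn", "fall", "winter")
# Common letter substitutions (@ -> a, $ -> s, 0 -> o, 1 -> i, 3 -> e, ! -> i, | -> l)
LEET = str.maketrans("@$013!|", "asoieil")


def normalize(password: str) -> str:
    """Reduce a password to its 'core' by undoing the tricks users apply to
    recycle an old password: case changes, a counter or punctuation appended
    at the end, a four-digit year, a season name and leetspeak."""
    p = password.lower()
    p = re.sub(r"[^a-z]+$", "", p)          # drop trailing digits/punctuation ("...2024!")
    p = re.sub(r"(19|20)\d{2}", "", p)      # drop four-digit years anywhere
    for season in SEASONS:                  # heuristic: also hits words like "waterfall"
        p = p.replace(season, "")
    return p.translate(LEET)


def is_trivial_variant(old: str, new: str, threshold: float = 0.8) -> bool:
    """True if `new` is just a cosmetic rewrite of `old`.
    An empty core means the password consisted only of season/year/counter
    material, which is itself a variant pattern worth rejecting."""
    a, b = normalize(old), normalize(new)
    if a == b:
        return True
    if a and b and (a in b or b in a):
        return True
    return SequenceMatcher(None, a, b).ratio() >= threshold


def check_new_password(new: str, history: list[str]) -> bool:
    """Accept `new` only if it is not a trivial variant of any previous password."""
    return not any(is_trivial_variant(old, new) for old in history)


if __name__ == "__main__":
    history = ["Winter2023!", "P@ssw0rd1"]   # constructed sample password history
    for candidate in ("Spring2024!", "P@ssw0rd2", "correct horse battery staple"):
        verdict = "accepted" if check_new_password(candidate, history) else "rejected"
        print(candidate, "->", verdict)
```

In a real deployment the history would hold salted hashes, so the comparison has to run at change time while the old password is still available in cleartext (e.g. when the user enters it to authorize the change).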

A long password that is as complex as possible, but above all unique, is the best way to protect an account, and users should not be forced to change their password more often than once a year. However, this rough rule does not mean that a password should never be changed, no matter how secure it is. In fact, there are some occasions when it is important to reset a password. Here are some of them:

No matter how careful you are, there is no absolute security: malware can still get onto your computer or onto other devices in use, such as smartphones, and phishing emails can still reach you. Also, if you ever use a PC other than your own, make sure to log out of every account you used once you are finished. If you decide to pass on a device, for example to sell it, make sure that you have reset it to its factory defaults and that all personal information has been deleted.

Additional protective measures can also significantly improve account security. Multi-factor authentication, for example, is a very effective approach. If a push notification or SMS is used for the second factor, you will also notice when someone unauthorized tries to log into one of your accounts.

Figure: Summary of when it is strongly recommended to change a password. The graphic explains why a general password change, for example every three months, is not strictly necessary: provided that a secure password has been chosen, it is usually sufficient to change it in explicit situations. Five examples are given: an IT security incident has been detected; unauthorized account access is suspected; malware or phishing has occurred; access to an account has been shared; the account is inactive or neglected.

Reading time: 4 min
Authors: Aura Pop & Rene Neff
