Here’s when you really need to change your passwords

Most things you’ve been told about passwords—including the need to change them frequently—came from a 2003 report by the National Institute of Standards and Technology (NIST). But NIST admitted last year¹ that some of that guidance may have actually been counter-productive. Their new advice is different: You really only need to change a password when that site has had a breach or if you think it has otherwise been compromised.²

Research shows³ that making people update passwords too frequently can in fact have negative consequences. “The big problem is that people tend to change their password in a predictable way, for example, by incrementing a digit at the end,” says Dr. Lorrie Faith Cranor, Director of the CyLab Usable Privacy and Security Laboratory at Carnegie Mellon University.

“Therefore, someone who knows your old password can guess your new password pretty easily.” Requiring frequent changes also leads to people writing passwords on a sticky note or saving them as a file on their computer (that’s always a no-no).

The big caveat to this advice: It only applies if you have different passwords on every site, as you should. If not, you’d need to change them all every time there’s a breach, since one password getting out could put all your accounts at risk. “Every time you reduce your password reuse, you make yourself safer,” says Jeff Goldberg, Chief Defender Against the Dark Arts (his actual title) at AgileBits⁵, which makes the password manager “1Password.” If you still have some password reuse but hear of a hack or data breach, start by changing your bank, credit card, email and computer passwords first and then work your way through the rest.

If having unique passwords for every site, changing compromised ones right away, and tracking data breaches all sound like too much hassle, one solution may be to use a password manager. Read about the benefits (and risks) of that here.

The Three Biggest Password Mistakes

Many Americans fail to practice what’s called “good password hygiene.” Basically, it’s human nature to take password shortcuts, and that’s what hackers count on. Here are the top three password blunders.
  • Using the same password on multiple sites. Each stolen login combo will be tried on thousands of sites. If you repeat passwords, any hacked login puts all accounts with the same password (or similar password) at risk.
  • Using a simple or easily guessed password. The bad guys know all the most common phrases and techniques, and they have programs that can make millions of guesses a minute. Your “system”—dog’s name plus first initial of company and year of your birth—will quickly be cracked, especially if your dog’s name is on social media!
  • Ignoring your password vulnerability, even after a breach. You don’t have to change passwords every three months—in fact, that’s a bad idea as explained here—but when you know of a breach on a site or account, change that one right away. And be sure to change your login on every site where you repeated that password.

1 “The man who wrote those password rules has a new tip N3v$r M1^d!,” 8-7-18, Wall Street Journal.
2 Summary: “NIST’s new password rules-what you need to know,” 8-18-16, NakedSecurity by Sophos. NIST guidelines: NIST Special Publication 800-63B, Digital Identity Guidelines.
3 “Time to rethink mandatory password changes,” Lorrie Cranor.
4 “The Password Exposé: 8 truths about the threats – and opportunities – of employee passwords,” LastPass, pages 8 and 9.
5 Jeff Goldberg, Email interview, 4-27-18.