For decades, the conventional wisdom of “periodically changing” your login password stood firm.  Concerns about passwords being stolen or discovered and threat actors gaining access to your valuable information caused this to be true and necessary.  However, more recently, the conversation has been expanded and the “rules” have changed.

You may have read information from the National Institute of Standards and Technology (NIST) that says changing passwords is not only no longer necessary, but could be harmful leading to the use of simple or slightly varied passwords.  That comes with some caveats about how you are creating  your passwords and how you are securing them.

Let’s start by looking at best practice password hygiene.

  • Passwords should be at least 16 characters in length. This will not only make them near impossible to crack with a password cracking tool, but will also prevent them from being stored in a browser (which you should never do).
  • Passwords should be complex in nature. This means that they should include numbers, lower case letters, upper case letter, and special characters.  The easiest way to achieve this is by using a password manager that will generate the passwords for you and store them for future use so you never need to type them.
  • Multi Factor Authentication should be used for all systems that you log in to. This means that even if someone did get your password, they would not be able to login to the system without the second factor.
  • Password should be used for one and only one application. Reusing passwords increases the possibility of multiple systems being compromised if a single password is stolen.

If you are following all these practices, then it is not necessary to have an arbitrary periodic change of your passwords unless you are subject to a compliance which requires you to do so or using a system which requires it.

You should be sure to change your password in the following cases:

  • After a breach of your password
  • After using a public Wi-Fi system
  • After logging into your accounts from someone else’s computer
  • If it has been a while since you have logged into an account

Password hygiene is critical for the security of your data and systems.  Following these guidelines can help you protect your systems and not require you to change your passwords every 30-90 days as used to be the standard.