Depending upon who you talk to, you should change your password every 30, 60, or even 90 days.
This practice has actually caused some issues. The reasoning was that regularly changing your password makes it less likely to be cracked, and if it was, the attacker would only have limited access before you changed it.
However, frequent changes created a problem of their own. Forced to change passwords so often, people tended to choose passwords that were:
- easy to guess, because a new one had to be invented so frequently,
- the same password with a number after it, e.g. paswrd01, paswrd02, etc.,
- the same password reused across different sites, and/or
- written down or otherwise stored insecurely.
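The counter-style variant in the second bullet is easy to detect at the point where a password is set. As an added example that is not part of the original article, this Python check flags a candidate that is only a counter or symbol variant of a previous password; the similarity threshold and the sample passwords are assumptions, not values from NIST or the article.

```python
import re
from difflib import SequenceMatcher


def _skeleton(pw):
    """Lower-case and drop every digit and non-letter, so counter-style
    variants 'Paswrd01', 'paswrd02!' and '03paswrd' all reduce to 'paswrd'."""
    return re.sub(r"[^a-z]", "", pw.lower())


def is_trivial_rotation(old, new, min_ratio=0.8):
    """True when `new` is a predictable variant of `old`: identical, the same
    letter skeleton (only counters or symbols changed), or near-identical by
    difflib similarity. `min_ratio` is an assumed threshold."""
    if new == old:
        return True
    if _skeleton(old) and _skeleton(old) == _skeleton(new):
        return True
    return SequenceMatcher(None, old.lower(), new.lower()).ratio() >= min_ratio


def rejected_by_history(history, new):
    """Test the candidate against every remembered password, not only the most
    recent one, because users also cycle back to earlier entries."""
    return any(is_trivial_rotation(old, new) for old in history)


# Constructed sample data: two prior passwords, the replacements a forced
# rotation typically produces, and one genuinely new passphrase.
SAMPLE_HISTORY = ["paswrd01", "paswrd02"]
SAMPLE_CANDIDATES = ["paswrd03", "Paswrd04!", "03paswrd", "correct-horse-battery"]


def classify(history=SAMPLE_HISTORY, candidates=SAMPLE_CANDIDATES):
    """Map each candidate to whether the history check would reject it."""
    return {c: rejected_by_history(history, c) for c in candidates}


if __name__ == "__main__":
    for candidate, rejected in classify().items():
        print(f"{candidate!r}: {'rejected' if rejected else 'accepted'}")
```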
Because of these issues, NIST recently issued new guidance recommending that you not change your password simply because a set period has passed.
So when should you change your password?
- After a service discloses a security incident.
- There is evidence of unauthorized access to your account.
- There is evidence of malware or other compromise of your device.
- You shared access to an account with someone else and they no longer use the login.
- You logged in to the account on a shared or public computer (such as at a library or hotel).
- It’s been a year or more since you last changed the password, especially if you don’t have multi-factor authentication enabled.
In all of these cases, updating your password is a smart step. A new password ensures that someone who has the old one can't continue to abuse your account.