For decades, the standard advice was to change your passwords every 60 or 90 days. Then in 2017, the very agency that popularized that rule reversed course. The modern consensus from NIST, CISA, and most security researchers: don't rotate passwords on a schedule. Instead, change them immediately when there's a reason to — and focus your energy on the things that actually prevent account compromise.

The great reversal

The idea of mandatory password rotation originated in an era when passwords were shorter, simpler, and more easily cracked by brute force. Changing them regularly limited the window an attacker had to exploit a stolen credential. It made sense in theory.

In practice, it backfired. The NIST Special Publication 800-63B — the federal standard for digital identity guidelines, revised in 2017 — explicitly recommends against periodic password changes unless there is evidence of compromise. The reasoning is straightforward: when people are forced to change passwords frequently, they create weaker ones. They append numbers ("Password1" becomes "Password2"), they use predictable patterns, and they write passwords on sticky notes because they can't remember the latest version.

A 2010 study from the University of North Carolina at Chapel Hill analyzed over 10,000 expired accounts where users had been forced to change passwords every three months. Researchers found that knowing a previous password allowed them to crack the current one within seconds in 41 percent of cases. The "rotation" wasn't generating new security — it was generating predictable transformations of old security.

Breach-triggered changes: the one that actually matters

The single most important reason to change a password is evidence that it's been compromised. This could be a notification from a service that they've suffered a data breach, an alert from a monitoring service like Have I Been Pwned, or suspicious activity on your account (login attempts from unfamiliar locations, password reset emails you didn't request).

When a breach happens, the clock starts immediately. Stolen credentials are often sold in bulk on dark web marketplaces, and attackers use automated tools to try those credentials across hundreds of services within hours. If you use the same password on multiple sites — and most people still do — a single breach can cascade into multiple compromised accounts.

CISA's Secure Our World guidance on passwords emphasizes this reactive approach: use strong, unique passwords, enable multi-factor authentication, and change passwords when you have a specific reason to believe they've been exposed.
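The two triggers discussed above can be enforced at the point where a password is changed. The following Python check is an added example, not part of the original article or of any NIST/CISA tooling: it rejects a new password that is a predictable edit of the previous one (the "Password1" to "Password2" pattern the UNC study exploited) and flags one that already appears in a breach corpus, using the hash-prefix (k-anonymity) lookup shape of Have I Been Pwned's Pwned Passwords range endpoint. The HTTPS call is replaced by a constructed offline stand-in with made-up counts, and the 0.8 similarity threshold is an assumption.

```python
import hashlib
import re
from difflib import SequenceMatcher


def letter_core(password: str) -> str:
    """Lowercase and strip digits/symbols so "Password1", "Password2" and
    "Password!" all collapse to the same core ("password")."""
    return re.sub(r"[^a-z]", "", password.lower())


def trivially_derived(old: str, new: str, threshold: float = 0.8) -> bool:
    """True when the new password is a predictable edit of the old one
    (bumped digit, swapped symbol, case change, or a small edit).
    The threshold is an assumed value, not a published figure."""
    core = letter_core(old)
    if core and core == letter_core(new):
        return True
    return SequenceMatcher(None, old.lower(), new.lower()).ratio() >= threshold


def breach_count(password: str, fetch_range) -> int:
    """k-anonymity lookup: only the first 5 hex chars of the SHA-1 leave the
    client. fetch_range(prefix) returns lines of "<35-hex-suffix>:<count>",
    the line format of the Pwned Passwords range endpoint."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0


# Constructed offline stand-in for the network call; these counts are made up.
_CONSTRUCTED_BREACHED = {"Password1": 1234567, "Summer2019": 4321}


def offline_fetch_range(prefix: str) -> str:
    lines = ["0" * 34 + "A:3"]  # constructed filler entry in the same shape
    for pw, count in _CONSTRUCTED_BREACHED.items():
        h = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
        if h[:5] == prefix:
            lines.append(f"{h[5:]}:{count}")
    return "\n".join(lines)


def review_change(old: str, new: str, fetch_range=offline_fetch_range) -> list:
    """Reasons to reject a password change; an empty list means accept."""
    reasons = []
    if trivially_derived(old, new):
        reasons.append("new password is a predictable edit of the old one")
    hits = breach_count(new, fetch_range)
    if hits:
        reasons.append(f"new password appears in {hits} known breaches")
    return reasons
```

To use the real service, replace `offline_fetch_range` with a function that fetches `https://api.pwnedpasswords.com/range/<prefix>` and returns the response body; the full password or its full hash never needs to leave the client.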

Which accounts are high-risk

Not all accounts carry equal consequences if compromised. Your email account is arguably the most critical — it's the recovery mechanism for virtually everything else. If an attacker controls your email, they can reset passwords on your bank, social media, cloud storage, and shopping accounts. Your primary email password should be strong, unique, and changed at the first sign of anything unusual.

Financial accounts (banking, investment, tax filing) are high-value targets for obvious reasons. Healthcare portals contain sensitive personal data. Cloud storage accounts may hold years of documents, photos, and personal files. For these high-risk accounts, an annual review makes sense — not necessarily changing the password, but verifying that you're using a strong, unique credential and that two-factor authentication is enabled.

Low-risk accounts — that forum you signed up for once, the newsletter subscription, the random e-commerce site — don't need the same level of attention. Use unique passwords (so a breach doesn't cascade), but don't lose sleep over rotating them.

Password managers: the actual solution

The practical problem with unique passwords for every account is that humans can't remember them. The average person has somewhere between 70 and 100 online accounts. Even with a system of memorable passphrases, that's an impossible cognitive load.

Password managers solve this entirely. They generate long, random, unique passwords for every account and store them encrypted behind a single master password. You only need to remember one strong credential. The rest are handled by the software.

Both CISA and the updated NIST guidelines implicitly support this approach by recommending long, complex, unique passwords — which is essentially what a password manager generates. Most modern browsers include a built-in password manager, and dedicated tools like 1Password, Bitwarden, and Apple's iCloud Keychain offer cross-device sync and breach monitoring.

Two-factor authentication matters more than rotation

If you're going to spend energy on one security improvement, make it two-factor authentication (2FA) rather than password rotation. With 2FA enabled, even a compromised password isn't enough to access your account — the attacker also needs your phone, your fingerprint, or your hardware key.

A 2019 Google study found that adding a phone number as a second factor blocked 100 percent of automated bot attacks, 99 percent of bulk phishing attacks, and 76 percent of targeted attacks. Hardware security keys performed even better, blocking 100 percent across all three categories.

The hierarchy of security impact, from most to least effective: enable 2FA (preferably with an authenticator app or hardware key, not SMS), use a password manager with unique passwords everywhere, monitor for breaches, and then — at the bottom of the list — consider periodic rotation for your most sensitive accounts.

When you should change a password immediately

Change the password right away if: the service notifies you of a data breach; you receive a legitimate password reset email you didn't request; you notice unfamiliar logins or activity on the account; you've shared the password with someone who should no longer have access; you entered the password on a device that might be compromised (a public computer, a friend's phone with unknown software); or you discover you've been reusing the same password across multiple services and one of them has been breached.

In each of these cases, speed matters. Don't wait for the quarterly review. Change it now, make it unique, and enable 2FA if you haven't already.

The bottom line

Don't change passwords on a forced calendar schedule — that habit produces weaker passwords, not stronger security. Instead, use a password manager to generate unique credentials for every account, enable two-factor authentication on anything important, monitor for breaches through services like Have I Been Pwned, and change passwords immediately when there's a reason to. For high-risk accounts (email, banking, healthcare), an annual review to confirm strong, unique passwords and active 2FA is a reasonable cadence. The old "change it every 90 days" rule is officially retired.


References

  1. National Institute of Standards and Technology. NIST Special Publication 800-63B: Digital Identity Guidelines — Authentication and Lifecycle Management. nist.gov
  2. Cybersecurity and Infrastructure Security Agency. Use Strong Passwords. cisa.gov
  3. Zhang, Y., Monrose, F., & Reiter, M. K. (2010). The Security of Modern Password Expiration: An Algorithmic Framework and Empirical Analysis. ACM CCS 2010. doi:10.1145/2335356.2335366
  4. Google Security Blog. (2019). New research: How effective is basic account hygiene at preventing hijacking. security.googleblog.com
  5. Hunt, T. Have I Been Pwned: Check if your email has been compromised in a data breach. haveibeenpwned.com
