Just how often *should* you change your passwords? Surprise…

“How often should you change your password?”

Sounds like it should be a pretty easy question, right? After all, it gets right to the heart of most security issues that people face. Turns out, it’s a really hard question to answer.

And that’s a problem, because as I spend more time giving talks about computer security issues to people in various settings, I have come to know that “How often?” is by far the most common question people have. I might offer a stirring, funny, informative…ok, adequate…45-minute discussion about the major security and privacy issues of our day. I might touch on Snowden, Target, retina scans, social engineering, social media, your mother’s maiden name…but it doesn’t matter. Inevitably, one of the first 2-3 questions is: “How often do you, or should I, change a password?”

Recently, I’ve thought a lot about better ways to answer that question. I have a few, and I want to hear your answers. But before I get to that, I thought I’d find some better people to answer the question. I did a quick, informal survey of the best in the information security business, and here’s what they said to me. You’ll find plenty of nuggets of wisdom here, and more than a few surprises.


Graham Cluley – Independent computer security analyst, formerly of Sophos and McAfee (more about him)

I only change my password if I’m worried a service has been hacked/compromised. I have different passwords for each site. In fact, I reckon I have over 750 unique passwords. I use password management software. 🙂 I think requiring people to regularly change their password is a bad idea. It encourages poor password choices, (such as) passwordjan, passwordfeb, etc.





Mikko Hypponen – Chief Research Officer, F-Secure (more about him)


For your corporate network account? Several times a year. For an online newspaper that requires registration in order to read it? Never.  As always, it’s about threat modelling: Figure out which services are the important services FOR YOU. Then use a strong, unique password on those, and change it regularly. For non-important sites: who cares.



James Lyne, Global Head of Security Research at Sophos, speaking specifically about corporate passwords (More about him)

The requirement to change your passwords is a preventive measure that is designed to minimize the risk of your already stolen password being cracked and used. Over 2014 there have been a huge number of attacks which have led to the loss of password hashes (or other representations). These password ‘representations’ require time and effort for attackers to crack and reverse to their plain text form. Depending on the hashing scheme in use and the resources of the attacker this can take little, or a very long time. Changing your password regularly helps manage the risk of an attacker stealing your password hash from the provider (without you knowing) by increasing the probability you have changed it before they use it.

There is a real balance to be struck with password rotations. Some enterprises set painful rotation rules that require staff to regularly learn a new password and commit it to memory – ironically this can lead to staff producing poor passwords to meet the requirement which again ironically makes it much easier for the attacker to break. Providing the service provider does their part and secures your password with an appropriate storage mechanism often using a significantly longer, complex and hard to guess password is a much better defence. Good luck to the cybercriminal going after a 128 character password stored as a (moderately poor) SHA1 hash.

Password managers help you generate long and complex passwords that will be hard to crack even if lost, that said, if you go this far and implement a manager you may as well rotate your passwords once in a while as you don’t need to remember them and it helps minimize the risk of attackers using stolen credentials (particularly on sites that store your password poorly).  Most enterprises would do well to consider how to improve their password storage security and the strength of the original password over a 30 day rotation period.
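The trade-off Lyne describes can be put in numbers. The following is an added example written for this post, not code from Sophos or any of the experts quoted: it generates manager-style passwords with Python’s `secrets` module, estimates how long a brute-force attacker needs against a fast unsalted SHA-1 hash versus a slow memory-hard KDF (scrypt), and checks whether a given rotation period would plausibly expire the password before it is cracked. The guess rates and the sample vault are constructed assumptions for illustration, not measurements of any real attacker or service.

```python
import hashlib
import math
import secrets
import string

# Constructed, illustrative guess rates (guesses per second) for an attacker
# holding a stolen hash database. The gap between the two is the point:
# a fast hash lets the attacker test billions of guesses per second, a
# memory-hard KDF reduces that by orders of magnitude.
GUESS_RATES = {
    "sha1": 1e10,    # unsalted SHA-1 on GPU hardware (assumed rate)
    "scrypt": 1e5,   # scrypt with the parameters below (assumed rate)
}

# Character set a password manager typically draws from: 94 printable symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 128) -> str:
    """Manager-style password: uniformly random over ALPHABET using a CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Bits of entropy for a uniformly random password of the given length."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected brute-force time: on average half the keyspace must be searched."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def rotation_beats_attacker(bits: float, guesses_per_second: float,
                            rotation_days: int) -> bool:
    """True if the password is expected to be rotated before it is cracked.

    This is the window Lyne describes: rotation only helps when the expected
    crack time is longer than the rotation period.
    """
    return expected_crack_seconds(bits, guesses_per_second) > rotation_days * 86400


def sha1_hash(password: str) -> str:
    """Fast, unsalted hash: the 'moderately poor' storage scheme from the text."""
    return hashlib.sha1(password.encode()).hexdigest()


def scrypt_hash(password: str, salt: bytes) -> bytes:
    """Memory-hard KDF: a deliberately expensive storage scheme (16 MiB per guess)."""
    return hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)


def reused_sites(vault: dict) -> list:
    """Return groups of sites that share one password (Cluley's per-site rule)."""
    by_password = {}
    for site, password in vault.items():
        by_password.setdefault(password, []).append(site)
    return sorted(sorted(sites) for sites in by_password.values() if len(sites) > 1)


if __name__ == "__main__":
    # Constructed comparison: an 8-character lowercase+digit password (36 symbols)
    # versus a 128-character manager-generated one, under a 30-day rotation.
    weak_bits = entropy_bits(8, 36)
    strong_bits = entropy_bits(128)
    for scheme, rate in GUESS_RATES.items():
        print(f"{scheme:7s} weak 8-char: crack in {expected_crack_seconds(weak_bits, rate):.3g} s,"
              f" 30-day rotation helps: {rotation_beats_attacker(weak_bits, rate, 30)}")
        print(f"{scheme:7s} 128-char:    crack in {expected_crack_seconds(strong_bits, rate):.3g} s")
    # Constructed sample vault with one reused password.
    vault = {"bank": generate_password(), "news": "winter2014", "forum": "winter2014"}
    print("sites sharing a password:", reused_sites(vault))
```

Running it shows why the experts disagree less than it first appears: an 8-character password behind an unsalted SHA-1 hash is cracked in minutes, so no realistic rotation period closes the window, while the same weak password behind scrypt takes months, so a 30-day rotation does buy something. A 128-character manager-generated password is out of reach under either scheme, which is Lyne’s point that storage strength and original password strength matter more than the rotation interval.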



Harri Hursti – independent security researcher, famous for “The Hursti Hack” of voting machines (more about him)

This is not (an easy question) … because also changing the password too often can become a security risk.

It greatly depends. Passwords I use more often, over the internet and are in sensitive sites are changed 2-3 times a year. Then there are very important passwords which are either used very seldom or are used in more secure environment and those I change once a year, or not even then.


Chester Wisniewski and Paul Ducklin, senior security advisors at Sophos. (More about Chester and Paul)

The answer, loosely, is this.

Change a password if any one of these is true:

1. You suspect (or know) it has been compromised.
2. You feel like changing it.
3. You have been re-using passwords and have decided to mend your ways.

We explain better in the podcast “busting password myths,” I think.

The podcast is 15 minutes, however, the first two minutes address this very question and may be worth your time.

So…I ask: How often do you change your passwords? And how often do you think you *should* change your passwords?


About Bob Sullivan
BOB SULLIVAN is a veteran journalist and the author of four books, including the 2008 New York Times Best-Seller, Gotcha Capitalism, and the 2010 New York Times Best Seller, Stop Getting Ripped Off! His latest, The Plateau Effect, was published in 2013, and as a paperback, called Getting Unstuck in 2014. He has won the Society of Professional Journalists prestigious Public Service award, a Peabody award, and The Consumer Federation of America Betty Furness award, and been given Consumer Action’s Consumer Excellence Award.
