How Often Should You Change Your Password for Online Accounts?
As more apps and accounts are needed for everyday tasks, you spend more time on personal password management. Managing passwords includes responding to reminders to update aging logins, resetting forgotten passwords, and trying to locate a long-lost password in a lengthy spreadsheet or digital note. All of this puts you at risk of losing access to your accounts. So, when should you change passwords for the most efficient and secure password experience?
How often should you change your passwords?
There are no set rules. There are so many factors that go into password strength and so much variation among users that it has become impractical to create universal rules for password changes. The reality is that if you have a secure, realistic password strategy in place, there’s no reason to change passwords on a regular schedule. To know when to change your passwords, try asking yourself why rather than when you should change your passwords.
- Password changes: If there are no set rules, why do employers ask us to update our passwords every few months? The concept behind these forced resets is simple—if your logins change periodically, it will be harder for an attacker to decode them. However, these mandatory password changes fail to consider that you may be replacing a strong password with a weaker one.
- NIST guidance: When we rush to change a password based on predetermined deadlines, it’s human nature to make minor changes to the existing password to make it easier to remember. The NIST digital identity guidelines explain that these minor changes have little value since attackers can apply the same common transformations. An alternate approach recommended by the NIST calls for administrators to establish controls to screen out weak or compromised passwords.
- Use a password manager: A password manager allows you to create unique, bullet-proof passwords automatically, then manage and store them from one secure app. Dashlane’s Password Generator creates random and unique passwords you won’t need to memorize or write down because the passwords are securely encrypted on your device before they’re stored in the password manager’s vault.
Want to learn more about using a password manager?
Check out our our personal plans or get started with a free trial.
Want to learn more about using Dashlane Password Manager at home or at work?
Check out our personal password manager plans or get started with a free business trial.
Why the 30/60/90 password change rule is outdated
So, just how often should passwords be changed? The 30/60/90 rule that many companies still follow calls for passwords to be reset every 30, 60, or 90 days, depending on security settings. The logic behind these somewhat arbitrary timeframes was based on employees often reusing their passwords. Frequent changes were necessary to lessen exposure if a common password was leaked during a breach.
Although the 30/60/90 rule and others like it were well-intentioned, these rigid intervals are no longer necessary or effective, and they can lead to hassles for IT teams, with employees being locked out of their computers or accounts. The password security tools available today provide us with more proactive and reliable ways to improve password safety, including:
- Using 2-factor or multifactor authentication to request additional logins only the account holder can access.
- Using a password manager to make sure you always have random and unpredictable passwords that are much less vulnerable to hacking.
Some companies put so much trust in password managers that they’re willing to lift their existing password management policies following the company-wide adoption of this solution.
When should you change passwords?
You should change your passwords if:
- You think you’ve been hacked
- You discover malware
- You find your password on the dark web
- You use public WiFi without turning on a VPN
- You share your password unsecurely
5 Times You Should Change Your Password
Let’s take a look at some conditions that should always lead to an immediate password reset:
- If you think you have been hacked: It might be difficult to tell when your computer or device has been hacked, but there are a few telltale signs. These include random or unusual popups, redirected internet searches, passwords failing to work for no apparent reason, and friends reporting unusual emails or direct messages from you that you didn’t send.
You might also be notified of a data breach by your employer, your bank, a retailer, or another organization you’ve worked with. You should always take these warnings seriously—you can never assume your passwords or other personal information weren’t compromised.
In general, it’s a good practice to reset passwords immediately if you ever suspect hacking or have been notified of a breach.
- If you discover malware: If you or your employer use one of the many trusted antivirus or anti-malware products on the market, these threats should be minimized. But with phishing and fraudulent links on the rise, it’s still possible for malware to slip past your defenses. Many types of malware, like spyware and keyloggers, are used to steal passwords, banking logins, and other personal information, so you should change your passwords immediately any time you experience a malware attack.
- If you find your password on the dark web: Despite being vigilant, you may not always realize when your information has been compromised. Dark web monitoring is a valuable tool that helps you scan the hidden recesses of the internet for your personal information and logins. Dashlane’s Dark Web Monitoring alerts users if their password or account information is detected and needs to be changed.
- Any time you use public WiFi without a VPN: If you log into a public WiFi network without the protection of a virtual private network (VPN), your personal information can be intercepted. Any account passwords you keyed in during that span should be updated ASAP. A VPN encrypts all data going into or out of your device and routes it through a secure portal, making it safer to join a public WiFi network.
- Any time you share your password(s) with others: Sharing passwords is common and unavoidable, especially for frequently used accounts like Amazon and Netflix. Passwords for workplace apps are also shared between employees on a regular basis. It might seem harmless to share passwords with those you trust, but if any of these individuals are impacted by cybercrime, your identity and information become vulnerable as well. To be safe, reset any account passwords you’ve shared.
The key elements of password security
Here are some guidelines you can follow to significantly improve your password hygiene and security profile:
- Using strong and unique passwords: The best alternatives to frequent password changes are hard-to-guess passwords that are strong and unique. This means more characters (12 is much better than 8), randomly mixing numbers, letters, and special characters, and avoiding common or personal words like your name or street address.
Generate a strong and unique password now using Dashlane’s Password Generator.
- Using 2-factor authentication: 2-factor authentication (2FA) asks for a second credential, typically provided to the user through an app or text, to further verify identity. This added layer of security makes it nearly impossible for intruders to access your accounts without having your device in their possession. 2FA is worth the few extra seconds it adds to your login time.
- Keeping passwords private: Passwords stored in notebooks, sticky notes, or spreadsheets aren’t private. When you share passwords with friends, relatives, or coworkers, this can also undermine your password privacy. Along with a protected vault location for your autogenerated passwords, Dashlane provides a secure, encrypted portal for password sharing that makes it easier to maintain your privacy.
- Not reusing passwords: Using short and simple passwords makes it easier for hackers to decrypt your information. Reusing passwords is an equally dangerous habit and a big reason why forced password resets are still with us. Reused passwords can put multiple accounts at risk simultaneously. Dashlane’s Password Health score helps you review and track the status of your weak, compromised, or reused passwords as you improve your security profile.
- Using a password manager: A password manager combines all the key elements of password security with the convenience of autofill to simplify logins and improve productivity. Automatic password generation features eliminate the need to establish and remember complex passwords for each account by creating and storing strong, unique, and encrypted passwords for you.
How Dashlane helps secure your passwords
Password management solutions from Dashlane include the advanced security features you need to keep your data safe as you boost your password health and productivity. With user-friendly autofill, secure password sharing, AES-256 encryption, and additional VPN and Dark Web Monitoring services, Dashlane (and your Master Password) are now the only words you need to remember!
Dashlane’s Password Health score helps you prioritize password changes by identifying compromised, reused, or weak passwords.
See how your password health compares to your region in our report: A Global Look at Password Health.
- Dashlane, “10 Most Common Passwords (Is Yours on the List?),” September 2022.
- NIST, “Digital Identity Guidelines,” 2022.
- Dashlane, “What Is Encryption?” March 2019.
- Dashlane, “The Power of Unpredictable Passwords,” August 2020.
- Dashlane, “Always Change Your Passwords After a Breach,” March 2020.
- Cisco, “What is Malware,” 2022.
- Dashlane, “How Strong Is Your Password & Should You Change It?” August 2022.
- Dashlane, “How to Stop Reusing Passwords for Good,“ January 2020.
- Dashlane, “A look at Password Health Scores around the world in 2022,” 2022.
- Microsoft, “Security baseline (FINAL) for Windows 10 v1903 and Windows Server v1903," May 2019.
- Scientific American, “The Mathematics of (Hacking) Passwords,” April 2019.
- Dashlane, “A Beginner’s Guide to Two-Factor Authentication,” August 2022.
- Dashlane, “Understanding Your Dashlane Password Health Score,” October 2020.