
Stop Changing Your (Strong, Unique) Passwords So Much

Feb. 1 is Change Your Password Day, and you may think that good cyber hygiene means creating new, robust passwords every few months. Not so fast.

Eric Griffith, Senior Editor, Features


There was a time that whenever I wrote something related to security passwords, I'd use these words: "Use password managers, as they make it very easy to change passwords, which you should do frequently." Because that's the advice everyone gives about passwords, along with making them strong and unique to every service and account you create.

I haven't done that in years, though, because one of our resident security experts, Neil J. Rubenking, pointed out that the "should do frequently" part is now outdated advice.

When the National Institute of Standards and Technology (NIST) issued its Digital Identity Guidelines in 2017, it used a lot of science-talk to discuss information security standards and "memorized secrets"—its term for passwords, passphrases, and personal identification numbers (PINs). Its conclusion: "Do not require that [passwords] be changed arbitrarily (e.g., periodically) unless there is a user request or evidence of authenticator compromise."

The NIST report also included an appendix about the Strength of Memorized Secrets, which discusses how it's almost impossible for people to memorize passwords if they have forced "composition rules," such as including a symbol, an uppercase letter, a numeral, etc.

"The benefit of such rules is not nearly as significant as initially thought, although the impact on usability and memorability is severe," NIST said.

The length of a memorized secret is more important than complexity. Yet so many services reject extra-long passphrases. (NIST says people should be allowed up to 64 characters.)

Nothing beats memorization for security, but after a couple of years online, you could have hundreds of passwords to keep in your brain. That way lies madness. Ultimately, the best advice for anyone dealing with password security is to use a password manager so you only have to remember one master password/phrase.

NIST agrees; its 2024 update to the Digital Identity Guidelines recommends password managers and has other suggestions for services and organizations that require passwords. Those include offering a "show password" option, since it's highly unlikely anyone is hovering behind you to write it down and it reduces typing mistakes; locking out users after multiple failed attempts; monitoring for the use of dumb, over-used passwords; and employing multi-factor authentication.
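To make the contrast concrete, here is an added example (not from the article or from NIST) that puts the old composition-rule policy beside a NIST-style check: length limits of 8 to 64 characters, a blocklist of over-used passwords instead of symbol/uppercase/digit rules, and a failed-attempt lockout. The blocklist, the sample passwords, and the lockout threshold of 10 are constructed assumptions for illustration.

```python
"""Password-policy check in the style of NIST SP 800-63B (added example).

The blocklist and sample passwords are constructed for illustration; a real
deployment would load a list of breached or commonly used passwords.
"""
from __future__ import annotations
from dataclasses import dataclass, field
import unicodedata

MIN_LENGTH = 8            # NIST minimum for user-chosen memorized secrets
MAX_LENGTH = 64           # verifiers should accept at least 64 characters
MAX_FAILED_ATTEMPTS = 10  # lockout threshold (assumed value, not from NIST)

# Constructed stand-in for a "commonly used / breached" password list.
BLOCKLIST = {"password", "password1", "password1!", "123456", "qwerty", "letmein"}


def legacy_policy_ok(pw: str) -> bool:
    """The composition-rule policy the article argues against: any 8+ character
    string passes if it mixes uppercase, a digit and a symbol."""
    return (len(pw) >= 8 and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw) and any(not c.isalnum() for c in pw))


def nist_policy_check(pw: str) -> list[str]:
    """Return the reasons a password is rejected (empty list means accepted).
    Only length and a blocklist are enforced: no composition rules, no expiry."""
    pw = unicodedata.normalize("NFKC", pw)  # normalize before counting/matching
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if pw.lower() in BLOCKLIST:
        problems.append("matches a commonly used or breached password")
    return problems


@dataclass
class LoginThrottle:
    """Per-account failed-attempt counter; the account locks at the threshold."""
    failures: dict = field(default_factory=dict)

    def record(self, account: str, success: bool) -> bool:
        """Record one attempt and return True if the account is now locked."""
        if success:
            self.failures.pop(account, None)  # a good login clears the counter
            return False
        self.failures[account] = self.failures.get(account, 0) + 1
        return self.is_locked(account)

    def is_locked(self, account: str) -> bool:
        return self.failures.get(account, 0) >= MAX_FAILED_ATTEMPTS
```

Run it against "Password1!" and "correct horse battery staple": the legacy rules accept the first and reject the long passphrase, while the NIST-style check does the opposite.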


Don't Lie: How Often Do You Change Passwords?

Let's get back to the frequency, Kenneth. That standard advice of changing your password every few months to a year is ingrained in most articles on the subject. A Google search on "how often should I change my password" returns a first result reading "every three months." Most sites and articles say the same, with a few exceptions. And Feb. 1 is Change Your Password Day!

The story I wrote years ago about passwords that spurred all this included coverage of a survey in which PCMag specifically asked, "How often do you change your passwords?" About 74% of respondents claimed to change their passwords at a minimum of every six months. I don't buy it. The cynic in me thinks people believe they are supposed to change passwords often, and don't want to admit to us (or themselves) that they don't. Perhaps they're annoyed because their workplace or some service forces them into frequent changes.

Stop feeling guilty! The experts told us years ago to quit making regular password changes. It's time we listened. As long as your password is already reasonably strong and unique to every site and service, changing it frequently is not much help to you.

Unless it's compromised in a data breach, of course; then change it immediately.

This isn't going to stop certain entities from forcing you to change your password. Your boss or bank may take some persuading to cease showing that dreaded "Please enter a new password to continue" message every few months. They probably won't let you re-use a password either, even if it was the strongest you'd ever created. They're probably also going to continue to limit size and require special characters. Sorry.

But if you have a really good password for a service or account, you can probably keep it for life (or until there's a breach). Just ensure it's long, strong, and unique to the service.

About Our Expert

Eric Griffith, Senior Editor, Features

My Experience

I've been writing about computers, the internet, and technology professionally since 1992, more than half of that time with PCMag. I arrived at the end of the print era of PC Magazine as a senior writer. I served for a time as managing editor of business coverage before settling back into the features team for the last decade and a half. I write features on all tech topics, plus I handle several special projects, including the Readers' Choice and Business Choice surveys and yearly coverage of the Best ISPs and Best Gaming ISPs, Best Products of the Year, and Best Brands (plus the Best Brands for Tech Support, Longevity, and Reliability).

I started in tech publishing right out of college, writing and editing stories about hardware and development tools. I migrated to software and hardware coverage for families, and I spent several years exclusively writing about the then-burgeoning technology called Wi-Fi. I was on the founding staff of several magazines, including Windows Sources, FamilyPC, and Access Internet Magazine. All of which are now defunct, and it's not my fault. I have freelanced for publications as diverse as Sony Style, Playboy.com, and Flux. I got my degree at Ithaca College in, of all things, television/radio. But I minored in writing so I'd have a future.

In my long-lost free time, I wrote some novels, a couple of which are not just on my hard drive: BETA TEST ("an unusually lighthearted apocalyptic tale," according to Publishers' Weekly) and a YA book called KALI: THE GHOSTING OF SEPULCHER BAY. Go get them on Kindle.

I work from my home in Ithaca, NY, and did it long before pandemics made it cool.

The Technology I Use

My first computer was a Laser 128, an Apple II-compatible clone with an integrated keyboard, matched with an eye-straining monochrome green monitor. I used it to type papers in college for other people for money...until I discovered the Mac SE in the college computer room. That changed my life. My first cellphone was a Samsung Uproar—the silver one with the built-in MP3 player from the Napster days (the pre-iPod era).

I use an iPhone 15 Pro hourly and an iPad Air infrequently (but I'm always in the market for a cheap Android tablet). I have a PlayStation 5 just to play Spider-Man, and several Windows machines, including a work-issued Lenovo ThinkPad. I talk to Alexa and Siri all day long. I do the majority of my computing on a 15-inch LG Gram laptop attached to a Thunderbolt hub to run a multi-monitor setup—I overdid it on the power needed to simply work from home.

I'm most at home in Microsoft Word after decades of writing there. More and more, I turn to services like Google Docs, using tools like Grammarly. I use Google's Chrome browser due to an addiction to several extensions I think I can't live without, but probably could. I use Excel extensively on data-intensive stories, but for chart creation, we've switched over entirely to using Infogram for interactive features that are hard to find elsewhere. I do a lot of graphics work for my stories, but limit myself to the free and amazing Paint.NET software to edit images.

I'm a firm evangelist for using the cloud for backup and syncing of files; I'm primarily using Dropbox, which has never failed me, but I also have redundant setups on Microsoft OneDrive, plus extra picture backups on Amazon Photos and iCloud. Why take chances? For entertainment, mine is a streaming-only household—my kid has never seen network TV and barely been exposed to commercials, thanks to Roku and Amazon Music. The house is peppered with smart speakers from Amazon for instant gratification and control of smart home devices like multiple Wyze cameras and Nest Protect smoke detectors. I've got accounts on all the major social networks, to my horror. I have a robot vacuum for each floor of the house. I want a 3D printer, but not sure what I'd use it for.
