PCMag editors select and review products independently. If you buy through affiliate links, we may earn commissions, which help support our testing.

PCMag UK

You're Changing Your Password Too Often. Here's Why You Shouldn't

We've been conditioned to think that good cyber hygiene means creating new, strong, and unique passwords every few months. Not so fast!

Eric Griffith
 & Eric Griffith Senior Editor, Features

Our team tests, rates, and reviews more than 1,500 products each year to help you make better buying decisions and get more from technology.

Our Expert
LOOK INSIDE PC LABS HOW WE TEST
65 EXPERTS
43 YEARS
41,500+ REVIEWS
(Credit: designer491; iStock/Getty Images Plus)

In the past, whenever I wrote about security passwords, I would say something along the lines of "Use password managers, as they make it very easy to change passwords, which you should do frequently." Because that's the advice everyone gives about passwords, along with making them strong and unique to every service and account you create.

I haven't done that in years, though, because our resident security expert, Neil. J. Rubenking, pointed out to me that the "should do frequently" part is sorely outdated advice.

When the National Institute of Standards and Technology (NIST) issued Digital Identity Guidelines in 2017, it used a lot of science talk to discuss information security standards and "memorized secrets"—its term for passwords, passphrases, and personal identification numbers (PINs). Its conclusion: "Do not require that memorized secrets be changed arbitrarily (e.g., periodically) unless there is a user request or evidence of authenticator compromise."

The NIST report also includes an appendix on the Strength of Memorized Secrets, which discusses how it's almost impossible for people to memorize passwords when they're forced to follow "composition rules," such as including a symbol, an uppercase letter, or a numeral.

"The benefit of such rules is not nearly as significant as initially thought, although the impact on usability and memorability is severe," NIST said.

The length of a memorized secret is more important than complexity. Yet so many services reject extra-long passphrases. (NIST says people should be allowed up to 64 characters.)

Nothing beats memorization for security, but after a couple of years online, you could have hundreds of passwords to keep in your brain. That way lies madness. Ultimately, the best advice for anyone dealing with password security is to use a password manager so you only have to remember one master password or phrase.

NIST agrees; its 2024 update to the Digital Identity Guidelines recommended password managers and has other suggestions for services and organizations that require passwords. Those include enabling "show password" since it's highly unlikely anyone is hovering behind you to write it down, which reduces typing mistakes; locking out users after multiple failed attempts; monitoring for the use of dumb, overused passwords; and employing multi-factor authentication. Now, passkeys (private keys stored on your device, like a phone) are also a better option. But you're still stuck with passwords in many places.

Don't Lie: How Often Do You Change Passwords?

The advice to change your password often is so ingrained in the online culture that February 1 has been dubbed Change Your Password Day. I say: Do not celebrate!

The story I wrote years ago about passwords that spurred all this included coverage of a survey in which PCMag specifically asked, "How often do you change your passwords?" At the time, 74% of respondents reported changing their passwords at least every six months.

Recommended by Our Editors

How We Test Password Managers
How We Test Password Managers
Still Using Passwords? It's Time to Upgrade to Passkeys Now
Still Using Passwords? It's Time to Upgrade to Passkeys Now
Don't Let Your Passwords Die With You. Here's How to Share Account Access Safely
Don't Let Your Passwords Die With You. Here's How to Share Account Access Safely

I didn't buy it then, and I don't buy it now. The cynic in me thinks people believe they are supposed to change passwords often and don't want to admit to us (or themselves) that they don't.

Or perhaps they're annoyed because their workplace or a service requires frequent changes. I know I always am.

Stop feeling guilty! The experts told us years ago to quit making regular password changes. It's time we listened. As long as your password is already reasonably strong and unique to every site and service, changing it frequently is not much help to you.

Unless it's compromised in a data breach, of course. Then change it immediately.

Alas, You Can't Fight Forced Password Changes

This good advice won't stop certain entities from forcing you to change your password. Your boss or bank may take persuading to cease showing that dreaded "Please enter a new password to continue" message every few months. There's not much you can do about that. They're paranoid, and for good reason, as 81% of data breaches have been traced to poor passwords.

But the keyword there is poor. You can and should make passwords that are strong and unguessable. We have tips for memorizing them.

Institutions that require changes probably won't let you reuse a password either, even if it's the strongest you've ever created. They're probably also going to continue limiting the size and requiring special characters; they may not even allow a passphrase, which is extra secure, because it's longer. (Yes...size matters.)

Sorry. We can't change your company or financial institution's policies.

Just remember: If you have a really good password for a service or account, if you're not forced to change it, you can probably keep it for life (until there's a breach). Just ensure it's long, strong, and unique.

About Our Expert

Eric Griffith

Eric Griffith

Senior Editor, Features

My Experience

I've been writing about computers, the internet, and technology professionally since 1992, more than half of that time with PCMag. I arrived at the end of the print era of PC Magazine as a senior writer. I served for a time as managing editor of business coverage before settling back into the features team for the last decade and a half. I write features on all tech topics, plus I handle several special projects, including the Readers' Choice and Business Choice surveys and yearly coverage of the Best ISPs and Best Gaming ISPs, Best Products of the Year, and Best Brands (plus the Best Brands for Tech Support, Longevity, and Reliability).

I started in tech publishing right out of college, writing and editing stories about hardware and development tools. I migrated to software and hardware coverage for families, and I spent several years exclusively writing about the then-burgeoning technology called Wi-Fi. I was on the founding staff of several magazines, including Windows Sources, FamilyPC, and Access Internet Magazine. All of which are now defunct, and it's not my fault. I have freelanced for publications as diverse as Sony Style, Playboy.com, and Flux. I got my degree at Ithaca College in, of all things, television/radio. But I minored in writing so I'd have a future.

In my long-lost free time, I wrote some novels, a couple of which are not just on my hard drive: BETA TEST ("an unusually lighthearted apocalyptic tale," according to Publishers' Weekly) and a YA book called KALI: THE GHOSTING OF SEPULCHER BAY. Go get them on Kindle.

I work from my home in Ithaca, NY, and did it long before pandemics made it cool.

The Technology I Use

My first computer was a Laser 128, an Apple II-compatible clone with an integrated keyboard, matched with an eye-straining monochrome green monitor. I used it to type papers in college for other people for money...until I discovered the Mac SE in the college computer room. That changed my life. My first cellphone was a Samsung Uproar—the silver one with the built-in MP3 player from the Napster days (the pre-iPod era).

I use an iPhone 15 Pro hourly and an iPad Air infrequently (but I'm always in the market for a cheap Android tablet). I have a PlayStation 5 just to play Spider-Man, and several Windows machines, including a work-issued Lenovo ThinkPad. I talk to Alexa and Siri all day long. I do the majority of my computing on a 15-inch LG Gram laptop attached to a Thunderbolt hub to run a multi-monitor setup—I overdid it on the power needed to simply work from home.

I'm most at home in Microsoft Word after decades of writing there. More and more, I turn to services like Google Docs, using tools like Grammarly. I use Google's Chrome browser due to an addiction to several extensions I think I can't live without, but probably could. I use Excel extensively on data-intensive stories, but for chart creation, we've switched over entirely to using Infogram for interactive features that are hard to find elsewhere. I do a lot of graphics work for my stories, but limit myself to the free and amazing Paint.NET software to edit images.

I'm a firm evangelist for using the cloud for backup and syncing of files; I'm primarily using Dropbox, which has never failed me, but I also have redundant setups on Microsoft OneDrive, plus extra picture backups on Amazon Photos and iCloud. Why take chances? For entertainment, mine is a streaming-only household—my kid has never seen network TV and barely been exposed to commercials, thanks to Roku and Amazon Music. The house is peppered with smart speakers from Amazon for instant gratification and control of smart home devices like multiple Wyze cameras and Nest Protect smoke detectors. I've got accounts on all the major social networks, to my horror. I have a robot vacuum for each floor of the house. I want a 3D printer, but not sure what I'd use it for.

Read the latest from Eric Griffith

Read full bio