A common security measure that institutions push is to force users to frequently change their password. When discussing this with my bank recently, they simply said “For security purposes, we require you change your password every 90 days.”
For security purposes, that’s not a helpful thing to do.
Microsoft calls periodic password changes “ancient and obsolete,” and the FTC does not recommend them either. So what should you do?
Well, sometimes change it
There are some cases when you indeed should change your password, most notably when you are concerned that it may have been compromised. For example, check Have I Been Pwned to see which known breaches your accounts may have appeared in. Forcing users to change their passwords every 90 days is silly, but changing your password when it may have been exposed is crucial.
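As an added example (not part of the original post), here is how a "has this password been exposed?" check can be done without ever sending the password itself. Have I Been Pwned's Pwned Passwords range endpoint works on k-anonymity: the client sends only the first five hex characters of the password's SHA-1 hash and gets back every matching hash suffix with a breach count. The offline demo below builds a constructed, fake range index from two made-up weak passwords so it runs without network access; the `fetch_range_hibp` function shows the real endpoint but is not called by the demo.

```python
import hashlib
from collections import defaultdict
from typing import Callable, Dict, List

# Constructed sample data: pretend these two passwords appeared in breaches
# with the given counts. The hashes are computed here, not copied from HIBP.
_BREACHED_SAMPLE: Dict[str, int] = {
    "password123": 123456,
    "letmein": 4567,
}


def sha1_hex_upper(password: str) -> str:
    """SHA-1 of the UTF-8 password, upper-case hex (the form HIBP uses)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def _build_fake_range_index() -> Dict[str, List[str]]:
    """Group the constructed breached hashes by 5-char prefix, as the API would."""
    index: Dict[str, List[str]] = defaultdict(list)
    for pw, count in _BREACHED_SAMPLE.items():
        digest = sha1_hex_upper(pw)
        index[digest[:5]].append(f"{digest[5:]}:{count}")
    return index


_FAKE_INDEX = _build_fake_range_index()


def fake_fetch_range(prefix: str) -> str:
    """Offline stand-in for the range endpoint: returns 'SUFFIX:COUNT' lines."""
    return "\r\n".join(_FAKE_INDEX.get(prefix.upper(), []))


def fetch_range_hibp(prefix: str) -> str:
    """Query the real endpoint (network access; not used by the offline demo)."""
    import urllib.request
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "password-exposure-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how many times the password appears in the breach corpus (0 = not found).

    Only the 5-char hash prefix leaves the machine; the suffix comparison is local.
    """
    digest = sha1_hex_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    for pw in ("password123", "letmein", "correct-horse-battery-staple-9x!"):
        n = pwned_count(pw, fake_fetch_range)
        verdict = f"seen {n} times, change it" if n else "not in sample corpus"
        print(f"{pw!r}: {verdict}")
```

To check against the live service, pass `fetch_range_hibp` instead of `fake_fetch_range`; the parsing logic is identical, and the full password hash still never leaves your machine.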
Protect it
The bigger issue for a lot of folks is the strength of their passwords. If you can remember your password, it’s probably not strong enough. Perhaps more important, you shouldn’t reuse the same password across multiple accounts. Thankfully, there are easy solutions to this with products such as LastPass, Dashlane or others that have free versions (and paid versions for under $5/mo). Let those systems generate long, complex passwords, and they will fill them in for you the moment you need them.
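As an added illustration (my own example code, not from the post or from any password manager), this is what a password manager's generator does under the hood and why "if you can remember it, it's probably not strong enough" holds: it draws from a cryptographically secure source, and the strength is simply length times the bits per symbol. The entropy figures it prints compare a memorable 8-character lowercase password with a 20-character generated one.

```python
import math
import secrets
import string

# 26 + 26 + 10 + 32 = 94 printable ASCII symbols, a typical generator alphabet
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy for a uniformly random password of this length and alphabet."""
    return length * math.log2(alphabet_size)


def has_all_classes(password: str) -> bool:
    """True if the password contains lower, upper, digit and punctuation characters."""
    return (
        any(c.islower() for c in password)
        and any(c.isupper() for c in password)
        and any(c.isdigit() for c in password)
        and any(c in string.punctuation for c in password)
    )


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Uniformly random password using the OS CSPRNG (secrets, never random)."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_strong_password(length: int = 20, min_bits: float = 100.0,
                             max_attempts: int = 1000) -> str:
    """Generate a password that meets an entropy floor and covers all classes.

    The class check only rejects a small fraction of 20-char draws, so the
    retry loop finishes almost immediately; the cap just guards against a
    misconfigured (tiny) length.
    """
    if entropy_bits(length, len(ALPHABET)) < min_bits:
        raise ValueError(f"{length} chars from {len(ALPHABET)} symbols is under {min_bits} bits")
    for _ in range(max_attempts):
        candidate = generate_password(length)
        if has_all_classes(candidate):
            return candidate
    raise RuntimeError("could not satisfy character-class policy")


if __name__ == "__main__":
    memorable_bits = entropy_bits(8, 26)          # e.g. "sunshine": ~37.6 bits
    generated_bits = entropy_bits(20, len(ALPHABET))  # ~131 bits
    print(f"8 lowercase letters : {memorable_bits:5.1f} bits")
    print(f"20 random symbols   : {generated_bits:5.1f} bits")
    # One unique password per account, as a manager would store them
    for site in ("bank", "email", "shop"):
        print(f"{site:6s} {generate_strong_password()}")
```

The point of the per-site loop is reuse: a manager keeps a different password for every account, so one site's breach cannot be replayed against the others.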
It’s impossible to stay completely secure online, which is why things like backups are so important. That said, it’s foolish to be lazy with your security, and passwords are a pretty easy thing to keep strong. Use a password manager to create long, unique passwords for every account you have, but don’t waste your time changing your passwords unless you have a reason to do so.