How Often Should I Change My Password? | Skip The Old Rule

Most people should change a password only after a breach, reuse, phishing scare, or shared access—not on a fixed monthly schedule.

For years, people were told to swap passwords every 30, 60, or 90 days. That rule stuck around long after better advice took over. Today, the smarter move is risk-based: keep each password long, unique, and stored in a password manager, then change it when there’s a real reason.

That shift matters because forced resets often backfire. People who must change passwords on a timer tend to make tiny edits—adding a new number, swapping one symbol, or rotating through a short list they already know. That makes passwords easier to predict and harder to manage. A good password that stays unique is often safer than a weaker one that changes on a calendar.

If you want the plain answer, here it is: don’t change every password on a fixed schedule unless your workplace policy says so. Change them when risk shows up. That means a data breach, a phishing attempt, account misuse, password reuse, shared access, or a device compromise.

Why The Old 90-Day Password Habit Faded

The old habit came from a simple idea: if a password gets stolen, a fresh one cuts the thief off. That sounds tidy. In real life, people don’t behave like tidy policy manuals. They pick shorter passwords, reuse old patterns, and forget which account got which tweak.

That’s why current guidance leans away from routine expiration for ordinary accounts. NIST’s digital identity FAQ says password change rules can push users toward predictable choices, which weakens security. Microsoft says much the same for cloud-only accounts and recommends setting passwords to never expire when stronger controls are in place.

This doesn’t mean “set it and forget it.” It means the calendar is a poor trigger. Real-world signals are better. If nothing points to trouble, a strong unique password can stay put. If something smells off, change it right away.

What matters more than frequent changes

  • A different password for every account
  • Enough length to resist guessing
  • A password manager to store and create logins
  • Multi-factor authentication on email, banking, shopping, and work accounts
  • Alerts for strange sign-ins or security changes

If you miss those basics, changing passwords every month won’t save you. If you nail them, you won’t need routine resets for most personal accounts.

How Often Should I Change My Password? At The Right Moments

The best timing is event-driven. You change a password when there’s a clear signal that the old one may no longer be safe. That keeps the job simple and cuts down on weak replacements.

Change it right away after a breach

If a site announces a breach, don’t wait. Change that account’s password at once. If you reused the same or a similar password anywhere else, change those too. Reuse turns one breach into a chain reaction.

Change it after a phishing scare

Clicked a bad link? Typed your password into a page that looked odd? Change that password right away, then review recent account activity. Email should be first on your list because it can reset other accounts.

Change it if someone else had access

Shared a streaming login with a former roommate? Gave a password to a staff member who no longer needs it? Reset it. Shared access is fine until it isn’t, and old logins have a habit of lingering.

Change it if your device may be compromised

A stolen phone, malware pop-up, unknown browser extension, or remote-access scam can put saved passwords at risk. Clean the device first, then rotate the logins that matter most.

Change it if it’s weak or reused

Even if nothing bad has happened yet, weak passwords deserve an upgrade. Single words, names, dates, short patterns, and reused logins should be replaced with stronger ones. CISA’s password advice also points people toward password managers and long, unique passwords for each account.

When Routine Password Changes Still Make Sense

There are cases where fixed reset schedules still show up. Work systems sometimes use them because of older software, compliance rules, shared admin accounts, or sync with on-premises tools. In those cases, follow the policy you’re given. Your employer may be balancing risks you can’t see from the outside.

Routine changes can also make sense after a one-off event. Say you’ve just removed malware from your laptop, or you found an old reused password in a browser vault. You might rotate a batch of accounts in one sitting, then return to event-driven changes after that cleanup.

One more exception: if a service forces a reset after suspicious activity, don’t fight it. Change the password, sign out other sessions, and turn on MFA before you move on.

Situation | Should You Change It? | What To Do Next
--- | --- | ---
Known data breach on that site | Yes, right away | Change it there and on any account that used the same or a close match
You reused the password elsewhere | Yes | Replace every reused login with a different one
Phishing link or fake sign-in page | Yes | Change the password, review account activity, turn on MFA
Shared access is no longer needed | Yes | Reset the login and sign out old devices or sessions
Password is long, unique, and no risk signs appear | No fixed reset needed | Keep MFA on and watch for security alerts
Work policy says 60 or 90 days | Yes | Follow policy, then make the replacement long and unique
Stolen phone or infected computer | Yes | Secure the device first, then change your main logins
Old weak password with names, dates, or patterns | Yes | Swap it for a stronger password or passphrase

What A Strong Password Looks Like Now

Strength isn’t about stuffing in odd symbols until the password turns unreadable. Length and uniqueness do more of the heavy lifting. A long passphrase made of unrelated words is easier to live with than a short, complex-looking string that gets reused all over the place.

Microsoft’s current admin guidance recommends a 14-character minimum for stronger security and warns that forced password changes can push users toward weaker choices. You can read that in Microsoft’s password policy recommendations.
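To put numbers on the length-versus-complexity point, here is an added example (not code from the article, Microsoft, NIST, or CISA). It estimates the entropy of a character password from the character pools it uses, compares that with a random passphrase drawn from a word list, generates such a passphrase with Python's `secrets` module, and checks the 14-character floor the article cites. The word list below is a small constructed one for the demo; real generators use lists of several thousand words, and `passphrase_bits()` takes the list size as a parameter so you can see what a 7,776-word list gives.

```python
import math
import secrets
import string

# Constructed word list for the demo only. A real passphrase generator draws
# from a list of several thousand words; pass that list's size to
# passphrase_bits() to see the entropy such a list provides.
WORDLIST = [
    "anchor", "basil", "canyon", "dune", "ember", "fable", "glacier", "harbor",
    "ivory", "jigsaw", "kettle", "lantern", "meadow", "nectar", "orbit", "pebble",
    "quartz", "ripple", "saddle", "timber", "umbra", "velvet", "willow", "xenon",
    "yarrow", "zephyr", "acorn", "bison", "cobalt", "delta", "falcon", "garnet",
]

LENGTH_FLOOR = 14  # minimum length Microsoft's guidance recommends (cited in the article)

# Character pools a random password generator would pick from. Anything outside
# these four classes (spaces, non-ASCII) is ignored, which is an assumption of
# this demo, not a rule from any guidance.
POOLS = (
    (str.islower, 26),
    (str.isupper, 26),
    (str.isdigit, 10),
    (lambda c: c in string.punctuation, len(string.punctuation)),  # 32 symbols
)


def entropy_bits(pool_size: int, length: int) -> float:
    """Bits of entropy in `length` independent, uniform picks from `pool_size` options."""
    if pool_size <= 0 or length <= 0:
        return 0.0
    return length * math.log2(pool_size)


def charset_size(password: str) -> int:
    """Size of the combined pool implied by the character classes the password uses."""
    return sum(size for test, size in POOLS if any(test(c) for c in password))


def estimate_password_bits(password: str) -> float:
    """Upper-bound entropy estimate for a character password.

    Assumes every character was chosen uniformly at random from the combined pool.
    Human-chosen passwords (names, years, keyboard walks) are far below this bound,
    so treat the number as the best case for that length and character mix.
    """
    return entropy_bits(charset_size(password), len(password))


def passphrase_bits(n_words: int, list_size: int) -> float:
    """Entropy of `n_words` words picked uniformly from a list of `list_size` words."""
    return entropy_bits(list_size, n_words)


def generate_passphrase(n_words: int, words=WORDLIST, sep: str = "-") -> str:
    """Pick words with the OS CSPRNG; never use random.choice for credentials."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def meets_length_floor(password: str, floor: int = LENGTH_FLOOR) -> bool:
    return len(password) >= floor


if __name__ == "__main__":
    # Short-and-complex versus long-and-simple, as the article argues.
    samples = {
        "8 chars, all four classes": ("Tr0ub4d&", estimate_password_bits("Tr0ub4d&")),
        "14 random lowercase letters": ("a" * 14, entropy_bits(26, 14)),
        "6 words from a 7,776-word list": ("(passphrase)", passphrase_bits(6, 7776)),
    }
    for label, (_, bits) in samples.items():
        print(f"{label:32s} ~{bits:5.1f} bits")
    pp = generate_passphrase(6)
    print("example passphrase from the demo list:", pp,
          "| meets 14-char floor:", meets_length_floor(pp))
```

The comparison shows why the article prefers length: eight characters drawn from all four classes top out near 52 bits even when fully random, while fourteen random lowercase letters reach about 66 bits and six words from a standard-sized list about 78 bits, with the passphrase being far easier to type and remember.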

Good password habits that hold up

  • Use a password manager to generate and store passwords
  • Make every password different
  • Turn on MFA for your email first, then banking, shopping, and social accounts
  • Use account alerts so you hear about strange logins fast
  • Review saved passwords once in a while for duplicates or weak entries

Your email password deserves extra care. If someone gets into that one account, they can reset many others. Treat it like the front door, not a side gate.

How To Decide Which Accounts Deserve Attention First

If you’ve got dozens or hundreds of accounts, don’t freeze up. Start with the ones that can do the most damage if taken over. Then work down the list. A short, calm sweep beats panic-resetting every login you’ve ever made.

Start with these accounts

  1. Email accounts
  2. Banking and payment apps
  3. Cloud storage and phone account logins
  4. Work accounts and password manager vaults
  5. Shopping sites with saved cards and addresses

Then move to social accounts, streaming services, forums, and old sites you rarely touch. If an old account still has card details, home address data, or message history, it belongs higher on the list than you might think.

Account Type | Priority | Reason
--- | --- | ---
Email | First | It can reset many other accounts
Banking and payment apps | First | Direct money risk
Password manager | First | One vault can expose many logins
Work and school accounts | Second | May include sensitive files and admin access
Shopping sites with saved cards | Second | Stored payment and address data
Social and messaging apps | Third | Fraud, impersonation, and contact scams
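The "review saved passwords once in a while for duplicates or weak entries" habit above, combined with this priority table, is something you can script against a password manager export. The following is an added example, not code from the article or from any password manager: it runs over a constructed sample vault, flags exact reuse, near-duplicates (the "same or a close match" the breach section warns about, such as a year bumped by one), and weak entries (short, year-based, or built around a single word), then orders the findings by the tiers in the table so the accounts that can do the most damage come first. The `fingerprint()` normalisation and the weakness heuristics are assumptions of this demo, not rules from any guidance.

```python
import re
from collections import defaultdict

# Priority tiers from the article's table: lower number means fix it first.
PRIORITY = {
    "email": 1, "banking": 1, "password manager": 1,
    "work": 2, "school": 2, "shopping": 2,
    "social": 3, "messaging": 3,
}
DEFAULT_PRIORITY = 4       # anything not in the table goes last
MIN_LENGTH = 14            # Microsoft's recommended floor, cited in the article

# Constructed sample export with invented entries; no real credentials.
# A real export file should be deleted once the audit has run (see the
# article's note on passwords left in plain notes or spreadsheets).
SAMPLE_VAULT = [
    {"site": "mail.example",  "category": "email",    "password": "Summer2023!"},
    {"site": "bank.example",  "category": "banking",  "password": "Summer2024!"},
    {"site": "shop.example",  "category": "shopping", "password": "Summer2023!"},
    {"site": "forum.example", "category": "social",   "password": "fluffy1999"},
    {"site": "cloud.example", "category": "work",     "password": "rJ7#qL2mVt9!xA3w"},
]


def fingerprint(password: str) -> str:
    """Collapse trivial edits: lower-case and strip digits/punctuation from both ends.

    'Summer2023!' and 'Summer2024!' both become 'summer', so they are reported as a
    close match even though they are not byte-for-byte identical.
    """
    core = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", password.lower())
    return core or password.lower()


def weakness_reasons(password: str) -> list:
    """Heuristic weak-password checks (demo assumptions, not a standard)."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if re.search(r"(19|20)\d\d", password):
        reasons.append("contains a year")
    core = fingerprint(password)
    # A short purely alphabetic core is almost always a name or dictionary word.
    if re.fullmatch(r"[a-z]+", core) and len(core) <= 12:
        reasons.append("built around a single word")
    return reasons


def audit(vault: list) -> list:
    """Return findings sorted by the article's priority tiers, then by site name."""
    by_exact = defaultdict(list)
    by_fingerprint = defaultdict(list)
    for entry in vault:
        by_exact[entry["password"]].append(entry["site"])
        by_fingerprint[fingerprint(entry["password"])].append(entry["site"])

    findings = []
    for entry in vault:
        site, pw = entry["site"], entry["password"]
        reasons = []
        exact = [s for s in by_exact[pw] if s != site]
        if exact:
            reasons.append("same password as " + ", ".join(exact))
        near = [s for s in by_fingerprint[fingerprint(pw)] if s != site and s not in exact]
        if near:
            reasons.append("close match to " + ", ".join(near))
        reasons.extend(weakness_reasons(pw))
        if reasons:
            findings.append({
                "site": site,
                "priority": PRIORITY.get(entry["category"], DEFAULT_PRIORITY),
                "reasons": reasons,
            })
    findings.sort(key=lambda f: (f["priority"], f["site"]))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_VAULT):
        print(f"[tier {f['priority']}] {f['site']}: " + "; ".join(f["reasons"]))
```

On the sample vault the work account with a long random password produces no finding, while the email and banking logins land at the top of the list because they share a year-bumped password and sit in the first tier; that ordering is the "short, calm sweep" the article recommends instead of resetting everything at once.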

Common Password Mistakes That Create More Work

One mistake is changing a password but leaving old sessions active. If the service gives you a “sign out of other devices” option, use it. Another is resetting the password but leaving MFA off. That’s like changing the lock and leaving a window open.

People also burn time chasing complexity while ignoring reuse. Reuse is the trap. A fancy-looking password used on five sites is a weak setup. One breach can spill into four more accounts in minutes.

Another snag is storing passwords in places that are easy to snoop on, like plain notes, unprotected spreadsheets, or old emails. A password manager is cleaner and easier to maintain. It also makes routine security checks less painful.

A Simple Rule You Can Stick With

Don’t change passwords on autopilot. Change them when risk appears, and make the replacement long, unique, and stored in a password manager. Put MFA on the accounts that matter most. That mix beats the old timer-based habit for most people and most personal accounts.

If your employer or a service has its own reset policy, follow it. Outside that, let real warning signs—not the calendar—tell you when it’s time.
