- Forced rotation pushes users toward weaker, more predictable passwords. NIST stopped recommending it.
- Change a password when you have a reason: a breach, a suspicious login, a shared device.
- If you use a password manager and a unique password per site, you can leave most untouched for years.
- But change any password that shows up in a breach immediately, on every site where you used it.
For decades, IT departments forced password changes every 60 or 90 days. The thinking was simple: if a password leaks, regular rotation limits how long an attacker has access. The thinking was wrong.
Modern guidance from NIST, Microsoft, and the UK's National Cyber Security Centre all converges on the same answer: stop forcing rotation. The actual rule is more nuanced and easier to follow.
Why forced rotation made things worse
When users are required to change passwords every few months, predictable behaviour follows. They make small modifications: Spring2024! becomes Summer2024!, then Fall2024!. The new password is no harder to crack than the old one. Often it is easier, because the change is so predictable.
NIST studied this and found that forced rotation produces:
- Predictable variations attackers can guess from the old password.
- Weaker root passwords, because users want them easy to modify.
- More passwords written on sticky notes, because the human cannot remember dozens of small variations across dozens of services.
In 2017, NIST formally retired the forced rotation requirement in SP 800-63B. The 2024 update reinforced it. The current guidance is to require a change only when there is evidence of compromise.
What the modern rule actually is
Change a password when one of these is true:
- The password has been in a breach. Any password exposed in a leak is permanently compromised. Change it everywhere it was used.
- You suspect unauthorized access. A login from an unknown device, an unexpected email about account activity, anything that does not match your behaviour.
- You shared the password with someone, even temporarily, and that sharing has ended.
- You used the password on a shared or public computer where keylogging is a risk.
- The account itself stores something newly sensitive, and the existing password no longer reflects the level of protection needed.
Outside those triggers, a strong unique password can stay in place for years.
If a password is strong, unique, and not in any breach, leave it alone. If any of those is no longer true, change it now.
What about old corporate policies?
Many Canadian workplaces still enforce 60- or 90-day password rotation, often because the policy was set years ago and never updated. If you can change the policy, the modern best practice is:
- No mandatory expiry on user passwords.
- Block known weak and breached passwords at the time of creation.
- Require multi-factor authentication for sensitive systems.
- Trigger a forced reset only when a compromise is detected.
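As an added example (not from the original article), a small Python policy check that implements two of the points above and the "no tiny variants" advice: it blocks a new password that appears in a breached-password set (a constructed local set here, standing in for a real breach-corpus lookup such as a k-anonymity range query), rejects Spring2024! to Summer2024! style rotations of the previous password, and triggers a reset only on evidence of compromise, never on a calendar.

```python
import hashlib
import re
from typing import List, Optional

# Constructed sample of breached-password SHA-1 hashes (stand-in for a real
# breach corpus; a production check would query a k-anonymity range API).
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("Password1!", "Spring2024!", "Summer2024!", "123456")
}
SEASON_YEAR = re.compile(r"(spring|summer|fall|autumn|winter)\d{4}", re.I)

def is_breached(password: str) -> bool:
    """Policy point 2: block known-breached passwords at creation time."""
    return hashlib.sha1(password.encode()).hexdigest().upper() in BREACHED_SHA1

def _core(pw: str) -> str:
    """Drop the trailing digits/symbols users tweak; lowercase the rest."""
    return re.sub(r"[\d\W_]+$", "", pw).lower()

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small value means a trivial variant."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_trivial_variant(new: str, old: str) -> bool:
    """Flags Spring2024! -> Summer2024! and Password1! -> Password2! rotations."""
    if SEASON_YEAR.search(new) and SEASON_YEAR.search(old):
        return True
    core = _core(new)
    if core and core == _core(old):
        return True
    return edit_distance(new.lower(), old.lower()) <= 2

def check_new_password(new: str, old: Optional[str] = None) -> List[str]:
    """Reasons to reject a proposed password; an empty list means accept."""
    reasons = []
    if is_breached(new):
        reasons.append("found in breach corpus")
    if old is not None and is_trivial_variant(new, old):
        reasons.append("trivial variant of previous password")
    return reasons

def needs_reset(password_at_login: str, suspicious_login: bool) -> bool:
    """Policy point 4: run at login, when the plaintext is briefly available.
    Reset only on evidence of compromise (breach hit or flagged login)."""
    return is_breached(password_at_login) or suspicious_login
```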
Microsoft, Google, and the FIDO Alliance all align on this approach. Canadian organizations regulated by PIPEDA or Quebec's Law 25 can adopt these patterns and still meet their obligations to maintain reasonable security safeguards. The Privacy Commissioner of Canada looks for safeguards proportional to the sensitivity of the data, not for evidence of arbitrary rotation rules.
Specific scenarios
Email password
This is your single most important credential. If it is strong, unique, and protected by two-factor authentication, change it only when there is reason to. Once a year is fine if you want a routine; more often is unnecessary.
Banking password
Same logic. Strong, unique, MFA on. Most major Canadian banks now require multi-factor authentication by default, which significantly reduces the value of forced rotation.
Social media password
Treat it like your email. If anything strange shows up in your account activity log, change immediately. Otherwise, leave it.
Password manager master password
This is a special case. The master password unlocks everything else. Change it if you have any reason to suspect compromise, or if you have used it on an untrusted device. Some users rotate the master annually as a precaution. Reasonable, but not required.
Work passwords with a forced expiry
If your employer requires rotation, do not fight it from your desk. Comply, but try to set the new password to something genuinely fresh, not a tiny variant of the old one. Use your password manager to track which password is current.
Why this is good news
The traditional rotation policy was a tax on users. Doing the right thing took real effort. The modern policy is far easier to follow. Set a strong unique password once, store it in your manager, turn on MFA, and walk away.
The energy you used to spend rotating passwords is better spent in three places:
- Adopting a password manager if you have not yet. Our manager guide walks through the options.
- Turning on two-factor authentication on every account that supports it. We cover the types in what is 2FA.
- Running a one-time check across your accounts to find any password already exposed in a breach. The instructions are in how to check if your password has been leaked.
Those three things together are vastly more effective than rotating Password1! to Password2! every quarter.
Make it count. Generate a 20-character random password with our generator. No reuse, no guessing.
The takeaway
The advice you grew up with is outdated. Forced rotation made passwords weaker, not stronger. The modern rule is simple: change when something has changed, not on a calendar.
If you stop rotating without compromise, you save time. You also stop training yourself into predictable patterns. The new habit is to use a strong unique password per account, store it in a manager, and leave it alone unless something gives you a reason to act.
For most users, that means changing a handful of passwords per year. Some years, none at all. That is what good security actually looks like.