How Often Should You Change your Password?

When is the right time to change passwords? In the world of password security there seems to be a “Goldilocks” paradigm. Tech experts who once believed that passwords should be changed often have now begun to trend toward the idea that changing them too regularly can be counterproductive. So what is the “Goldilocks” window of password protection?


In the not-too-distant past, tech experts raved that “best practices” of password security included changing passwords fairly often. Some websites and companies required changing passwords every 30-42 days. In fact, the default maximum password age on Windows Server is 42 days. That means that every month or so employees must create and remember a new password for each account in order to gain access. While this may limit how long a stolen password remains useful to an online attacker, it is mostly seen as a frustration by employees, who must resort to remembering a new combination of letters, numbers, and special characters.


Now there seems to be a trend toward the idea that changing passwords often causes a loss in productivity with minimal security benefit. The National Institute of Standards and Technology (NIST) cites multiple studies stating that changing passwords every 30 days is counterproductive to the end goal, namely secure access to business data, files, websites, and servers. The research has shown that workers often forget the new passwords, change them to something similar to the old one, or make careless mistakes such as putting a sticky note on their laptop to remember the newest password. Instead of changing passwords based on a calendar, here are some suggestions for making your passwords more secure, regardless of when you change them.


  • Use Two-Factor or Multifactor Authentication for stronger security. By using several forms of authentication, security is even tighter. While it may take an extra minute or two to wait for a code to be sent to your phone or email, the security is worthwhile if there is sensitive data that you do not want in the hands of a hacker.
  • Use a password manager to create, store, share, and manage your passwords. Popular managers include LastPass, Dashlane, and 1Password.
  • Use biometrics when possible including: fingerprint access, retinal scans, voice recognition, and touch security.
  • Stop reusing one password across all of your accounts, since that would give a hacker complete access: if they can crack one, they have them all.
  • Change out all default passwords.
  • Add complexity to your passwords including passphrases.
  • Avoid dictionary words that can be easily discovered.
  • Never store your passwords on your computer or phone.
  • Use a lockout feature to block someone who tries to access your system after three tries.
  • Change passwords if there has been a recent firing or layoff at your business.
  • Never share your passwords over email, and never write them down or store them in a plain file.
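Two of the settings above (the 42-day default maximum password age and a lockout after three failed attempts) live in the Active Directory default domain password policy and can be audited from PowerShell. The following script is an added example, not from the original post; it uses the `ActiveDirectory` module and assumes a domain-joined machine with read access to the policy.

```powershell
# Audit the default domain password policy against the recommendations
# in this post: no calendar-based rotation (NIST) and lockout after 3 tries.
Import-Module ActiveDirectory

$policy = Get-ADDefaultDomainPasswordPolicy

# MaxPasswordAge is a TimeSpan; 42 days is the Windows Server default.
$maxAgeDays = $policy.MaxPasswordAge.TotalDays
if ($maxAgeDays -gt 0 -and $maxAgeDays -le 42) {
    Write-Warning "Passwords expire every $maxAgeDays days; NIST advises against forced periodic rotation."
} else {
    Write-Output "Maximum password age: $(if ($maxAgeDays -eq 0) { 'never expires' } else { "$maxAgeDays days" })"
}

# LockoutThreshold of 0 means accounts are never locked out.
if ($policy.LockoutThreshold -eq 0) {
    Write-Warning "No account lockout is configured; attackers can guess passwords indefinitely."
} elseif ($policy.LockoutThreshold -gt 3) {
    Write-Warning "Lockout after $($policy.LockoutThreshold) attempts; this post recommends 3."
} else {
    Write-Output "Lockout threshold: $($policy.LockoutThreshold) attempts"
}

# Length and complexity requirements, which matter more than rotation frequency.
Write-Output "Minimum length: $($policy.MinPasswordLength), complexity enforced: $($policy.ComplexityEnabled)"
```

To apply changes, use `Set-ADDefaultDomainPasswordPolicy` with the same parameter names (for example `-LockoutThreshold 3`); domain administrator rights are required.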


Does your business need help with security or password management? Call Spectra Networks at 978.219.9752, or visit our website at Spectra Networks to stay on top of your security issues.