Are Frequent Password Changes Actually Good for Your Security?

Dan Price 08-02-2018

How often do you change your password? We bet some of your credentials are more than a decade old.


In fact, most of us only change our passwords when a situation forces us to. Typically, that’s either when you can’t remember it, or an app or your company forces you to create a new one every few months.

So, which approach is right? Should you leave your password untouched for years, or should you change it as often as the seasons? Here are the pros and cons of changing your password too frequently.

It Makes Your Account (a Tiny Bit) More Secure

The generally received wisdom is that changing your password frequently makes your account more secure.

The argument suggests that if you’re the unwitting victim of a leak, changing your password regularly can quickly negate the details that a would-be hacker has on file.

Similarly, if someone gains access to your password without your knowledge, it prevents the person snooping on you for an extended period. It’s why IT Managers around the country are so obsessed with foisting forced resets on you every couple of weeks.


Is the argument valid? Yes, but it’s not as clear-cut as you might expect. Even on the assumption that your new passwords are as strong as the previous ones (more on that shortly), the practice has minimal benefit.

In a Carleton University paper, the researchers explained that attackers who have obtained a copy of a hashed password file can attack it offline, testing very large numbers of guesses in a short time. Weak- and medium-strength passwords are therefore at risk regardless of how often they are rotated.

The paper goes on to show mathematically that even frequent changes to strong passwords hamper such attacks by only a negligible amount. The benefit is almost certainly not worth the inconvenience it brings to users.

Instead, the paper recommends that system administrators should use slow hash functions such as bcrypt. Users would not be inconvenienced, and the process makes it harder for attackers to guess a large number of passwords quickly.
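To make the paper's point concrete, here is an added example (not code from the paper or from this article) that stores and verifies passwords with a deliberately slow, salted KDF from Python's standard library (scrypt, standing in for the bcrypt the paper names), and compares its guess throughput against a fast digest; the scrypt cost parameters and the rotation-period figure are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time

# scrypt cost parameters: assumed values for this illustration, tune them
# for your own hardware (about 16 MiB of memory per hash with these).
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, digest) for storage; a fresh random salt is used when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the KDF with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def measure_throughput(rounds: int = 20) -> dict:
    """Crude hashes-per-second on this machine for a fast digest versus scrypt."""
    salt = os.urandom(16)
    candidates = {
        "sha256": lambda pw: hashlib.sha256(salt + pw).digest(),
        "scrypt": lambda pw: hashlib.scrypt(pw, salt=salt, n=SCRYPT_N,
                                            r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN),
    }
    results = {}
    for name, fn in candidates.items():
        start = time.perf_counter()
        for i in range(rounds):
            fn(b"constructed-guess-%d" % i)   # constructed sample input
        results[name] = rounds / max(time.perf_counter() - start, 1e-9)
    return results


def offline_guess_budget(hashes_per_second: float, rotation_days: float) -> float:
    """Guesses an offline attacker can make before a password rotated every rotation_days expires."""
    return hashes_per_second * rotation_days * 86400


if __name__ == "__main__":
    rates = measure_throughput()
    for name, rate in rates.items():
        # Even a 90-day rotation leaves the fast digest exposed to a huge guess budget;
        # the slow KDF shrinks that budget by orders of magnitude without bothering users.
        print(f"{name:7s} {rate:12.0f} hashes/s -> "
              f"{offline_guess_budget(rate, 90):.3g} guesses in 90 days")
```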


Your New Password Is Likely to Be Insecure

I’m sure you don’t need us to tell you how to create a strong password, but the information is always worth repeating:

  • Your password should use a mix of letters and numbers.
  • It should use some uppercase and some lowercase letters.
  • Ideally, it should contain special characters.
  • It should be more than 12 characters long.

Those four points are easier said than done. Creating passwords that fulfill all the requirements — and then remembering them — takes a lot of mental energy.

So, what happens when people change their credentials too frequently? In short, they get lazy.


Again, it’s a scientifically proven phenomenon. In 2010, researchers at the University of North Carolina released a paper titled “The Security of Modern Password Expiration: An Algorithmic Framework and Empirical Analysis.” In it, they studied password histories from defunct accounts at the university.

The study looked at more than 10,000 old accounts and 51,141 passwords. The researchers performed an offline hash attack and ultimately cracked 60 percent of the credentials. From the 60 percent, 7,752 passwords were not the final password used on the account.

They then used that data set to see if they could extrapolate other passwords connected to the account. The results were amazing. In 17 percent of cases, the next password used on the account could be guessed in under five seconds.

But why? The study concluded that people tended to make very minor alterations when changing a password frequently. For example, Sausage123 might become $ausage123, hellocheese! would become hellocheese!!, and so on.


When Should You Change Your Password?

At the start, I joked that you probably have some passwords which are approaching their tenth birthday. But is that a joke?

The evidence we’ve looked at so far appears to suggest long-standing passwords might actually be a good thing. What’s the truth? You just need a bit of common sense.

Of course, if you suspect someone is accessing your account without your authorization, you should change your password. If you think someone was watching when you were entering your online banking credentials, you should change your password. If you had to “loan” your password to someone, you should change it.

And if you think you’ve accidentally become the victim of a phishing scam, you should change your password.

In all cases, you need to make sure your new password has no resemblance to the old one. Don’t use the same core word. Don’t put the same special characters in the same positions. And don’t try something like writing your old password backward.

And remember, you should also change your password on any other accounts which use similar credentials. For example, if your Facebook password is flowerpot1 and your Twitter password is 1flowerpot, you should change them both.

If you’re not sure, just follow the four fundamental guidelines we discussed earlier in the article when you make a new password.
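The UNC study's finding (Sausage123 becoming $ausage123, hellocheese! becoming hellocheese!!) and the advice above about not reusing the core word, the same symbols or a reversed password can be turned into a server-side check that runs when a user picks a new password. This is an added example, not code from the study or from this article; the symbol-substitution table and the edit-distance threshold of two are assumptions.

```python
import re
from typing import Optional

# Assumed table of common symbol-for-letter substitutions that the checker undoes.
LEET = str.maketrans({"$": "s", "@": "a", "|": "l", "(": "c"})


def core(password: str) -> str:
    """Lower-case, undo symbol substitutions, and drop digits/punctuation at either end."""
    normalised = password.lower().translate(LEET)
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", normalised)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance: how many single-character changes turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def too_similar(old: str, new: str) -> Optional[str]:
    """Return the reason the new password is a trivial transform of the old one, or None."""
    if new == old:
        return "unchanged"
    if new == old[::-1]:
        return "old password written backwards"
    if (new.startswith(old) or old.startswith(new)
            or new.endswith(old) or old.endswith(new)):
        return "characters only added to or removed from the old password"
    if core(old) and core(old) == core(new):
        return "same core word with different capitalisation, symbols or digits"
    if levenshtein(old, new) <= 2:
        return "differs from the old password by two characters or fewer"
    return None


if __name__ == "__main__":
    # Constructed pairs, including the transformations the study describes.
    for old, new in [("Sausage123", "$ausage123"), ("hellocheese!", "hellocheese!!"),
                     ("flowerpot1", "1flowerpot"), ("Sausage123", "321egasuaS"),
                     ("Sausage123", "correct horse battery staple")]:
        print(f"{old!r} -> {new!r}: {too_similar(old, new) or 'accepted'}")
```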

What About Forced Password Resets?

But what about forced password resets? Is it a good idea for an app or your employer to force a new password upon you? Probably not.

In 2009, The National Institute of Standards and Technology said regular password changes were “beneficial for reducing the impact of some password compromises,” but were “ineffective for others.” And, of course, users were frequently left frustrated by the forced change. Companies need to reach a compromise between security and usability.

The Bottom Line

The arguments might sound complex, but they are easy to summarize.

  • User-initiated frequent password changes might make users marginally more secure, providing the new password is highly robust.
  • Enforced frequent password changes often have a negative effect, with users choosing less secure credentials.

Now we want to hear your thoughts on the debate. Are you confident in your ability to choose a secure password on a regular basis? Or are you happy using a decade-old password on all your accounts?

Remember, if you do frequently create complicated new passwords, you should use a password manager app like LastPass. You won’t need to recall the passwords yourself.


  1. m-p{3}
    February 9, 2018 at 7:39 pm

    I believe there's a balance to achieve, and that there should be some considerations to take when implementing some kind of password expiration policies.

    If you force a user to change a password too frequently, they'll get annoyed by the system and choose weak passwords or go against some policies (writing it down on a post-it, etc).

    Forcing a more complex password, with a longer expiration date (ie: 6 months, a year, etc) would be IMO safer. If possible, give more options to a user regarding their security, like giving them the option to have a longer expiration date (2 or 3 years) / no expiration date if they use a 2FA solution.

  2. dragonmouth
    February 8, 2018 at 10:48 pm

    Following this reasoning to its logical conclusion, one-time passwords are the way to go. Of course, if one has dozens or hundreds of accounts, even with the help of a password generator and a password manager, one would spend most of the time changing passwords, rather than accessing those accounts.

    The irony of this fixation on passwords and changing them is that there are two ends to be protected. We, as individuals, can create and maintain bullet-proof passwords to secure our end. However, if the bank, the shopping site, the credit bureau and anybody else we have an account with does not secure their databases properly, the data will be compromised anyway. In the Equifax breach 140 million records were "stolen". Not one of those 140 million individuals had any choice in what records were collected by Equifax. Neither did they have any say in how well or how badly those records were secured.

    Speaking of changing passwords and such. I use an anonymizing service to provide me with a one-time email address. MakeUseOf will not allow me to use a masked email address. It insists I provide my real one. I have not encountered any other site that does that. It seems that MUO is contributing to the INsecurity of the Internet.