How Often Should You Change Your Passwords?
For years, IT departments forced everyone to change passwords every 30, 60, or 90 days. That rule felt responsible, but research — including updated guidance from major security standards bodies — has concluded it actually weakens security. Here is the modern view: change a password when there is a reason to, not on a schedule.
Why forced rotation backfires
When people are forced to change a password regularly, they do not invent a fresh strong one each time. They make small, predictable tweaks: "Spring2025!" becomes "Summer2025!" becomes "Autumn2025!". Attackers know this pattern and exploit it. Frequent forced changes also push people toward simpler passwords they can remember through the churn, and toward writing them down insecurely. The net effect is weaker passwords, not stronger ones.
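The tweak pattern described above is easy to catch mechanically, which is exactly why it offers so little protection. As an added illustration (not Passlock's code), here is a change-time check a password-change flow could run to reject a new password that is only a predictable variant of an earlier one; the season/month word list and the 0.8 similarity threshold are assumptions chosen for this example.

```python
import re
from difflib import SequenceMatcher
from typing import List, Optional

# Words people swap while leaving the rest of the password intact.
# Constructed list for this example; a real policy would use a larger one.
_ROTATION_WORDS = [
    "spring", "summer", "autumn", "fall", "winter",
    "january", "february", "march", "april", "june", "july", "august",
    "september", "october", "november", "december",
]
_WORD_RE = re.compile("|".join(sorted(_ROTATION_WORDS, key=len, reverse=True)))


def skeleton(password: str) -> str:
    """Collapse a password to the structure that survives a predictable tweak.

    Lowercase, drop symbols, then replace season/month names with 'W' and
    digit runs with 'N'. "Spring2025!" and "Summer2026!" both become "WN".
    """
    s = re.sub(r"[^a-z0-9]", "", password.lower())
    s = _WORD_RE.sub("W", s)
    return re.sub(r"\d+", "N", s)


def is_predictable_variant(old: str, new: str, threshold: float = 0.8) -> bool:
    """True when `new` is a small tweak of `old` rather than a fresh password."""
    if skeleton(old) == skeleton(new):
        return True  # same structure, only the season/month/number changed
    # Fall back to raw similarity: "Hunter2!" -> "Hunter2!x" is still a tweak.
    return SequenceMatcher(None, old.lower(), new.lower()).ratio() >= threshold


def resembles_previous(history: List[str], new: str) -> Optional[str]:
    """Return the earlier password that `new` resembles, or None if it is fresh.

    Only possible at change time, when the user supplies the current password
    in plaintext; stored hashes cannot be compared this way.
    """
    for old in history:
        if is_predictable_variant(old, new):
            return old
    return None


if __name__ == "__main__":
    # Constructed history in the style the article describes.
    history = ["Spring2025!", "Summer2025!", "Autumn2025!"]
    for candidate in ["Winter2025!", "correct horse battery staple"]:
        print(candidate, "->", resembles_previous(history, candidate))
```

A check like this is a guard against the failure mode, not a substitute for the article's advice: unique passwords, breach monitoring and two-factor authentication remove the reason for scheduled changes in the first place.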
When you genuinely should change a password
Rotate a password immediately when any of these is true:
- The service was breached. If a site you use announces a breach, change that password right away. See what to do after a data breach.
- The password appeared in a leak. Check with the password leak checker; if it shows up, retire it.
- You reused it. If you discover a password is shared across accounts, give each account its own. See how to stop reusing passwords.
- You shared it. If you gave a password to someone and the sharing arrangement ends, change it.
- You suspect compromise. Unexpected login alerts, password-reset emails you did not request, or malware on your device all warrant an immediate change.
- It is weak. If an old account still uses a short or guessable password, upgrade it.
What to do instead of scheduled changes
Replace the calendar habit with a stronger foundation:
- Use unique, strong passwords everywhere. A breach of one site then never threatens another, so there is no need for blanket rotations.
- Turn on two-factor authentication for important accounts, so a leaked password alone is not enough to get in. See 2FA vs password manager.
- Monitor for breaches rather than guessing. Let the data tell you when to act.
Where Passlock fits
Passlock stores your passwords in the macOS Keychain and works offline, so generating a fresh unique password when you actually need to change one takes seconds. And because every password is already unique, you are spared the pointless mass rotations the old advice demanded. Interestingly, Passlock also lets you lock a password on purpose — for example, sealing a social account behind a timed lock — which is a deliberate change of access, not a security rotation, but a useful reminder that "when to change access" should always be driven by intent, not by a calendar.
Frequently asked questions
Should I change my passwords every 90 days?
No. Modern security guidance recommends against scheduled rotation because it leads to weaker, predictable passwords. Change a password when there is a specific reason, such as a breach.
When must I change a password immediately?
Change it right away if the service was breached, the password appeared in a known leak, you reused it, you shared it, or you suspect your account was compromised.