
Ask HN: Should I change my passwords frequently? - czatt
That seems to be the general guidance (my company forces us to change our system passwords every 60 days), but I am unsure why this is the case. If someone were to bypass / obtain my password, couldn't they do it immediately? If changing passwords is helpful, how frequently should you do it to be effective?
======
viraptor
Changing credentials is helpful if you assume they're compromised every once
in a while. These days if a unique and random password is used for each
service and/or with 2fa enabled, that assumption is not that great anymore.
Adding to that the fact that most people will just add "1" or the current year
at the end, it makes updating the password much less useful - it will only
stop completely trivial malware.

The recommendation has actually changed in high level policies relatively
recently: [https://nakedsecurity.sophos.com/2016/08/18/nists-new-passwo...](https://nakedsecurity.sophos.com/2016/08/18/nists-new-password-rules-what-you-need-to-know/)

------
barneythedino
No.
[https://securityboulevard.com/2019/03/nist-800-63-password-g...](https://securityboulevard.com/2019/03/nist-800-63-password-guidelines/)

------
earpwald
Changing passwords frequently leads to trends in password reuse, i.e. increasing
1 to 2 and then to 3, etc.

Best password is a long random words password as explained by xkcd!
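The "bump the trailing digit" pattern that viraptor and earpwald describe is something a rotation policy can at least detect on the server side. The following is an added example, not code from any poster: a small check that flags a new password which is the old one with a changed suffix or only a couple of edits. The `SAMPLE_CHANGES` pairs are constructed for illustration.

```python
import re

# Constructed (old, new) pairs showing the "append 1 / bump the year" rotation
# pattern discussed in the thread; sample data, not from any poster.
SAMPLE_CHANGES = [
    ("Summer2019!", "Summer2020!"),
    ("Tr0ub4dor&3", "Tr0ub4dor&4"),
    ("correct horse battery staple", "purple monkey dishwasher 42"),
]

# Trailing digits and symbols are what people typically increment on rotation.
_TRAILING = re.compile(r"[0-9!@#$%^&*._-]+$")


def _stem(password: str) -> str:
    """Lower-case the password and strip the trailing digits/symbols."""
    return _TRAILING.sub("", password.lower())


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; quadratic cost is fine for password-length strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trivial_variant(old: str, new: str, max_edits: int = 2) -> bool:
    """True when the new password is the old one with a bumped suffix or only
    a couple of characters changed, i.e. a rotation that buys nothing."""
    if new == old:
        return True
    if _stem(old) and _stem(old) == _stem(new):
        return True
    return levenshtein(old.lower(), new.lower()) <= max_edits


def audit(pairs):
    """Return the (old, new) pairs a rotation policy should reject."""
    return [(o, n) for o, n in pairs if is_trivial_variant(o, n)]


if __name__ == "__main__":
    for old, new in audit(SAMPLE_CHANGES):
        print(f"rejected: {old!r} -> {new!r}")
```

A real deployment would run this at password-change time against the (still in memory) old password, never against stored hashes, since the comparison needs the plaintext of both.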

