A: Actually, changing passwords on a routine basis is very old school, and is no longer mentioned in any US government cybersecurity guidelines.

What was found is that the more often people are forced to change their passwords, the sloppier they became with password creation – making passwords that were easier and easier to hack.

The current guidelines are to:

  1. All passwords should be strong. That definition changes by which authority you ask – typically 8 or 16 (and sometimes more).
  2. Every site and service should have its own unique strong password.
  3. Passwords should be securely stored. Having passwords written on a post-it note on the bottom of ones keyboard does not meet the criteria. This is where the power of a quality password manager (PM) comes in. A PM will automatically create very strong passwords, store them encrypted form on your device. The better ones will allow you to share your passwords among all of your browsers and devices. My favorite – Bitwarden – also serves as your 2-Factor Authentication software.
  4. Whenever possible, use 2-Factor Authentication.
  5. You only need to change your password when it may have been compromised. A good place to check this out is https://haveibeenpwned.com.