Are password changes necessary?

Security 4. January 2017

We often hear and read that regular password changes increase security. Many companies also force their employees to do this. But does this really lead to more security?

At first glance, it seems to make sense to change passwords regularly. However, a closer look reveals that this is a fallacy. There are two simple reasons for this:

A password does not become more secure if it is changed regularly: It takes a certain amount of time to crack a good password, which is primarily determined by the available computing power. For a good password, that’s millions of years.
Users who are forced to change a password regularly tend to use simple passwords or stick the password on a post-it to their screen (you won’t believe how often we actually encounter this!).

Test now!

Test here how long it would theoretically take to crack your password.

Forced password changes are therefore counterproductive and in practice reduce password security instead of increasing it.

However, sometimes there are valid reasons to change a password! Change your passwords immediately if…

… your current password is too simple (see box).
… you suspect (gut feeling is enough) that a password has been cracked or stolen.
… you have told your password to someone or written it down on an easily accessible piece of paper.
… you use the same password in several places.