Hand holding a phone. There's a speech bubble with a question "Change password?" above the hand with a phone.

Passwords have been the bane of user existence since the first non-IT-nerd user had to make up one. To add insult to injury, just creating a password isn’t enough — you have to change them from time to time. But how often do you actually need to change your password? Once a year. That’s the answer Surfshark’s Information Security Officer gave us. If you need more than that, read the rest of the article.

Table of contents

    How often should passwords be changed?

    Changing your passwords once a year is enough. But don’t take it from me — take it from the Surfshark Information Security officer.

    Quoth the subject matter expert: 

     

    “Frequent password changing is overrated. It’s not a recommended practice. NIST [National Institute of Standards and Technology at US Department of Commerce] released their Digital Identity Guidelines 800-63-3, which state that increasing password complexity is better than simply changing it. That’s because frequent password changes encourage the user to reuse the same password by just changing a symbol or two. This does not present a significant challenge to hacking. 

    I’d say you should change your passwords once a year.”

    And there you have it. You don’t need to change your passwords regularly. As long as the circumstances don’t require otherwise, there’s no need to change your password more often than once a year

    When should you change your password?

    There are external circumstances that should compel you to change your password more than once every 365 days, all of them unpleasant. 

    You should change your password immediately if:

    1. Your login data appeared in a data breach: collections of login credentials that hackers gained via a website or service breaches appear all the time, so if your password is on one of those, you need to change it. To keep abreast of such cybersec discoveries, it’s best to employ a service like Surfshark Alert, which will notify you if your credentials appear in a newly discovered breach.  
    2. You have been phished: phishing, in its many forms, is a scam where an appearance of legitimacy is used to trick you into giving away your sensitive information. So if you’ve fallen victim to one, you should change your password immediately.
    3. You detected malware on your device: while ransomware is probably the hottest new malware trend, any malware has the potential to steal your login data — including passwords. Change all of them immediately upon detection. 
    4. You shared your account with someone: we all want to share our accounts with our spouses, friends, and so on. But people may not stay in relationships forever, and if one of them ends, so has the lifespan of the password. Don’t leave your accounts in the hands of former associates. 
    5. You have a weak password: just because your password isn’t on the Top 10 Worst Passwords list doesn’t mean that it’s not bad. Change it into something stronger that follows password creation guidelines. 
    6. You have repeated a password: using the same password on multiple websites/services/accounts may seem tempting, but it’s also a huge security risk. If one of those gets breached, all of them are imperiled. So if you have the same password on multiple sites, it should be changed immediately. 
    7. You logged in at a public space: whether it’s using a device you can’t verify the security of or an unsecured Wi-Fi network, you have put your passwords and accounts at risk. Change your passwords as soon as you have access to a safe device and a secure connection. 

    There sure are a lot of dangers from unsecured communications out there, so make sure to always have good, secure passwords. But those are not just empty words; we also have advice on the subject!

    How to create a good password

    There’s more to crafting a good password than just not using 12345678 for it. Luckily for you, the tips for it are easy and plentiful. 

    1. A good password is at least 12 symbols long — security experts almost agree on that one; some advise going up to 14 characters. 
    2. Mix symbols, numbers, upper- and lowercase letters — so, you know, something like sOP3&(2aU398. Do not use that example as a password. 
    3. Do not use words or combinations of words — a dictionary attack is a brute force attack where the hacker uses a computer to run a dictionary until it guesses the password. So a single word is bad, a combo of words is less-but-still-bad, and an obvious combo is back to bad. 
    4. Avoid obvious substitutions — if you’re hell-bent on not listening to us and still use a word, don’t make obvious letter-to-number substitutions. “Fatal1ty” isn’t going to trick hackers for long. 
    5. Use international UTF-8/UTF-16 letters — if you’re not an English speaker, try to pepper some of your native language with that special keyboard you downloaded. At least a single Ą or Č will improve password complexity a lot. 
    6. Use multi-factor authentication — you’ve probably already heard of 2FA — two-factor authentication — and with good reason. If you’re only protected by your password, the hackers only need to steal that. But if you have to log in with a password and then verify the login on your phone, then the hackers have to gain access to your phone as well, which is much harder to accomplish. So use 2FA!

    Now, your new password might look scary at this point, but there are ways to make this all work for you. Some of the said ways are described in the section below!

    How to keep your passwords safe

    No password is safe if you lose them. To prevent your passwords from falling into the wrong hands, you can use the following methods:

    1. Use a password manager: I’m starting out with this one so that you wouldn’t be intimidated by the following steps; if you have a password manager, you’ll only ever need to remember ONE password — the one for the manager. For more information on the subject, we have an article on how safe password managers are
    2. Never use the same password twice: if you use the same one on two different websites, only one must be breached to compromise both of them. And the more websites you use repeating passwords on, the more likely it is that one will get breached and leak your data. 
    3. Use a VPN when using public Wi-Fi: public Wi-Fi hotspots may simply be unsecured, compromised, or even faked to capture your data. But if you use a VPN, any stolen data will be unreadable to the hackers, and thus your passwords will be safe. 
    4. Never tell anyone your password: it generally applies to friends, relatives, and strangers. Most of all, remember that no company or organization will ever really ask for your password: they already have the ways to access the necessary data, so anyone asking for your password is a scammer.

    In conclusion: be smart about changing your passwords

    Making sure your passwords are secure is a great treat you can give yourself. With data breaches happening left and right and phishing rampant, it pays off to invest in your security. So get a password manager now… and then consider getting Surfshark Alert to get warned if your passwords get leaked.

    Have someone keep an eye on your logins

    Get Surfshark Alert

    FAQ

    How often should you change your Apple ID password?

    According to all best practices, you should change your Apple ID password once a year. 

    One caveat: if you’re phished, experience a data breach, or detect malware on your devices, you should change the password immediately.

    How often should you change your Gmail password?

    Our security expert says that you should change your Gmail password every year. The only reason to change your password more often is if it was revealed in a data leak, you were caught in a phishing scam, or you found malware on your device. 

    How often should you change your email password?

    According to the data available to our security specialists, you should change your email password once a year. However, if you have experienced a data leak of any sort, you should change it immediately. 

    How often should you change your Amazon password?

    It is recommended by internet security specialists to change your Amazon password once every year. The one exception is data leaks: if you have been hacked, phished, infected with malware, or your data has appeared online via a data breach, change your password immediately. 

    How often should you change your PayPal password?

    You don’t need to change your PayPal password more than once in twelve months. 

    However, you have to keep in mind that you may be forced to do so more often if your data has been exposed via a leak or hack.