We all get reminded to change our passwords frequently, and some of us worked in places where a change was required every XX days no matter what. At the same time, most of us thought very little of the practice, and now we can say that it's officially a bad idea.
The National Institute of Standards and Technology (NIST) has now come out saying those enforced frequent changes are definitely a bad idea and has issued new guidance saying organizations shouldn't do it.
Similarly, the UK's National Cyber Security Centre (NCSC) said in a report that "Regular password changing harms rather than improves security.... The user is likely to choose new passwords that are only minor variations of the old."
There are a number of ways to improve online security (passkeys, 2FA, password managers, etc.) but routinely changing your password isn't one of them.
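The NCSC's point that rotated passwords tend to be "minor variations of the old" is easy to see in practice. Below is an added example (written for this page, not code from NIST, the NCSC, or any product) that a defender might use to audit a password-change history: it normalizes each password by stripping the trailing digits and symbols people typically bump, undoing common character substitutions, and then checks whether the new password is really the old one in disguise. The function names, the substitution table, and the sample histories are all constructed for illustration.

```python
import re

# Common substitutions users make to "change" a password without remembering
# anything new (assumed list, constructed for this example).
LEET = str.maketrans({"@": "a", "0": "o", "3": "e", "1": "i", "$": "s",
                      "5": "s", "4": "a", "7": "t"})


def normalize(pw: str) -> str:
    """Reduce a password to the memorable core a user actually reuses.

    Strips leading/trailing digits and symbols (the part that gets bumped each
    cycle), lower-cases, undoes leet substitutions and drops anything that is
    not a letter.
    """
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", pw)
    core = core.lower().translate(LEET)
    return re.sub(r"[^a-z]", "", core)


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (classic dynamic-programming form)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def is_minor_variation(old: str, new: str, max_distance: int = 2) -> bool:
    """True if `new` is essentially `old` with a bumped suffix or a couple of edits."""
    if normalize(old) == normalize(new):
        return True
    return levenshtein(old.lower(), new.lower()) <= max_distance


def rotation_report(history: list[str]) -> list[bool]:
    """For each forced change in a history, flag whether it was only a minor variation."""
    return [is_minor_variation(prev, cur) for prev, cur in zip(history, history[1:])]


if __name__ == "__main__":
    # Constructed sample: three 90-day rotations of the same password, then a real change.
    sample = ["Summer2023!", "Summer2024!", "Summer2025!", "Tr0ub4dor&3"]
    for (prev, cur), minor in zip(zip(sample, sample[1:]), rotation_report(sample)):
        print(f"{prev!r} -> {cur!r}: {'minor variation' if minor else 'genuine change'}")
```

Run as a script it prints one line per rotation; the first two changes are flagged as minor variations and only the last counts as a genuine change. In a real deployment the same check would run inside a password-change handler with the old hash unavailable in plaintext, so it would be applied at the moment of change, when both values are briefly in memory, rather than on a stored history.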