When Should You Change Your Passwords—and How Often?

(Credit: Getty Images/anyaberkut)

You don’t need to update your passwords constantly to be secure online—but in a few specific instances, you should change your passwords immediately.

By Kim Key

October is Cybersecurity Awareness Month. In the spirit of the See Yourself in Cyber campaign, it’s time to take a moment to update your online safety toolkit with some precautions and tips. Here are some tips on how to refresh your password hygiene.

Perform a Personal Password Audit

You can’t always prevent hackers from accessing your credentials via data breaches. Keeping an eye on your accounts is the best way to know if your accounts are at risk.

Many password managers include Dark Web monitoring or a built-in password health monitoring tool that can alert you when your credentials appear in a data breach list. These monitoring tools can also detect passwords that have been compromised in the past, reused, or weak character combinations. PCMag Editors’ Choice winner Keeper offers a service called BreachWatch for corporate users; it searches data breaches on the dark web for passwords used by anyone in the company and prompts users to change any compromised ones. For personal password manager accounts, Keeper offers a Security Audit section where you can evaluate your password health.

Don’t Save Passwords in Your Browser

All of the popular web browsers offer to save users’ passwords when they log in to websites. Don’t do it! Browsers are big malware targets. Also, if a stranger or anyone else uses your device, they can use your browser to log into your accounts without having to authenticate their identity. Instead of using your browser’s credential management tool, download a browser extension for your favorite password manager and use that to capture and create new passwords.

When to Change Your Password

How often does your company’s IT department require you to change the password on the computer or other device you use for work? If it’s every 60 to 90 days, that may be too soon. Old cybersecurity advice recommended frequent password changes, but not anymore. Experts now agree that using a long, strong, and unique password generated and stored in a password manager is preferable to frequently changing a password.

The best reason to change a password is if you think it’s been stolen. Otherwise, changing your passwords too often may lead you to use simple passwords that are easier to memorize, or you may be tempted to save the passwords in your browser. Unless the unthinkable happens and a password management company suffers a significant breach affecting its customer records, your passwords are unlikely to be at risk when stored in a password manager’s vault.

Password management company Dashlane put together a great post on protecting your passwords and why you should be careful with your credentials. I’ve also compiled a list of some situations where updating your password is an intelligent cybersecurity action:

Post-Security Breach

As soon as you get the dreaded security breach alert from the affected service or website, change the password associated with that account.

After Discovering You’ve Opened Malware or You’ve Been Phished

Changing your passwords may not mitigate all the damage from malware or a successful phishing expedition. Still, it can keep future attackers or scammers from accessing your accounts or impersonating you further. Use a different device from the affected one to change your account password.

It’s also a good idea to keep the antivirus updated on your device and pay attention to the links you’re clicking to prevent damage in the future.

When Someone Attempts to Access Your Account

Nothing gets the heart pumping like a late-night SMS unauthorized-account-access alert! After you log in to your account to make sure no one has stolen anything or made changes, update your password. Take another 15 seconds to turn on multi-factor authentication for the account, too.

When Another Account Gets Hacked

If you’re using the same email and password combination for your online accounts (please don’t!), assume that when one gets hacked, they’re all vulnerable. Change the passwords for all accounts possessing the same credential combinations, and generate unique passwords for every site. Even if an account isn’t hacked, if you realize you have the same password for more than one account, change one—or better, both.

After Sharing a Password

Many password managers, particularly those marketed to businesses, allow easy credential sharing between contacts. Many password managers allow you to specify how long you want to share the credential, but others require you to turn off sharing manually. Remember to withdraw access after the coworker, family member, or friend uses the password. If you’re worried about the account’s security after sharing the credential with someone, change the password.

Originally published at https://www.pcmag.com.