

How Often Should Passwords Be Changed?



In honor of world "More Than A Password Day," which was recently announced by Nonprofit Cyber, we wanted to dedicate a blog to their mission of encouraging stronger online security for individuals and organizations alike, and that includes answering one of the web's most-asked questions.

Let's get started:

Why Passwords Are Not Secure

Firstly, why are passwords not secure? Why is there so much talk surrounding how, when, and why to change them?

Passwords have three core pitfalls:

  • They can be guessed

  • They can be stolen

  • They can be broken into

One reason for this is that a staggering 62% of professionals use the same password for more than one service; this means that, if one account is hacked, all others are now at significant risk. Other cyber hygiene habits that put passwords at particular risk include, but aren't limited to:

  • People sharing passwords over insecure networks

  • Threat actors having the ability to brute-force or guess "weak" passwords

  • Public Wi-Fi being a common way of hackers gaining access to passwords

  • The prevalence of phishing emails and fake websites that utilize social engineering and other tactics to glean passwords

  • Keylogging software that can steal passwords

The concept of a password was invented in the 90s, and the premise of passwords is simply something complex that we must memorize.

The Dangers of Periodic Password Changes

When it comes to how often passwords should be changed, the answer is typically: "Frequently."

However, that is misleading. As we detail in our blog counterpart, "Periodic Password Changes", the NIST does not suggest frequently changing passwords; instead, they recommend enforcing what's known as a password list.

Also known as a password deny list, banned password list, or password dictionary, such a list contains password values known to be commonly used or compromised. Organizations can use this list to block weak, insecure, and vulnerable passwords and their variants from being used by employees.

The NIST recommends adding all of the below to your organization's banned password list:

  • Dictionary words

  • Repetitive characters (e.g. 999)

  • Sequential characters (e.g. 1234 or abcd)

  • Context-specific words (e.g. username)

  • Passwords from previous breaches

With password lists like Azure AD Password Protection, security teams can create a custom banned password list to block organization-specific weak terms that may lead to a compromise of their networks or systems.
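The five categories above, applied as a screening function at password-set time. This is an added example, not code from Packetlabs, NIST or Azure AD Password Protection; the word lists, substitution table, thresholds and function names are constructed for illustration.

```python
import re

# Constructed sample data (assumptions): a real deployment loads a full
# dictionary and a breach corpus instead of these few entries.
DICTIONARY = {"password", "welcome", "dragon", "summer"}
BREACHED = {"P@ssw0rd!", "qwerty123", "letmein2023"}
# Common character substitutions, undone so variants match the base word.
LEET = str.maketrans("@4301$57", "aaeoisst")
TRAILING = "0123456789!@#$%^&*?._-"


def base_word(pw):
    """Lower-case, drop trailing digits/symbols, undo substitutions."""
    return pw.lower().rstrip(TRAILING).translate(LEET)


def has_sequence(pw, run=4):
    """True if `run` adjacent characters step by +1 or -1 (1234, abcd, dcba)."""
    for i in range(len(pw) - run + 1):
        steps = {ord(pw[j + 1]) - ord(pw[j]) for j in range(i, i + run - 1)}
        if steps in ({1}, {-1}):
            return True
    return False


def screen(pw, context=()):
    """Return the deny-list rules a candidate violates (empty list = accepted)."""
    reasons = []
    if pw in BREACHED:                      # passwords from previous breaches
        reasons.append("breached")
    if base_word(pw) in DICTIONARY:         # dictionary words and their variants
        reasons.append("dictionary")
    if re.search(r"(.)\1\1", pw):           # repetitive characters, e.g. 999
        reasons.append("repetitive")
    if has_sequence(pw.lower()):            # sequential characters, e.g. 1234
        reasons.append("sequential")
    # context-specific words such as the username or organization name
    if any(len(c) >= 3 and c.lower() in pw.lower() for c in context):
        reasons.append("context")
    return reasons
```

Run at the point where a password is created or changed, `screen("Summer2024")` is rejected as a dictionary variant even though it satisfies typical length and character-class rules.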

The Importance of Knowing How Often Passwords Should Be Changed (or Fortified)

World "More Than A Password Day" strives to do more than just raise knowledge about the cyber risk associated with poor password habits; it strives to kickstart action across organizations. Rather than simply asking, "How often should passwords be changed?", cybersecurity firms around the world want to shift the conversation to: "What can my organization do to fortify our passwords?"

With a staggering 80% of data leaks in 2023 alone caused by weak or lost passwords, the need for strong passwords has never been more dire. This is backed by:

  • Only 17% of small businesses globally having cyber insurance, with 48% not purchasing it until after their first cyberattack

  • 62% of SMBs reporting that they store customer data that an attack could compromise

  • The average organization taking 286 days to identify and contain a breach

  • 82% of data breaches containing a human element

  • There being 75x more phishing sites than malware sites in 2023

  • CEOs being targeted 57x a year on average by social engineering threats

  • “Cybersecurity fatigue” impacting a reported 42% of organizations

  • Every 39 seconds, a threat actor targeting a business’s cybersecurity infrastructure 

Nonprofit Cyber has put out their guide, "Protecting Your Accounts and Devices: Common Guidance on Passwords", as part of the first world "More Than A Password Day" rollout. Over 90 organizations from around the globe, including CREST and others that are part of the Nonprofit Cyber alliance, have endorsed this advice.

5 Ways to Strengthen Your Passwords

Lastly, here are the top five ways we here at Packetlabs recommend you fortify your existing password protocols:

  • Use Password-Free Authentication: We advise opting for passwordless authentication, such as passkeys. Passkeys are not only more straightforward to use, but also more secure than traditional passwords

  • Secure Your Email Account: If employees are using password authentication for email accounts, follow the best practices for passwords and enable multi-factor authentication

  • Add an Extra Layer of Security: Employ a hardware security key, authenticator app, or PIN via SMS as a “second factor” in addition to your password

  • Use a Password Manager: A password manager can help you create and store strong passwords for all your online accounts, especially for teams that work remotely

  • Change Passwords in the Wake of a Data Breach: Promptly change passwords if your devices are compromised or an online service you use is hacked. Avoid reusing passwords

When in doubt, we recommend basing your password policies off of the math behind what makes a strong master password.


When it comes to the question of, "How often should passwords be changed?" we're grateful to Nonprofit Cyber for launching #WorldPasswordDay and shining a spotlight on this commonly-misunderstood topic.

However, fortifying passwords is most effectively paired with other cybersecurity efforts. Here at Packetlabs, we execute these via a variety of potential methods:

  • DevSecOps: DevSecOps is integrated early in your development cycle and acts as an extension of your development team to flag vulnerabilities within your existing detected management systems

  • Red Teaming: Red Teaming is a full-scope simulated attack designed to get a holistic review of the level of risk and vulnerabilities across people, processes, and tech in an organization

  • Purple Teaming: Purple Teaming is our collaborative testing exercise where the Packetlabs red team works with your internal security operations team (or blue team) to bridge the gap between offensive techniques and response efforts

  • Cyber Maturity Assessments: A Cyber Maturity Assessment supports the tactical direction of your cybersecurity strategy. As the first step in strengthening your security posture, this assessment generates the roadmap to strengthen your overall security program

  • Compromise Assessments: A Compromise Assessment uncovers past or present threats like zero-day malware, trojans, ransomware, and other anomalies that may go unnoticed in standard automated vulnerability scans

  • OT Assessments: OT Cybersecurity Assessments simulate the likelihood of an attacker reaching the control centre from an external and internal perspective with production-safe testing

  • Ransomware Penetration Testing: A ransomware penetration test evaluates the preparedness and risk of a ransomware attack and identifies gaps in people, processes, and technology, to determine the likelihood and readiness for a ransomware attack

  • Cloud Penetration Testing: Multiple perspectives help with strengthening your security posture. These include Cloud Penetration Testing, which simulates an attacker in the environment, and a Cloud Penetration Review, which provides insights into cloud-specific vulnerabilities originating from an insecure configuration. Each of these services can be conducted separately or, for maximum effectiveness, combined as an enhanced cloud security bundle

  • Objective-based Penetration Testing: Following a preliminary penetration test, objective-based testing conducts a more advanced simulated cybersecurity attack. The test is conducted by persistent ethical hackers who deploy multiphase attacks to gain access to your organization's data so that you can discover gaps and vulnerabilities unique to your organization and test your ability to detect and respond to threat actors

  • Application Security Testing: More targeted in scope than a regular pentest, application security testing uncovers vulnerabilities residing in your web and mobile apps. Application Security Testing actively explores your application from an attacker’s perspective

  • Infrastructure Penetration Testing: An infrastructure penetration testing assessment uncovers vulnerabilities in your IT and network systems and provides a tailored approach to each environment

These are in addition to the Packetlabs Portal, which lets you quickly view findings, prioritize efforts, request retests after remediation, and monitor progress.

Looking to take the next step in strengthening your organization's security posture, or seeking further cybersecurity-related consulting? Reach out to our team today for your free, zero-obligation quote.
