How often should you change your passwords?
Not on a schedule anymore: forced rotation every few months leads to weaker passwords and is outdated advice. Change a password immediately when there is a reason: a breach at the service, a phishing scare, or a shared password that should no longer be shared.
For years the rule was: rotate every ninety days. The result was predictable behavior: Summer2024 became Fall2024, and attackers knew it too. Modern security guidelines, including NIST's, have reversed course: a strong, unique password can stay until there is a reason to change it.
Those reasons are concrete: the service reports a breach, your password shows up in a leak scan, you have reused it elsewhere, or someone you shared it with should no longer have it. Then you change it immediately, for that account, and check whether the same password was in use anywhere else.
A password manager makes this policy effortless: the vault reports in Bitwarden, 1Password, and Dashlane show exactly which passwords are weak, reused, or leaked. You rotate with purpose instead of ritual, and your energy goes to the passwords that actually need it.
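The reasons to change a password listed above can be expressed as a small audit over a vault export. This is an added example, not code from any of the password managers named here; the entry fields (`breach_reported`, `share_revoked`), the sample vault and the leak set are constructed assumptions.

```python
import hashlib
from collections import defaultdict

def sha1_hex(password):
    # SHA-1 is used only as a lookup key into leak data, not for password storage.
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def rotation_plan(vault, leaked_sha1):
    """Map each site that has a concrete reason to change onto its reasons."""
    groups = defaultdict(list)
    for entry in vault:
        # Group entries by password so reuse shows up as a group of size > 1.
        groups[sha1_hex(entry["password"])].append(entry)

    plan = defaultdict(list)
    for digest, entries in groups.items():
        for e in entries:
            if e.get("breach_reported"):
                plan[e["site"]].append("breach reported")
            if e.get("share_revoked"):
                plan[e["site"]].append("share revoked")
            if digest in leaked_sha1:
                plan[e["site"]].append("found in leak data")
            # The "was it in use anywhere else" check: name the sibling accounts.
            others = sorted(o["site"] for o in entries if o is not e)
            if others:
                plan[e["site"]].append("reused on " + ", ".join(others))
    return dict(plan)

# Constructed sample vault (hypothetical field names and sites).
VAULT = [
    {"site": "forum.example", "password": "Summer2024", "breach_reported": True},
    {"site": "mail.example", "password": "Summer2024"},
    {"site": "bank.example", "password": "v7#Lq9!tRz2@pXw4"},
    {"site": "wifi.example", "password": "k2$Hn8&bYd5^mCs1", "share_revoked": True},
    {"site": "shop.example", "password": "Fall2024"},
]
# Constructed leak data: a set of SHA-1 digests of exposed passwords.
LEAKED_SHA1 = {sha1_hex("Fall2024")}

if __name__ == "__main__":
    for site, reasons in rotation_plan(VAULT, LEAKED_SHA1).items():
        print(f"{site}: change now ({'; '.join(reasons)})")
```

The strong, unique `bank.example` entry has no reason attached, so it stays out of the plan and keeps its password.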