For years, conventional wisdom — and many corporate IT policies — told us to change our passwords every 30, 60, or 90 days.
The idea was simple: if you rotate passwords often, an attacker has less time to use stolen credentials.
But times have changed, and so has the advice from leading cybersecurity bodies.
Both the Center for Internet Security (CIS) and the Australian Cyber Security Centre (ACSC) now recommend not forcing regular password changes — unless there is a specific reason to believe a password has been compromised.
Here’s why the guidance has shifted.
Frequent Changes Often Make Passwords Weaker
When people know they’ll have to change their password soon, they tend to take shortcuts:
- Making small, predictable tweaks (e.g., Password1→Password2).
- Recycling old passwords.
- Choosing shorter or simpler passwords to remember them easily.
These patterns make passwords easier for attackers to guess or crack.
Password Fatigue is a Real Problem
Constant password updates can frustrate users.
That frustration often leads to unsafe practices:
- Writing passwords down on sticky notes.
- Storing them in unsecured documents.
- Reusing the same password across different systems.
Instead of improving security, these habits actually make breaches more likely.
The Focus Has Shifted to Strong Passwords + MFA
Modern best practice is to:
- Use strong, unique passwords (or better yet, long passphrases).
- Store them in a secure password manager.
- Enable Multi-Factor Authentication (MFA) wherever possible.
Changing passwords should only happen:
- If there’s evidence of compromise.
- If the password has been exposed in a breach.
- If it’s been shared with someone who shouldn’t have access.
Today’s Attack Patterns Have Changed
Most password compromises today come from:
- Credential stuffing — attackers using credentials stolen from other sites.
- Phishing — tricking users into handing over credentials.
- Malware — logging keystrokes or stealing browser-stored passwords.
Routine password changes do little to defend against these attacks.
Instead, better security comes from monitoring for leaked credentials and having a rapid response process for suspected breaches.
Official Guidance
CIS Controls v8:
“Do not require password changes unless there is evidence of compromise. Frequent password changes can lead to predictable password patterns that reduce security.”
ACSC Essential Eight:
“Passwords should only be changed when there is a suspected or confirmed compromise, not on a fixed schedule.”
The Bottom Line
Both the CIS (CIS Controls v8) and the ACSC (Essential Eight) agree:
Only change passwords when there is a suspected or confirmed compromise.
That means stronger passwords, MFA, and good credential hygiene beat regular rotations every time.
Need help improving your organisation’s password policies?
White Rook Cyber can help you implement best practice authentication, MFA, and breach monitoring to keep your business secure without the hassle of unnecessary password changes.
