Never change your password ? Not sure I would agree to Glenn

I am referring to this article from Glenn, it is a good topic to have a heathy debate.

My personal view is that changing the password regularly has overall benefits and I cannot see any harm in doing so, provided that one is using a good system or password manager to manage it.

1 Like

Disagree. If you have a secure, unique password, there’s no point in changing it, and it’s a waste of time.

Unless you can offer something more concrete than “overall benefits” I’d say that’s a pretty weak argument, and “Well, there’s no harm…” isn’t much stronger. There’s no harm in singing the national anthem every time you go to the bathroom, but I won’t be doing that either :slight_smile:

If nothing else, it takes time and attention away from other things you could be doing, or simply idly enjoying life rather than doing something that doesn’t need to be done.

Now I’ll be going back to sorting my ice cubes by density.



Which benefits?

(I can’t think of any)

I agree 100% with TJ. The only sane reason to changing a sufficiently-secure, unique password is to deal with a compromise, or if you believe that a given system is both sufficiently insecure and sufficiently important to you that you feel the need to make your password a “moving target”.

1Password will alert you to reported compromises. And ideally if a critical provider like your bank requires that you use a horribly-insecure password, you’d find a different bank. :slight_smile:

I knew a guy back in the day who used KeePassX (similar to 1Password for those who aren’t familiar) and bragged about how he manually changed a couple hundred passwords every month.

I have no idea why somebody would do that. Figure out how secure you can make your password, do that, and then leave it alone. There are so many better ways to spend your time.

TJ, ever consider getting a 3D scanner and a scale so that you can create a shortcut to automatically calculate the density of each cube? It makes sorting those ice cubes so much easier. :smiley:


I take the assumption if my password is hacked (especially one day quantum computing is feasible at commercial level) then I can change and increase the strength of my password

how many times in history that we were only told about the breaches many weeks or even months after the incidents

1 Like

not related to changing password debate , at least this incident was made known very quickly

the latest incident regarding Nvidia, 71000 employees creditantials were leaked

I do not think this is a good anology as the benefit versus effort equation is very different

1 Like

Except they weren’t. Hashes were leaked, which isn’t at all the same thing. A sufficiently-strong password stored someplace like 1Password will be largely immune to a hash attack, unless they want to throw the proverbial “kitchen sink” at your password. And that would be ONE password, not 71,000.

This is really the core of the discussion.

There are three primary ways for a hacker to compromise your password.

The first is for the password to be stored in cleartext somewhere. Banks, credit card companies, etc. aren’t doing that.

The second is for them to run brute-forcing against a hashset. Brute-forcing yields COMMON passwords in real-time, not 50-character 1Password passwords that use uppercase/lowercase letters, numbers, and symbols.

The third is for them to hack the code of the site / organization such that they capture passwords as they’re being entered.

In the first “cleartext” scenario, the breach is inevitable, and will be limited to one site as long as you’re using unique passwords. Employees at the site can already steal your freshly-changed password whenever they feel like it.

In the second scenario, the likelihood of your password being compromised is pretty much zero. Nobody is putting in that much effort for your password, and again - that’s all that effort for YOUR password. Not for a list of 70,000 passwords.

In the third scenario, your password is compromised as soon as it’s changed, no matter how often you change it.

In light of the above considerations, I don’t see that this is even relevant. If hackers got your password, and it was a huge 1Password randomized monstrosity, that means that you’re dealing with scenario #1 or #3. In other words, either they’re using cleartext or their whole codebase is compromised. In either case, you shouldn’t use that company for anything that requires true security.

Changing your password on a regular basis really yields no significant benefit.


I suspect a great deal of breaches are due to passwords being guessed, not hacked. If not that, then using easily guessed or googled information as an answer to a security question. As I recall that’s how one famous heiress’s private bits ended up on the 'net.

Neither should happen to a MPU that uses long complex passwords. :wink:


Or phished.   


I don’t think it’s a bad thing to change certain passwords once in a while, even if you haven’t gotten notice of a hack. That said, I currently have 1,279 items in 1Password. I will not be changing all of those on the regular.

I am angry at my university for making me change it once every couple of months when my bank and my Government of Canada ID doesn’t require anything close to that…


Or reused. If passwords on one site get compromised then hackers are going to try them everywhere else they can.

1 Like

Or you could just use the strongest possible password supported by a given site to start with and save yourself the effort.

Nothing about your password generation is going to change enough to warrant regular changes. The real security is all handled server-side.

The only change that really makes sense cryptographically is if a site suddenly does something like switch from 8 characters maximum to supporting a much longer password. In that case, sure - generate a better password and call it good. :slight_smile:

Whether or not you should change your password regularly depends on how that password is used, what it’s being used to secure, what sorts of devices/systems it’s entered or used on, and how many entities apart from yourself handle or process it. There is no simple answer.


Not only do I have a few password which have to be changed every 90 days or so, but their system doesn’t even let me use a good, long, random 1Password password. They have a fairly short length allowed (why?!) and only allow a specific set of ‘special’ characters (WHY?).


If I have a secure password generated by the likes of 1Password and then I have 2FA for it, I normally don’t ever change those.

Just make sure you have 2FA and your mind will be at ease.

I don’t know what university you’re at but if it’s in Canada, there’s a good chance that I know the person who’s heading up information security there :slight_smile:

Every couple of months seems excessive. On the the other hand, I regularly get dumps of decrypted hashes of compromised accounts and the number of people who use (and reuse) really, really bad passwords is astounding (but not surprising). You’re almost certainly not a problem with respect to passwords, but in any given room at work, the ten people who are closest to you probably are :laughing:


More than likely it’s an interface to a mainframe backend. IBM’s RACF only allowed for 8 character passwords back in 2012. Doubt that it’s changed.

My access to the company’s retirement benefits site requires changing every 45 days. I only access it once or twice a year so it’s no big deal.

Why do we not want to do it? I’m not talking about all websites, but ones that are important, could be changed I guess. Sometime even good websites have been breached and they do recommend changing passwords right? I remember Dropbox was breached a few years ago. Recently Robinhood too. Even with unique password per site and 2FA (some websites use phone 2fa :expressionless: ), better to change it.

Sometimes websites don’t even know they were breached until a few weeks later lol. Also, some big tech companies were storing our password in plan text.