Never change your password? Not sure I would agree with Glenn

I am referring to this article from Glenn; it is a good topic to have a healthy debate about.

My personal view is that changing the password regularly has overall benefits and I cannot see any harm in doing so, provided that one is using a good system or password manager to manage it.

1 Like

Disagree. If you have a secure, unique password, there’s no point in changing it, and it’s a waste of time.

Unless you can offer something more concrete than “overall benefits” I’d say that’s a pretty weak argument, and “Well, there’s no harm…” isn’t much stronger. There’s no harm in singing the national anthem every time you go to the bathroom, but I won’t be doing that either :slight_smile:

If nothing else, it takes time and attention away from other things you could be doing, or simply idly enjoying life rather than doing something that doesn’t need to be done.

Now I’ll be going back to sorting my ice cubes by density.

:wink:

13 Likes

Which benefits?

(I can’t think of any)

I agree 100% with TJ. The only sane reason to change a sufficiently-secure, unique password is to deal with a compromise, or if you believe that a given system is both sufficiently insecure and sufficiently important to you that you feel the need to make your password a “moving target”.

1Password will alert you to reported compromises. And ideally if a critical provider like your bank requires that you use a horribly-insecure password, you’d find a different bank. :slight_smile:

I knew a guy back in the day who used KeePassX (similar to 1Password for those who aren’t familiar) and bragged about how he manually changed a couple hundred passwords every month.

I have no idea why somebody would do that. Figure out how secure you can make your password, do that, and then leave it alone. There are so many better ways to spend your time.

TJ, ever consider getting a 3D scanner and a scale so that you can create a shortcut to automatically calculate the density of each cube? It makes sorting those ice cubes so much easier. :smiley:

3 Likes

I take the assumption that if my password is hacked (especially once quantum computing is feasible at a commercial level), then I can change and increase the strength of my password.

How many times in history were we only told about breaches many weeks or even months after the incidents?

1 Like

Not related to the changing-password debate, but at least this incident was made known very quickly.

The latest incident regarding Nvidia: 71,000 employees' credentials were leaked.

I do not think this is a good analogy, as the benefit versus effort equation is very different.

1 Like

Except they weren’t. Hashes were leaked, which isn’t at all the same thing. A sufficiently-strong password stored someplace like 1Password will be largely immune to a hash attack, unless they want to throw the proverbial “kitchen sink” at your password. And that would be ONE password, not 71,000.

This is really the core of the discussion.

There are three primary ways for a hacker to compromise your password.

The first is for the password to be stored in cleartext somewhere. Banks, credit card companies, etc. aren’t doing that.

The second is for them to run brute-forcing against a hashset. Brute-forcing yields COMMON passwords in real-time, not 50-character 1Password passwords that use uppercase/lowercase letters, numbers, and symbols.

The third is for them to hack the code of the site / organization such that they capture passwords as they’re being entered.

In the first “cleartext” scenario, the breach is inevitable, and will be limited to one site as long as you’re using unique passwords. Employees at the site can already steal your freshly-changed password whenever they feel like it.

In the second scenario, the likelihood of your password being compromised is pretty much zero. Nobody is putting in that much effort for your password, and again - that’s all that effort for YOUR password. Not for a list of 70,000 passwords.

In the third scenario, your password is compromised as soon as it’s changed, no matter how often you change it.

In light of the above considerations, I don’t see that this is even relevant. If hackers got your password, and it was a huge 1Password randomized monstrosity, that means that you’re dealing with scenario #1 or #3. In other words, either they’re using cleartext or their whole codebase is compromised. In either case, you shouldn’t use that company for anything that requires true security.

Changing your password on a regular basis really yields no significant benefit.

4 Likes
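The post above argues that a leaked hash set only yields common passwords under brute force, not a long random manager-generated one. The following is an added example that is not part of the thread or of any 1Password code: it builds a constructed, unsalted SHA-256 "breach dump" for four hypothetical users, runs a small dictionary attack against it, and estimates how long exhausting the search space of an 8-character lowercase password versus a 50-character random one would take at an assumed guess rate of 10^10 SHA-256 hashes per second (a rough GPU figure, an assumption rather than a measurement). All user names, wordlist entries and rates are constructed for the example.

```python
import hashlib
import math
import secrets
import string

# Constructed wordlist standing in for the top entries of a real cracking
# dictionary. Real dictionaries are millions of entries; the mechanism is the same.
COMMON_WORDLIST = ["123456", "password", "qwerty", "letmein", "Summer2022!", "iloveyou"]

# Character set a password manager typically draws from: 26 + 26 + 10 + 32 = 94 symbols.
MANAGER_ALPHABET = string.ascii_letters + string.digits + string.punctuation

SECONDS_PER_YEAR = 3600 * 24 * 365


def sha256_hex(password: str) -> str:
    """Unsalted SHA-256, the weakest realistic way a site might store passwords.

    A salted slow hash (bcrypt, scrypt, Argon2) lowers the attacker's guess rate
    by orders of magnitude but does not change which passwords fall first.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_leaked_dump() -> tuple[dict[str, str], str]:
    """Build a constructed breach dump: user -> hash. Three users chose common
    passwords; 'dave' uses a 50-character random password of the kind a manager
    generates. Returns the dump and dave's plaintext so a test can check it
    stays uncracked."""
    strong = "".join(secrets.choice(MANAGER_ALPHABET) for _ in range(50))
    plaintexts = {
        "alice": "password",
        "bob": "Summer2022!",
        "carol": "qwerty",
        "dave": strong,
    }
    return {user: sha256_hex(pw) for user, pw in plaintexts.items()}, strong


def crack(dump: dict[str, str], wordlist: list[str]) -> dict[str, str]:
    """Dictionary attack against a whole hash set at once.

    Each candidate is hashed exactly once and looked up against every leaked
    hash, which is why a dump of 71,000 unsalted hashes costs the attacker no
    more work than a dump of one: the per-candidate cost is shared.
    """
    lookup = {sha256_hex(candidate): candidate for candidate in wordlist}
    return {user: lookup[h] for user, h in dump.items() if h in lookup}


def entropy_bits(length: int, alphabet_size: int) -> float:
    """log2 of the number of equally likely passwords of the given length."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every password in a space of 2**bits candidates."""
    return (2 ** bits) / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    dump, _ = make_leaked_dump()
    print("cracked:", crack(dump, COMMON_WORDLIST))  # alice, bob, carol; never dave
    rate = 1e10  # assumed GPU SHA-256 rate, guesses per second
    print("8 lowercase chars:", years_to_exhaust(entropy_bits(8, 26), rate), "years")
    print("50 random chars: ", years_to_exhaust(entropy_bits(50, 94), rate), "years")
```

The dictionary attack recovers the three common passwords instantly; dave's password never appears in any wordlist, and exhausting its 327-bit space at the assumed rate takes on the order of 10^81 years, while an 8-character lowercase password falls in under a minute. That is the asymmetry the post describes: the hash dump is a problem for the weak passwords in it, not for a unique random one.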

I suspect a great deal of breaches are due to passwords being guessed, not hacked. If not that, then using easily guessed or googled information as an answer to a security question. As I recall that’s how one famous heiress’s private bits ended up on the 'net.

Neither should happen to a MPU that uses long complex passwords. :wink:

2 Likes

Or phished.

2 Likes

I don’t think it’s a bad thing to change certain passwords once in a while, even if you haven’t gotten notice of a hack. That said, I currently have 1,279 items in 1Password. I will not be changing all of those on the regular.

I am angry at my university for making me change it once every couple of months when my bank and my Government of Canada ID don’t require anything close to that…

4 Likes

Or reused. If passwords on one site get compromised then hackers are going to try them everywhere else they can.

1 Like

Or you could just use the strongest possible password supported by a given site to start with and save yourself the effort.

Nothing about your password generation is going to change enough to warrant regular changes. The real security is all handled server-side.

The only change that really makes sense cryptographically is if a site suddenly does something like switch from 8 characters maximum to supporting a much longer password. In that case, sure - generate a better password and call it good. :slight_smile:

Whether or not you should change your password regularly depends on how that password is used, what it’s being used to secure, what sorts of devices/systems it’s entered or used on, and how many entities apart from yourself handle or process it. There is no simple answer.

3 Likes
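The post above says to generate the strongest password a site allows and regenerate only when the site's limits improve (for example, moving from an 8-character maximum to a much longer one). As an added example, not code from the thread or from any password manager, here is a small policy-aware generator: `SitePolicy` is a hypothetical model of a site's rules (maximum length and the subset of special characters it accepts), `generate_password` draws from the permitted alphabet with `secrets`, and `should_regenerate` compares the search space of an old policy against a new one. The policy values are constructed.

```python
import math
import secrets
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class SitePolicy:
    """Constructed model of a site's password rules (hypothetical structure)."""
    max_length: int
    allowed_specials: str = string.punctuation  # many sites accept only a subset

    @property
    def alphabet(self) -> str:
        return string.ascii_letters + string.digits + self.allowed_specials

    def search_space_bits(self) -> float:
        """log2 of the number of distinct passwords of the maximum allowed length."""
        return self.max_length * math.log2(len(self.alphabet))


def generate_password(policy: SitePolicy) -> str:
    """Uniformly random password of the policy's maximum length.

    Rejects candidates that miss a character class, since many sites require one
    of each; with max_length >= 4 the loop terminates after a few tries.
    """
    classes = [c for c in (string.ascii_lowercase, string.ascii_uppercase,
                           string.digits, policy.allowed_specials) if c]
    if policy.max_length < len(classes):
        raise ValueError("max_length too short to hold one character of each class")
    while True:
        candidate = "".join(secrets.choice(policy.alphabet) for _ in range(policy.max_length))
        if all(any(ch in cls for ch in candidate) for cls in classes):
            return candidate


def fits_policy(password: str, policy: SitePolicy) -> bool:
    """True if the password is within the length limit and uses only permitted characters."""
    return len(password) <= policy.max_length and all(ch in policy.alphabet for ch in password)


def should_regenerate(old: SitePolicy, new: SitePolicy) -> bool:
    """Regenerate only when the new rules permit a strictly larger search space."""
    return new.search_space_bits() > old.search_space_bits()


if __name__ == "__main__":
    legacy = SitePolicy(max_length=8, allowed_specials="!@#$")   # constructed, mainframe-style limit
    modern = SitePolicy(max_length=64)                           # constructed, relaxed limit
    pw = generate_password(legacy)
    print(pw, fits_policy(pw, legacy), round(legacy.search_space_bits(), 1), "bits")
    print("regenerate after the site relaxes its rules:", should_regenerate(legacy, modern))
```

An 8-character password over the 66-symbol legacy alphabet is a 48-bit search space, which is within reach of offline cracking; the same site allowing 64 characters gives roughly 420 bits. The comparison is what justifies a one-time regeneration when limits change, and nothing in the generator's output changes between runs that would justify changing on a schedule.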

Not only do I have a few passwords which have to be changed every 90 days or so, but their system doesn’t even let me use a good, long, random 1Password password. They have a fairly short length allowed (why?!) and only allow a specific set of ‘special’ characters (WHY?).

3 Likes

If I have a secure password generated by the likes of 1Password and then I have 2FA for it, I normally don’t ever change those.

Just make sure you have 2FA and your mind will be at ease.

I don’t know what university you’re at but if it’s in Canada, there’s a good chance that I know the person who’s heading up information security there :slight_smile:

Every couple of months seems excessive. On the other hand, I regularly get dumps of decrypted hashes of compromised accounts and the number of people who use (and reuse) really, really bad passwords is astounding (but not surprising). You’re almost certainly not a problem with respect to passwords, but in any given room at work, the ten people who are closest to you probably are :laughing:

3 Likes

More than likely it’s an interface to a mainframe backend. IBM’s RACF only allowed for 8 character passwords back in 2012. Doubt that it’s changed.

My access to the company’s retirement benefits site requires changing every 45 days. I only access it once or twice a year so it’s no big deal.

Why do we not want to do it? I’m not talking about all websites, but ones that are important could be changed, I guess. Sometimes even good websites have been breached, and they do recommend changing passwords, right? I remember Dropbox was breached a few years ago. Recently Robinhood too. Even with a unique password per site and 2FA (some websites use phone 2FA :expressionless: ), better to change it.

Sometimes websites don’t even know they were breached until a few weeks later lol. Also, some big tech companies were storing our passwords in plain text.