Why You Should Still Change Your Password

Bob Young
3 min read · Jun 24, 2020

(If this article is too long for you, but you have a dangerous stalker in your life, please read the section, “your life may depend on this” near the end).

There are lots of cybersecurity writers and speakers advocating the idea that we no longer need to change passwords. Specifically, they’re promoting the idea that password rotation — changing your password on a schedule, like every 30 or 90 days — is pointless. They even say that it weakens security, because people hate it so much that they use weak passwords, or only change the number at the end, and so forth.

Shoulder surfing in a coffee shop. (Photo by Andrew Neel on Unsplash)

“The password is dead!”

The first problem with a blanket statement like “the password is dead” is that there are still many systems that rely solely on the password for security. And there’s a second problem: even with two-factor authentication (2FA), there are a lot of systems using weak 2FA, where the password is still critical. For example, consider a situation where the second factor is a one-time code sent to your email. If you use the same password for your email and your online account, not changing the password leaves you vulnerable. The “extra security” of 2FA is illusory.
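The weak-2FA case described above can be checked mechanically. The following audit is an added example, not code from the article or its author: it takes a constructed set of accounts, compares salted password fingerprints rather than plaintext, and flags any account whose one-time code is delivered to a mailbox that is protected by the same password (so the "second" factor is not independent), as well as accounts with no second factor at all. The account names, passwords and the `second_factor` field layout are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample data (not real credentials). Each account records its
# password and how a second factor is delivered: None (password only),
# ("totp", None) for an authenticator app, or ("email", <account name>)
# when the one-time code goes to a mailbox that is itself one of these accounts.
ACCOUNTS = {
    "mail":  {"password": "Winter2020!", "second_factor": None},
    "bank":  {"password": "Winter2020!", "second_factor": ("email", "mail")},
    "shop":  {"password": "correct horse battery staple", "second_factor": ("email", "mail")},
    "cloud": {"password": "Winter2020!", "second_factor": ("totp", None)},
}


def fingerprint(password: str, salt: bytes) -> bytes:
    """Salted slow hash so the audit compares fingerprints, never plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def audit(accounts: dict, salt: bytes = None) -> dict:
    """Return {account: finding} for accounts whose 2FA adds no independent factor."""
    salt = salt or secrets.token_bytes(16)
    prints = {name: fingerprint(a["password"], salt) for name, a in accounts.items()}
    findings = {}
    for name, acct in accounts.items():
        sf = acct["second_factor"]
        if sf is None:
            findings[name] = "password-only: no second factor"
            continue
        kind, channel = sf
        # An emailed code only helps if the mailbox has a different password.
        if kind == "email" and channel in prints and hmac.compare_digest(prints[name], prints[channel]):
            findings[name] = (
                f"email OTP goes to '{channel}', which shares this account's password: "
                "2FA collapses to a single factor"
            )
    return findings


if __name__ == "__main__":
    for account, finding in audit(ACCOUNTS).items():
        print(f"{account}: {finding}")
```

Accounts that reuse a password but receive codes through an authenticator app (like `cloud` above) are not flagged by this check, because their second factor does not depend on the reused password.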

Here are a few examples of reasons to change your password regularly.

Written by Bob Young

CISO, Director of Information Security, and Security Consultant. Also, I wrote some books that have nothing to do with IT. http://www.amazon.com/author/bobyoung
