If you’ve ever watched your team update their password to Winter2026! (and then Spring2026! 90 days later), you already know the problem: forced password changes create predictable behavior.
The reality is simpler — and a lot more effective.
Modern guidance says you shouldn’t require routine password changes unless there’s a reason to believe the password is compromised.
So what should you do instead? Let’s break it down in plain language.
How often should you change passwords?
Most of the time: you shouldn’t change them on a schedule.
For years, the default advice was “change your password every 60–90 days.” But that guidance has shifted. The FTC has pointed out that frequent forced changes often lead people to pick weaker passwords and make predictable edits that attackers can guess — so unless there’s reason to believe a password was compromised or shared, routine password changes can do more harm than good. Federal policy has moved the same direction: the White House’s OMB zero trust memo states that password policies must not require “regular rotation,” and CISA’s cloud security baselines reflect that by recommending user passwords not expire by default.
Bottom line: It’s not “how often” — it’s “why.”
When you should change a password immediately
You do want fast, decisive changes when there’s risk. Here are the triggers we recommend:
1) A breach or compromise is suspected (or confirmed).
If a service tells you your account data was exposed — or your identity provider flags suspicious sign-ins — change the password right away. NIST calls for forced changes when there’s evidence the authenticator is compromised.
2) The password was reused anywhere else.
Re-use is what turns “one breach” into “multiple account takeovers.” Microsoft’s guidance is direct: keep passwords unique and don’t reuse work passwords elsewhere.
3) A user clicked a phishing link and entered credentials.
Even if MFA stopped the login, assume the password is burned. Rotate it, revoke the account’s active sessions and refresh tokens, review sign-in logs for attempts from unfamiliar addresses or devices, and tighten phishing-resistant protections (more on that below).
4) Shared credentials or employee transitions.
If a password was shared (or could have been), treat it like it’s compromised, and rotate it whenever someone who knew it leaves or changes roles. This comes up constantly with vendor portals, old “admin” accounts, and legacy processes.
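What the sign-in review after a phishing click looks like in practice, as an added example that is not from the original post or from any identity provider’s tooling. The sign-in records and their field names (ts, user, ip, ua, result) are constructed for illustration; map them from whatever your IdP exports. The logic builds a baseline of the IP/client pairs the user successfully used before the click, flags every post-click attempt (failed MFA included, since a failed second factor from a new address still tells you the password is in someone else’s hands) from outside that baseline, then pivots on the flagged source addresses to find other accounts the same infrastructure touched.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample sign-in events (not real logs). The phishing click for
# j.doe happened at 2026-03-04T17:30:00Z; the 17:42 event is the user's own
# legitimate session from their usual machine.
SIGNINS = [
    {"ts": "2026-03-02T08:15:00Z", "user": "j.doe",   "ip": "203.0.113.10",  "ua": "Windows/Edge",  "result": "success"},
    {"ts": "2026-03-03T08:20:00Z", "user": "j.doe",   "ip": "203.0.113.10",  "ua": "Windows/Edge",  "result": "success"},
    {"ts": "2026-03-04T17:42:00Z", "user": "j.doe",   "ip": "203.0.113.10",  "ua": "Windows/Edge",  "result": "success"},
    {"ts": "2026-03-04T17:55:00Z", "user": "j.doe",   "ip": "198.51.100.77", "ua": "Linux/Firefox", "result": "mfa_failed"},
    {"ts": "2026-03-04T18:03:00Z", "user": "j.doe",   "ip": "198.51.100.77", "ua": "Linux/Firefox", "result": "mfa_failed"},
    {"ts": "2026-03-05T09:00:00Z", "user": "j.doe",   "ip": "203.0.113.10",  "ua": "Windows/Edge",  "result": "success"},
    {"ts": "2026-03-05T09:05:00Z", "user": "a.smith", "ip": "198.51.100.77", "ua": "Linux/Firefox", "result": "success"},
]


def parse_ts(s: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in the constructed events."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def triage_after_phish(events, user, click_ts, baseline_days=30):
    """Return post-click sign-in attempts for `user` from an (ip, client) pair
    never seen in a successful sign-in during the baseline window before the click."""
    click = parse_ts(click_ts)
    baseline_start = click - timedelta(days=baseline_days)

    known = set()
    for e in events:
        t = parse_ts(e["ts"])
        if e["user"] == user and baseline_start <= t < click and e["result"] == "success":
            known.add((e["ip"], e["ua"]))

    flagged = []
    for e in events:
        if e["user"] != user or parse_ts(e["ts"]) < click:
            continue
        if (e["ip"], e["ua"]) not in known:   # failed MFA counts: the password was used
            flagged.append(e)
    return flagged


def pivot_on_sources(events, flagged, click_ts, exclude_user):
    """Other accounts with any post-click sign-in from the flagged source IPs."""
    click = parse_ts(click_ts)
    attacker_ips = {e["ip"] for e in flagged}
    return sorted({
        e["user"] for e in events
        if e["ip"] in attacker_ips and e["user"] != exclude_user and parse_ts(e["ts"]) >= click
    })


if __name__ == "__main__":
    hits = triage_after_phish(SIGNINS, "j.doe", "2026-03-04T17:30:00Z")
    for h in hits:
        print("review:", h["ts"], h["ip"], h["ua"], h["result"])
    print("also check:", pivot_on_sources(SIGNINS, hits, "2026-03-04T17:30:00Z", "j.doe"))
```

The baseline filter is what keeps this from being noise: the user’s own post-click session from their usual machine is not flagged, while both attempts from the new address are, even though MFA blocked them. The pivot step is the part most teams skip; here it turns up a second account (a.smith) that signed in successfully from the same address and needs its own review.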
What to do instead of forced password rotation
If you want fewer breaches and fewer fire drills, focus on controls that actually reduce account takeover.
Use long passwords (or passphrases)
Length beats complexity games.
- NIST’s current guidance sets minimum length at 15 characters for passwords used as a single factor, and specifically says not to impose arbitrary “must include symbols/uppercase” composition rules.
- CISA’s public guidance pushes the same direction: long, random, and unique, and highlights passphrases made of unrelated words as a practical option.
- Microsoft recommends a longer minimum (they cite 14 characters as a practical baseline) and explains why frequent change requirements backfire in real human behavior.
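Why length beats complexity, in numbers. This is an added example, not from the original post or any of the guidance it cites. A secret drawn uniformly at random has entropy equal to its length times log2 of the alphabet size; a human pattern like Winter2026! has only as many possibilities as the pattern allows, whatever its character count. The word list below is a constructed stub; the 7,776 figure is the size of the EFF long diceware word list, and 94 is the number of printable ASCII characters.

```python
import math
import secrets

# Constructed stub word list for the generator; a real list such as the
# EFF long list has 7,776 entries (about 12.9 bits per word).
SAMPLE_WORDS = ["glacier", "trombone", "velvet", "harbor", "kettle",
                "ninety", "lantern", "pumice", "saddle", "walnut"]
EFF_LONG_LIST_SIZE = 7776
PRINTABLE_ASCII = 94   # the alphabet an "upper, lower, digit, symbol" rule draws from


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy in `length` symbols chosen uniformly from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def template_entropy_bits(choices_per_slot) -> float:
    """Bits of entropy in a human template such as <Season><Year><Symbol>:
    what matters is how many passwords the template can produce."""
    total = 1
    for n in choices_per_slot:
        total *= n
    return math.log2(total)


def generate_passphrase(wordlist, n_words=6, sep="-") -> str:
    """Random words joined by `sep`, using the CSPRNG behind `secrets`."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def compare() -> dict:
    """Entropy of the opening example's pattern versus random alternatives."""
    return {
        "Winter2026! pattern (4 seasons x 10 years x 10 symbols)": template_entropy_bits([4, 10, 10]),
        "8 random printable ASCII chars": entropy_bits(PRINTABLE_ASCII, 8),
        "15 random lowercase letters": entropy_bits(26, 15),
        "6 random words from a 7,776-word list": entropy_bits(EFF_LONG_LIST_SIZE, 6),
    }


if __name__ == "__main__":
    for label, bits in compare().items():
        print(f"{bits:6.1f} bits  {label}")
    print("example passphrase:", generate_passphrase(SAMPLE_WORDS))
```

The comparison is the point: the seasonal pattern is under 9 bits, an 8-character “complex” password is about 52, and six random words from a diceware list is about 78, which is why both NIST and CISA push length and randomness over symbol rules. Use a real word list in production; the stub here is only large enough to show the mechanics.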
Use a password manager
If you want unique passwords everywhere, you need a tool that makes it easy.
CISA explicitly recommends using a password manager so you only have to remember one strong password (the vault) while the manager generates and stores the rest.
Turn on MFA — and prioritize phishing-resistant MFA
Any MFA is better than passwords alone, but not all MFA is equal.
Federal guidance is increasingly clear that you should move toward phishing-resistant authentication (methods designed to prevent credential theft even when users get tricked). That guidance calls out FIDO2/WebAuthn as the modern option and strongly encourages passwordless approaches where possible. SMS and voice codes, and plain push approvals, can be relayed or fatigued in real time by an attacker sitting between the user and the login page, so those are the factors to migrate first for admins and high-risk apps.
Adopt passkeys where your apps support them
Passkeys are becoming the cleanest path away from password-driven risk.
The FIDO Alliance describes passkeys as phishing-resistant by design — there’s no password to steal, and they’re built to reduce phishing and credential stuffing attacks.
Block weak and breached passwords
This is a big one — and it’s often missed.
NIST explicitly requires screening new and changed passwords against a blocklist of commonly used, expected, or compromised values and rejecting any match. Run the check at creation and at every change, and refresh the list as new breach data is published; a password that was fine when it was set can become a known-breached value later.
A practical password policy we recommend for most SMBs
If you want something you can actually implement without turning your help desk into a reset factory, this is a strong baseline:
- No routine password expiration for standard users (rotate on compromise).
- Long passwords/passphrases and no “complexity theater.”
- Password manager for the whole team.
- MFA everywhere, with a plan to move high-risk apps and admins to phishing-resistant MFA.
- Breached-password screening and smart lockout/rate limiting.
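The blocklist screening and the baseline policy above, as one added example; it is not from the original post and not any vendor’s implementation. It enforces NIST-style length floors with no composition rules, normalizes Unicode before counting characters, checks a local blocklist, and then does a breached-password check with the k-anonymity range protocol: only the first five hex characters of the SHA-1 leave the server, and the suffix is compared locally. Have I Been Pwned’s Pwned Passwords range API returns data in this “SUFFIX:COUNT” format; the range data here is a constructed offline stand-in, and the blocklist, the limiter thresholds, and the “leaked” passwords are assumptions. A sliding-window lockout per account/source pair rounds out the policy.

```python
import hashlib
import unicodedata
from collections import defaultdict, deque

MIN_LEN_SINGLE_FACTOR = 15   # NIST SP 800-63B floor when the password is the only factor
MIN_LEN_WITH_MFA = 8         # NIST SP 800-63B floor when another factor is required
MAX_LEN = 128                # NIST says accept at least 64; cap only to bound hashing cost

# Constructed stand-in for a real blocklist (compare case-insensitively).
COMMON_BLOCKLIST = {"password", "welcome1", "letmein", "companyname2026"}


def _simulated_range_db(leaked_passwords):
    """Offline stand-in for a k-anonymity range service: maps a 5-hex-char
    SHA-1 prefix to 'SUFFIX:COUNT' lines, the format the real service uses."""
    db = defaultdict(list)
    for i, pw in enumerate(leaked_passwords, start=1):
        h = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
        db[h[:5]].append(f"{h[5:]}:{i * 100}")          # constructed breach counts
    return {prefix: "\r\n".join(lines) for prefix, lines in db.items()}


SIMULATED_RANGES = _simulated_range_db(["Winter2026!", "Spring2026!", "Summer2026!"])


def simulated_range_lookup(prefix: str) -> str:
    """Replace with GET https://api.pwnedpasswords.com/range/<prefix> in production."""
    return SIMULATED_RANGES.get(prefix, "")


def breach_count(password: str, range_lookup=simulated_range_lookup) -> int:
    """k-anonymity check: send the 5-char prefix, match the 35-char suffix locally."""
    h = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = h[:5], h[5:]
    for line in range_lookup(prefix).splitlines():
        s, _, count = line.partition(":")
        if s == suffix:
            return int(count)
    return 0


def check_password(candidate: str, uses_mfa: bool = False,
                   range_lookup=simulated_range_lookup):
    """Return (ok, reason). Length and blocklists only; no composition rules."""
    pw = unicodedata.normalize("NFKC", candidate)      # NIST: normalize Unicode
    min_len = MIN_LEN_WITH_MFA if uses_mfa else MIN_LEN_SINGLE_FACTOR
    if len(pw) < min_len:                               # code points, not bytes
        return False, f"shorter than {min_len} characters"
    if len(pw) > MAX_LEN:
        return False, f"longer than {MAX_LEN} characters"
    if pw.lower() in COMMON_BLOCKLIST:
        return False, "on the common-password blocklist"
    n = breach_count(pw, range_lookup)
    if n:
        return False, f"seen in {n} breaches"
    return True, "ok"


class FailedAttemptLimiter:
    """Sliding-window lockout keyed by (account, source IP); thresholds are assumptions."""

    def __init__(self, max_failures=10, window_seconds=900):
        self.max_failures = max_failures
        self.window = window_seconds
        self._fails = defaultdict(deque)

    def record_failure(self, key, now: float) -> None:
        self._fails[key].append(now)

    def allowed(self, key, now: float) -> bool:
        q = self._fails[key]
        while q and q[0] <= now - self.window:          # drop failures outside the window
            q.popleft()
        return len(q) < self.max_failures


if __name__ == "__main__":
    for pw, mfa in [("Winter2026!", False), ("Winter2026!", True),
                    ("welcome1", True), ("glacier-trombone-velvet-harbor", False)]:
        print(f"{pw!r:40} mfa={mfa!s:5} ->", check_password(pw, uses_mfa=mfa))
```

Two design points worth keeping: the breach check never sends the password or its full hash anywhere, only a prefix that matches hundreds of other hashes, and the lockout is keyed on account plus source so one attacker spraying many accounts cannot lock the whole company out. Rerun the breach check periodically or on sign-in, not just at creation, since the blocklist grows after the password was set.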
This approach is simpler for humans — and harder for attackers.
Why the right approach (and partner) matters
We see this all the time: leadership wants “better security,” but the day-to-day experience turns into friction, workarounds, and shadow IT.
Our job is to keep security simple, secure, and scalable — so your team can move faster without taking on unnecessary risk.
And because we’re a SOC 2 Type 2 audited MSP/MSSP, our internal controls and processes are built to stand up to scrutiny — not just good intentions.
What that means for you:
- Clearer risk decisions (not vague “best practices”)
- More defensible security posture for stakeholders, insurers, and customers
- Less disruption from policies that look good on paper but fail in real life
Don’t chase “password change frequency.” Reduce account takeover risk.
If you take one thing from this: stop focusing on password rotation schedules and start focusing on controls that prevent compromise in the first place.
If you want help tightening your password policy, MFA, and identity security without slowing the business down, talk with us. IT should drive you forward. We’ll make sure it does.
