How often should passwords on computers be changed?

Changing passwords regularly is a crucial part of cybersecurity practices to protect sensitive information and systems from unauthorized access. Requiring password changes every 90 days strikes a balance between security and user convenience.

This time frame is recommended because it reduces the window of opportunity for attackers who may have acquired a password through various means, such as phishing or brute-force attacks. A 90-day cycle allows users to change their passwords sufficiently often to mitigate risks while giving them a reasonable amount of time to remember and manage new passwords.

More frequent changes, such as monthly, might lead to user fatigue and could result in weaker passwords as users may resort to simpler or easily guessable passwords to cope with the frequency of changes. Conversely, longer intervals like every six months or annually increase the risk of a password being compromised without being updated. Therefore, a 90-day change interval is generally considered optimal for maintaining robust account security.