For years, the conventional data security wisdom has been to change all your passwords every three months. Or sometimes you would hear six months. At least once a year, they would tell you.
But is this necessary in every case?
The short answer is: it depends.
If you know or suspect a password has been compromised (examples: a major data breach has happened, or you fell victim to a phishing scheme), log in to the affected site immediately and change your password.
If you have been using a weak password (a single word, or a word-plus-a-number, or “password” or “abc123”), go change that immediately because that type of password is far too easy to crack. You don’t have to change your password to a string of gibberish (like “iu3r54!#hr3uHCE&@Eibi84f87*^CE” or whatever), but do make it long. A long password constructed from random words, such as “vinestumpaxelclownboat,” is more secure than a short one made of uppercase and lowercase letters, digits and special characters, like “hJe4j#x.”
If you’ve been reusing one password for multiple accounts, go ahead and change those. When a database is compromised, cybercriminals will try the hacked email/password combinations at other sites. Example: you’re a member of some online discussion forum you’re not too serious about. If that database gets hacked (or simply downloaded…plenty of websites have been revealed to be keeping member login information in plain text) you can be sure that the people who did it aren’t interested in disrupting discussions about methods for making D.I.Y. tofu (or whatever your hobby is). They’re going to try that email/password at every major credit card, bank, retailer, and social network app. If you’ve reused it anywhere important, nothing good will come of it.
But what if you’re already using a strong password, there hasn’t been a data breach or a hack, and you haven’t fallen victim to phishing or any other tricks? The current advice is to just let that password ride. If it’s impossible for a human to guess and would take a computer script a trillion years to crack, changing it every three or six or twelve months doesn’t really do anything to provide any additional protection.
Of course, you can change any password any time if it helps you feel safer, but make sure to keep them strong, and don’t get into the habit of just changing one digit at the end (changing “vinestumpaxelclownboat1” to “vinestumpaxelclownboat2” for example); this could make your new password guessable if thieves obtained an old database and figured out your pattern.
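To put numbers on the two claims above (the five-word passphrase beating the seven-character “complex” password, and the “bump the last digit” habit being a weak change), here is an added example, not code from the article. It assumes a 95-symbol printable-ASCII charset, a 7776-word Diceware-style wordlist and an offline guessing rate of 10 billion guesses per second; all three are assumptions, not figures from the post.

```python
import math
import re

# Assumed models (not from the article): a 95-symbol printable-ASCII charset
# for short "complex" passwords, a 7776-word Diceware-style list for random-word
# passphrases, and an assumed offline guessing rate of 1e10 guesses per second.
PRINTABLE_ASCII = 95
DICEWARE_WORDS = 7776
GUESSES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def charset_entropy_bits(length, charset_size=PRINTABLE_ASCII):
    """Bits of entropy in `length` symbols drawn uniformly from the charset."""
    return length * math.log2(charset_size)


def passphrase_entropy_bits(word_count, wordlist_size=DICEWARE_WORDS):
    """Bits of entropy in `word_count` words drawn uniformly from a wordlist."""
    return word_count * math.log2(wordlist_size)


def years_to_exhaust(bits, rate=GUESSES_PER_SECOND):
    """Years needed to try every candidate at `rate` guesses per second."""
    return (2 ** bits) / rate / SECONDS_PER_YEAR


def only_trailing_digits_changed(old, new):
    """True when `new` is `old` with only a trailing run of digits altered,
    appended or removed: the "vinestumpaxelclownboat1 -> ...2" pattern that a
    password-change policy should reject."""
    def stem(s):
        return re.sub(r"\d+$", "", s)
    return old != new and stem(old) != "" and stem(old) == stem(new)


if __name__ == "__main__":
    short = charset_entropy_bits(len("hJe4j#x"))   # 7 random printable symbols
    phrase = passphrase_entropy_bits(5)            # vine stump axel clown boat
    for label, bits in (("hJe4j#x", short), ("vinestumpaxelclownboat", phrase)):
        years = years_to_exhaust(bits)
        print(f"{label}: {bits:.1f} bits, ~{years:.3g} years to exhaust")
    print(only_trailing_digits_changed("vinestumpaxelclownboat1",
                                       "vinestumpaxelclownboat2"))
```

Under these assumptions the seven-character password has about 46 bits of entropy and the five-word passphrase about 65, so each extra random word adds roughly 13 bits, or about two extra random printable characters.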