The Holiday With Outdated Advice
Every February 1st, Change Your Password Day rolls around with the same message: change all your passwords. Here's the twist, modern security guidance (including NIST) actually says don't rotate passwords on a schedule. Forced periodic changes push people toward weak patterns (Password1, Password2, Password3) and change nothing about the passwords that are actually at risk. So let's keep the useful part of the day, an annual security checkup, and replace the outdated ritual with what genuinely helps.
Why Blanket Password Changes Are Outdated
Changing a strong, unique password that hasn't been breached accomplishes nothing except annoyance, and it nudges you toward memorable (weak) variations. Passwords should change for a reason: a breach, a suspected compromise, or reuse you're fixing, not because a date arrived. What actually protects you is different, so here's the annual checklist worth doing instead.
The Smart Annual Checkup (20 Minutes)
1. Check Your Breach Exposure
Visit haveibeenpwned.com and enter your email. See which breaches you're in. For any breached site, make sure that password is no longer used anywhere, this is the change that matters, targeting actually-exposed passwords rather than all of them (our breach response guide).
2. Fix Reused and Weak Passwords
Your password manager (or browser) can flag reused and weak passwords. Rotate those, the ones at real risk, to unique strong ones (our generator). This is targeted and effective, unlike changing everything. Check strength with our strength tester.
3. Verify 2FA Is On Where It Matters
Confirm two-factor authentication is active on email, banking, social, and anything holding money or identity. New accounts accumulate over a year; catch the ones missing 2FA (our 2FA guide). This does more for your security than any password change.
4. Check Your Backup Codes
Do you still have backup codes for your important accounts, and do you know where they are? Regenerate and re-store any you've lost track of (our storage guide). A year is long enough to have lost or used some.
5. Review Account Access and Sessions
- Revoke old connected apps and OAuth grants you no longer use (our OAuth guide).
- Log out unfamiliar sessions on major accounts.
- Confirm recovery email and phone are current on key accounts (our recovery email guide).
6. Upgrade One Thing
Each year, upgrade one account to something stronger: move a critical account from SMS to app-based 2FA, or from a password to a passkey, or add a hardware key to your email. Incremental, sustainable improvement.
The best version of Change Your Password Day changes almost no passwords. It fixes the breached ones, confirms your 2FA, and upgrades one account. That's a real security improvement, not security theater.
When You SHOULD Change a Password
- It appeared in a breach (haveibeenpwned flags it).
- You reused it somewhere and are fixing that.
- You suspect it was seen, phished, or entered on a fake site.
- It's weak or old-and-guessable and you're upgrading it.
- A shared password after access should end (a breakup, an ex-employee).
Outside these reasons, a strong unique password can happily stay put.
Frequently Asked Questions
Wait, I've always been told to change passwords regularly. That's wrong?
The guidance changed. Research showed forced rotation produces weaker passwords (predictable variations) without security benefit, so NIST and others now recommend changing passwords only when there's a reason. Strong, unique, unbreached passwords should be left alone. It's one of the bigger reversals in mainstream security advice.
So I never change my passwords?
You change them for cause: breaches, reuse, suspected compromise, or upgrades. What you stop doing is the calendar-driven blanket change that leads to Password1 becoming Password2. Targeted changes, not scheduled ones.
What's the highest-impact thing on this checklist?
Confirming 2FA is on everywhere important, and fixing any breached/reused passwords. Those two address the attacks that actually happen (credential stuffing and account takeover). A password manager makes both easy to maintain year-round.
How long should this checkup take?
About 20 minutes if you use a password manager (which surfaces reused/weak passwords instantly) and do it annually. First time may take longer as you clean up accumulated issues; subsequent years are quick maintenance.
Can I automate any of this?
Partly: password managers continuously flag weak, reused, and breached passwords, and breach-notification services email you when new leaks include your data. Set those up once and much of the "checkup" happens passively, leaving the annual review as a quick confirmation rather than an investigation.