NIST doesn’t recommend password rotation anymore; it’s not really a best practice.
Think about it, an attacker isn’t likely to log into your account with your password; brute-forcing it will take forever with the usual 5-attempt lockout; these hacks usually grab the whole database… So if a company has a policy that “Every X days you must change your password, and it must not match your past Y previous passwords,” the general response to that is to increment some part of it (e.g. “Aligator1” becomes “Aligator2”). This means that they must be storing your past Y passwords somewhere (hopefully correctly encrypted), but with so many similar passwords encrypted with the same method, that’s just created a larger vector for them to attack the encryption algorithm itself.
So, what’s the reasoning for rotating passwords? So that if your account is part of a data breach they won’t be able to access your other accounts? Hopefully, you’ve chosen a strong password, perhaps one you don’t know, accessed through a password manager. Hopefully, these important sites/accounts require 2-factor authentication. Hopefully, you’re using a different password on each of these sites.
Assuming the DB would’ve eventually been breached, by rotating passwords you’ve ultimately done nothing except help researchers crack various crypto algorithms.
Long, randomized and managed by a password manager is the solution.
Change only if compromised or if the current password doesn’t match the previous definition.
If it is extremely important, use (or request) 2FA (don’t forget to back those QR/backup codes up in some way) and prefer app authenticators over SMS-based ones.
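Added example (not from the post above): a password-history check that keeps only per-entry salted PBKDF2 hashes of past passwords, so the stored history gives an attacker no hint that “Aligator1” and “Aligator2” are related, plus a change-time check for exactly that increment pattern, which works because the user supplies both the old and the new plaintext when changing a password. The class, function names and iteration count are constructed for this illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # constructed value; tune to your hardware budget


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 of the password under a per-entry salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class PasswordHistory:
    """Keeps the last `depth` (salt, digest) pairs, never the plaintexts."""

    def __init__(self, depth: int = 5):
        self.depth = depth
        self.entries: list[tuple[bytes, bytes]] = []

    def add(self, password: str) -> None:
        # A fresh salt per entry means even identical passwords hash differently,
        # so nothing in the stored history reveals which entries are similar.
        salt = os.urandom(16)
        self.entries.append((salt, hash_password(password, salt)))
        self.entries = self.entries[-self.depth:]

    def was_used(self, candidate: str) -> bool:
        # Re-derive the candidate under each stored salt; constant-time compare.
        return any(hmac.compare_digest(hash_password(candidate, salt), digest)
                   for salt, digest in self.entries)


def strip_trailing_digits(s: str) -> str:
    return s.rstrip("0123456789").lower()


def is_trivial_increment(old: str, new: str) -> bool:
    """Catches 'Aligator1' -> 'Aligator2': same stem, only trailing digits differ."""
    stem_old, stem_new = strip_trailing_digits(old), strip_trailing_digits(new)
    return old != new and stem_old == stem_new and stem_old != ""


def check_change(history: PasswordHistory, current: str, new: str) -> str:
    """Policy decision for a password change; `current` is the password being replaced."""
    if history.was_used(new):
        return "rejected: matches a previous password"
    if is_trivial_increment(current, new):
        return "rejected: trivial variation of the current password"
    return "accepted"
```

An exact-match history check alone passes the incremented password; the stem comparison is what actually closes the loophole described above.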
I was told that passwords should only be changed if they are known to be compromised.
But that ignores silent unknown hacks.
What is a good password rotation strategy?