I create 10-character passwords of upper- and lower-case letters with a few numbers. How can you decide when it's time to change a password? If someone starts trying to crack your password 5 minutes after you create it, then you should have changed it already. But if no one tries to crack it for 5 years, should you change it?
Same as others have said, I create strong passwords (20 characters, upper & lower alpha and numbers), unique for each site, and don't need to change them.
Client's Network Security changes them every 3 months. I am not going to do that here. A strong password is good enough. If you think someone dropped in onto one of your boxes, you can always unplug the network cable.
I differentiate between passwords for encrypted data that requires physical access (e.g. TrueCrypt) and online passwords. The odds that someone could steal my TrueCrypt password AND gain physical access to be able to use them are somewhere between slim and zero (closer to zero). Even if my passwords to my on-site data were stolen (e.g. keylogger), that stolen information would likely be lost with the passage of time before it ever becomes a risk. People who steal data with keyloggers want an instant and easy payoff (e.g. online banking, credit cards, etc.). As far as online passwords, I'm less inclined to care about that than my local computer passwords. In all cases I use strong passwords that can't be guessed. So, the only way to get them is to steal them. If someone steals my bank account passwords, paypal password, etc., I'm likely to just shrug, call my bank to dispute the charges, and move on. The fact is, you would have to change your password between the time it's stolen and someone decides to use it. My guess is that would be a narrow window. So, the answer is never for both cases.
In most cases I do not change my passwords. For important sites I use the max length allowed, up to 20 characters. Less important sites normally get 8-character passwords. For some sites I've used the same password for over 9 years. If there was an option for "as required", I would have picked that. Several services I use require frequent password changes.
I use LastPass and generate 20-character-long passwords with random characters so I don't have to remember them. Once a year maybe, if I feel like it, I change them for some sites. Maybe I should do it more often since it is so easy when I don't have to remember them.
As Ronjor said, a few of mine require a 90 day change. So I just change them all every 90 days. Strong passwords with mixed case, numbers, and special characters (when allowed by site).
I only change passwords when needed. One of my current passwords is 36 letters, numbers, and special characters, though not many programs or sites allow them to be this long. I have passwords for things that mean nothing and 3 different passwords for things that do. The strength of the password depends on what it's being used for.
Only at work, every three months, because we're forced to; otherwise never. Mine are typically 8-10 characters, a mixture of lower and upper case, at least one number, no words found in the dictionary. Good enough for me, as I'm not the government or CIS.
There is something ironic in individuals telling the entire world how often they change their important passwords, on a site dedicated to computer security.
You think that's strange? Here's the password I use for all my financial institutions: 89eJ8RQI00a8sjrhue. Now, the reason I feel this is safe, even though I never change my passwords, is because you people don't know who I am. And you don't know which financial institutions I use. Good luck using it.
I voted once every six months but it's more like once a year, because I think they are pretty secure.