🛡️ How Often Should You Change Your Passwords? — 2026 NIST Guidelines
If you’re still forcing your team to change passwords every 90 days, you’re not just wasting everyone’s time — you’re weakening your security. That might sound like heresy after two decades of IT policies built around mandatory password rotation, but the latest NIST guidelines are unambiguous: the 90-day rule is dead, and it needed to be.
The 2024–2026 updates to NIST Special Publication 800-63B represent one of the most significant shifts in password policy since the early 2000s. For small and medium business owners who inherited their password policies from a bygone era, this guide explains what changed, why it matters, and — most importantly — how often you should actually change your password in 2026.
The Old Rule: Where “Change Every 90 Days” Came From
To understand why NIST reversed course, we need to look at how the 90-day rule became gospel in the first place. The origin story is surprisingly unglamorous.
In 2003, Bill Gates sent an internal memo at Microsoft advocating for regular password changes as a security best practice. Shortly after, the original NIST 800-63 guidance codified the 90-day rotation as a recommended standard. PCI DSS followed suit, insurers began requiring it for cyber liability coverage, and soon “change your password every 90 days” was baked into virtually every corporate security policy on the planet.
For nearly two decades, it was accepted without question. The logic seemed sound: if a password was compromised, regularly rotating it would limit the window of exposure. In theory, that made sense. In practice, it created a security disaster.
What NIST Actually Says Now (2024–2026)
The most recent iterations of NIST SP 800-63B take a radically different stance. Section 5.1.1 now contains a directive that has reshaped enterprise security policies worldwide:
NIST SP 800-63B, Section 5.1.1 (2024–2026):
“Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically) unless there is evidence of compromise or the user requests a change.”
Let that sink in. The organisation that originally popularised the 90-day rule now explicitly advises against it. The “SHOULD NOT” language is deliberately strong — in NIST terminology, it means the recommendation should only be ignored with compelling justification.
Why Did NIST Change Its Mind?
The reversal wasn’t arbitrary. It was driven by a growing body of research showing that forced password rotation actively damages security. The most influential study came from Microsoft Research in 2019, which analysed millions of password changes across their Azure Active Directory and consumer accounts. The findings were damning:
- Users choose predictable patterns. When forced to change passwords, users almost always make minimal modifications. “Spring2025!” becomes “Summer2025!” or “Spring2025!1!”. These incremental changes are trivial for modern password-guessing algorithms to predict.
- Passwords get weaker, not stronger. The study found that users subject to frequent rotation requirements were more likely to choose weaker base passwords because they knew they’d have to remember a new one in a few months.
- Credential stuffing is unaffected. Mandatory rotation does nothing to stop automated credential-stuffing attacks. If a password is compromised in a data breach, it stays compromised until the user changes it — but forcing everyone to change passwords every 90 days doesn’t help the specific users who need to change today.
The Verizon 2024 Data Breach Investigations Report reinforces this finding: roughly 86% of web application breaches involve stolen or weak credentials, and arbitrary password rotation does nothing to address the root cause. Breaches happen because passwords are reused, guessed, or phished — not because they were set six months ago.
When You Should Actually Change Your Password
So if arbitrary rotation is out, what triggers an actual password change? NIST’s guidance is refreshingly clear: change your password only when there is specific evidence of compromise. Here are the scenarios that warrant an immediate password change:
After a Data Breach
If a service you use has been breached, and your password may have been exposed, change it immediately — even if the service hasn’t notified you yet. Use tools like Have I Been Pwned to check whether your credentials appear in known breach databases. If they do, every account sharing that password is at risk.
After a Credential Stuffing Attack
If you receive unusual login alerts, see failed login attempts from unfamiliar locations, or notice suspicious activity on your accounts, a credential-stuffing attack may be in progress. Change your passwords and enable multi-factor authentication immediately.
After Sharing Your Password
Every time you share a password — with a vendor, a colleague, a contractor — you expand the attack surface. Once the shared access is no longer needed, change the password. This is especially important for shared business accounts like social media profiles, payment platforms, and admin panels.
After a Device Compromise
Infostealer malware — which silently harvests saved passwords from browsers and password managers — is on the rise. If you suspect a device has been compromised, change every password that was saved on that device. This is one of the few scenarios where a wholesale password reset is justified.
How to Tell If Your Password Has Been Compromised
The old approach to compromise detection was waiting for a breach notification email — usually weeks or months after the event. In 2026, you have better options:
Breach Databases
Have I Been Pwned (HIBP) remains the gold standard for checking whether your email address or phone number appears in known breaches. Firefox Monitor offers similar functionality built directly into the browser. Both are free and should be checked regularly by any business owner.
Dark Web Monitoring
Premium services like NordPass include dark web monitoring that continuously scans for your credentials appearing in illicit marketplaces, forums, and paste sites. If your business email or domain starts showing up in data dumps, you’ll know within hours rather than months. This is the kind of proactive monitoring that replaces the outdated “just change it every quarter” approach.
Unusual Login Alerts
Modern platforms send alerts for logins from new devices, new locations, or unusual times. If you receive an unexpected login notification, treat it as a potential compromise and change that password immediately.
Real Password Security That Actually Works
If arbitrary password rotation is off the table, what replaces it? The answer is a layered approach that addresses the actual causes of credential-based breaches rather than performing security theatre every quarter.
1. Unique Passwords for Every Service
Password reuse is the single biggest risk to your business. If you use the same password for your email, your banking, and your project management tool, a breach at any one service compromises all three. Every account needs its own unique, randomly generated password.
The easiest way to achieve this is with a password generator — try StrongPassFactory’s free password generator to create cryptographically random passwords on demand. Each password should be at least 16 characters, mixing uppercase, lowercase, numbers, and symbols.
2. Use a Password Manager
You cannot realistically maintain unique, complex passwords for dozens of accounts without a password manager. Services like NordPass store your credentials in an encrypted vault, auto-fill them across devices, and generate strong passwords for you. NordPass also includes breach monitoring, passkey support, and secure sharing features that make it an excellent choice for small business teams.
3. Enable Multi-Factor Authentication Everywhere
Multi-factor authentication (MFA) is your strongest defence against credential theft. Even if a password is compromised, MFA blocks the attacker’s access. Prioritise MFA on email, financial accounts, admin panels, and any service that stores customer data. App-based authenticators (like Google Authenticator or Authy) are more secure than SMS-based codes, which are vulnerable to SIM-swapping attacks.
4. Use Passkeys Where Available
Passkeys represent the next evolution of authentication. They’re phishing-resistant, device-bound cryptographic credentials that eliminate passwords entirely. Google, Apple, and Microsoft have all adopted passkey standards, and support is growing rapidly across major platforms. Where passkeys are available, use them — they’re more secure and significantly easier to manage than traditional passwords.
Frequently Asked Questions
How often should you change your password in 2026?
Only when there is evidence of compromise, or when you voluntarily request a change. There is no blanket timeframe. Current NIST guidelines explicitly advise against arbitrary periodic changes.
Does the “change every 90 days” rule still apply anywhere?
Some legacy compliance frameworks (older PCI DSS versions, certain insurance policies) still mandate periodic rotation. However, the trend is shifting — PCI DSS v4.0 has begun relaxing these requirements, and most modern insurers accept NIST-aligned policies. Always check with your specific compliance requirements, but know that the security consensus has moved decisively away from mandatory rotation.
What do the NIST password guidelines 2026 actually say?
NIST SP 800-63B Section 5.1.1 states that verifiers should not require arbitrary periodic password changes. Instead, passwords should only be changed upon evidence of compromise or user request. The full guidance also recommends checking new passwords against known breached password lists (like HIBP’s Pwned Passwords dataset) and allowing passwords of at least 64 characters.
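The verifier-side check this answer describes (and the HIBP lookup mentioned under "Breach Databases"), as an added example that is not code from the article, StrongPassFactory or HIBP: screen a candidate password against the Pwned Passwords dataset using HIBP's k-anonymity range protocol, in which only the first five hex characters of the password's SHA-1 hash are sent, and accept passwords well beyond 64 characters. The range response and its counts are constructed stand-ins for the live API so the script runs offline; `offline_range_lookup`, `pwned_count` and `evaluate_password` are names assumed here.

```python
import hashlib
from typing import Callable, Dict, List

# Constructed stand-in for the Pwned Passwords "range" response for SHA-1
# prefix 5BAA6 (the prefix of sha1("password")). The live service returns
# one "SUFFIX:COUNT" line per breached hash sharing the prefix; the counts
# here are illustrative sample data, not live results.
SAMPLE_RANGE_RESPONSES: Dict[str, str] = {
    "5BAA6": "\r\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD9:1",
    ]),
}

MIN_LENGTH = 16   # the article's recommendation for generated passwords
MAX_LENGTH = 128  # NIST: verifiers must accept passwords of at least 64 chars

def offline_range_lookup(prefix: str) -> str:
    """Offline substitute for a GET of the range endpoint for a 5-hex prefix."""
    return SAMPLE_RANGE_RESPONSES.get(prefix.upper(), "")

def pwned_count(password: str,
                range_lookup: Callable[[str], str] = offline_range_lookup) -> int:
    """Breach-corpus occurrence count (0 = not seen). k-anonymity: only the
    5-character hash prefix is sent; the password and full hash stay local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0

def evaluate_password(password: str,
                      range_lookup: Callable[[str], str] = offline_range_lookup) -> dict:
    """Length bounds plus the breach screen; every rejection carries a reason."""
    problems: List[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    elif (hits := pwned_count(password, range_lookup)):
        problems.append(f"found in known breaches ({hits} times)")
    return {"accepted": not problems, "problems": problems}

if __name__ == "__main__":
    for pw in ("password", "Spring2025!", "correct horse battery staple", "x" * 64):
        print(evaluate_password(pw))
```

To use the live dataset, pass a `range_lookup` that fetches the real range endpoint for the prefix; the hashing and matching logic stays the same.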
Won’t passwords get stale if I never change them?
Not if they’re unique, randomly generated, and protected by MFA. The risk of a password being “stale” was always about the possibility of undetected compromise. With breach monitoring, MFA, and passkeys, you catch compromises in real time rather than hoping a quarterly change happens to coincide with a breach.
How do I know if my business passwords have been compromised?
Use Have I Been Pwned to check email addresses associated with your business. Consider a password manager with dark web monitoring, like NordPass. Enable login alerts from your major service providers. And train your team to recognise the signs of credential-stuffing attacks.
What if a staff member leaves the company?
This is a legitimate reason for a password change. When an employee departs, any shared credentials they had access to should be rotated. But this is an event-driven change, not an arbitrary one — exactly the kind of scenario NIST’s guidance supports.
Should I change my password manager’s master password regularly?
Not unless you have reason to believe it’s been compromised. A strong, unique master password — ideally a passphrase of four or more random words — combined with MFA on your password manager is sufficient. Changing it arbitrarily introduces the risk of forgetting it, which could lock you out of your entire credential vault.
The message from NIST, backed by years of empirical research, is clear: the era of mandatory password rotation is over. If you’re still asking “how often should you change your password” and expecting a number in return, you’re asking the wrong question. The right question is “how do I know when my password has been compromised?” — and that answer lies in breach monitoring, MFA, a password manager, and a proper password generator.
Affiliate Disclosure: This post may contain affiliate links. If you purchase through these links, we may earn a small commission at no extra cost to you. Our password generator is free to use. Full disclosure.