Do (uncompromised) passwords ever need changing, if I use a password manager?

Do you know that they are uncompromised? If you are absolutely sure, then there is no real need to change. Obviously if they are compromised, then go ahead and change. If you do not know, then it becomes more interesting.

That is the main purpose of changing your passwords: just in case they are compromised and you are not yet aware of it. So the whole 90-day password change policy is usually a risk-based compromise between how likely it is that your password has been compromised and how annoying it is to change and re-remember (or, in the case of a password manager, update and start using).


Of course, this is similar to the question How does changing your password every 90 days increase security?

For my answer to that question go here.

To answer your question, reasons to change your password regularly would include:

  • If the entropy of your password allows it to be cracked since you last changed it, as the attacker could have obtained a hash of your password unbeknownst to you. For a rough guide to cracking times, see here. For the average, divide the result by two, e.g. a password with 65 bits of entropy would take 1.7 years to crack on average. Of course, remember that an attacker with enough time and resources to do this might be rare unless they are specifically interested in your account, which is very valuable to them, or the passwords were stored unsalted.
  • If the password might have been accidentally leaked by you at any point (e.g. typing it into your computer with the cursor focused on another window).
  • Somebody may be monitoring your keypresses and have enough information to statistically determine your password (e.g. via a camera, the sounds that your keyboard makes, or by somehow determining wear and tear on your keyboard). Of course, these do not apply to passwords that are autofilled and never typed.
  • If an attacker could have viewed your screen if your password was briefly displayed, allowing them to reduce the effective entropy as they would know any remembered characters at their positions.
  • The website has recently increased their bcrypt iterations or password algorithm and it requires a password change in order to update it in their database.
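As an added example (not code from either answer above), the following Python models the reasoning in the first bullet (password entropy versus the time since the last change) and the last bullet (a site raising its bcrypt cost): it computes the entropy of a uniformly random password, the average time an offline guessing attack would need at a given guess rate, how that rate shrinks as the bcrypt cost increases, and whether a rotation interval is short enough relative to that crack time. The guess rates, the bcrypt reference cost and the 10x safety margin are assumptions chosen for illustration, not figures from the page.

```python
import math

SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy (bits) of a password of `length` symbols chosen uniformly
    at random from an alphabet of `alphabet_size` symbols, e.g. a password
    manager's generator. Human-chosen passwords have far less."""
    if length <= 0 or alphabet_size <= 1:
        raise ValueError("length must be > 0 and alphabet_size > 1")
    return length * math.log2(alphabet_size)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Average time for exhaustive offline guessing against a stolen hash.
    The worst case is the whole keyspace (2**bits guesses); on average the
    password is found halfway through, hence the division by two."""
    if guesses_per_second <= 0:
        raise ValueError("guess rate must be positive")
    return (2.0 ** bits) / 2.0 / guesses_per_second


def bcrypt_guess_rate(rate_at_reference_cost: float,
                      reference_cost: int, cost: int) -> float:
    """bcrypt's work doubles with every cost increment, so an attacker's
    guess rate halves. The reference rate/cost pair is an assumed
    benchmark figure, not a measurement."""
    return rate_at_reference_cost / (2.0 ** (cost - reference_cost))


def should_rotate(bits: float, guesses_per_second: float,
                  days_since_change: float, margin: float = 10.0) -> bool:
    """True when the time since the last change is within `margin` of the
    expected crack time, i.e. a hash stolen at the last change could
    plausibly have been cracked by now. `margin` (assumed 10x) covers
    uncertainty about the attacker's real hardware."""
    elapsed = days_since_change * SECONDS_PER_DAY
    return elapsed * margin >= expected_crack_seconds(bits, guesses_per_second)


def rotation_report(length: int, alphabet_size: int, days_since_change: float,
                    guesses_per_second: float) -> dict:
    """Summarise the decision for one password policy at one guess rate."""
    bits = entropy_bits(length, alphabet_size)
    secs = expected_crack_seconds(bits, guesses_per_second)
    return {
        "entropy_bits": round(bits, 1),
        "crack_years": secs / SECONDS_PER_YEAR,
        "should_rotate": should_rotate(bits, guesses_per_second, days_since_change),
    }


if __name__ == "__main__":
    # Assumed offline rates (guesses/second) for illustration only.
    FAST_UNSALTED = 1e11   # fast hash, no salt: a single pass covers every user
    BCRYPT_COST_10 = 1e4   # assumed benchmark for bcrypt at cost 10
    for label, rate in (("fast unsalted hash", FAST_UNSALTED),
                        ("bcrypt cost 10", BCRYPT_COST_10),
                        ("bcrypt cost 12", bcrypt_guess_rate(BCRYPT_COST_10, 10, 12))):
        print(f"--- {label} ({rate:.3g} guesses/s) ---")
        # 8 lowercase letters vs. a 10-char printable-ASCII manager password
        for length, alphabet in ((8, 26), (10, 95)):
            r = rotation_report(length, alphabet, days_since_change=90,
                                guesses_per_second=rate)
            print(f"{length} chars from {alphabet:>2}: {r['entropy_bits']:5.1f} bits, "
                  f"avg crack {r['crack_years']:.3g} years, "
                  f"rotate after 90 days: {r['should_rotate']}")
```

The practical reading is the one the answer gives: with a generator-made password of roughly 65 bits, a 90-day rotation changes nothing unless the attacker's guess rate is extreme or the hashes were unsalted, whereas a short lowercase password falls well inside the rotation window at any realistic rate. The bcrypt function shows why a site that raised its cost wants a password change: the new cost only protects hashes computed after the change.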