How Often Should I Change my Passwords
In the new NIST guidelines (US National Institute of Standards and Technology), there are now some rather surprising reversals of guidance on several areas of password management. According to this article from Sophos' Naked Security blog, automatic or periodic password aging is no longer recommended by the new guidelines; rather, the article says:
The only time passwords should be reset is when they are forgotten, if they have been phished, or if you think (or know) that your password database has been stolen and could therefore be subjected to an offline brute-force attack.
The only other reason to change passwords on a schedule is to comply with outdated policies which are resistant to change, such as the PCI DSS requirements regarding passwords:
8.2.4 Change user passwords/passphrases at least once every 90 days.
This is not a security issue but a compliance issue. When faced with a regulation which essentially has the force of law, compliance unfortunately must trump security.
NIST Special Publication 800-63b: Digital Authentication Guidelines
Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.
NCSC official guidance:
The NCSC now recommend organisations do not force regular password expiry. We believe this reduces the vulnerabilities associated with regularly expiring passwords (described above) while doing little to increase the risk of long-term password exploitation.
The problem is not with keeping passwords for a long time, but rather the weaknesses introduced when creating new ones. So, if you are using a randomised method of password generation, you could gain benefit from refreshing passwords periodically.
But there are no official guidelines on how often that should be when you create maximally complex passwords because the risks are just too low. When you add in 2FA, then the risks are lower still.
The guidelines you need then are based on the risks that you identify. If you feel that the service you are authenticating to stores passwords in plaintext, is hacked often, and stores data that is critical to you, then you might want to change your passwords quite often, no matter what the official guidance says.