Security Answers in Plain English: Why Do I Have to Change my Password Every 30/60/90 Days?

Back to Blog
January 23, 2018
Mike Talon

Security in Plain English Series

What is Two-Factor Authentication?
Why Do I Have to Change my Password Every 30/60/90 Days?
Office 365 Phishing
What is a DDoS Attack?
What are Red, Blue, and Purple Teams?

Why Do I Have to Change my Password Every 30/60/90 Days?

My company makes me change my password every so often.  Why do they make me do this even if we haven’t been breached or anything like that?

The answer is simple, and there are two reasons why this policy is standard for most companies.  The first is protection against stuff that hasn’t happened yet.  The second is protection against stuff that has happened – just not to your company.

Basically, most IT departments will make you change your password once every set number of days.  It will most likely be 30, 60, or 90 days; as those are pretty common timeframes and also the default numbers for a lot of corporate software.  One reason behind the practice is to defend the company data systems against being invaded because of some other website or company getting hit with a data breach.  Most users will re-use passwords on multiple websites and for multiple purposes. That means that if Yahoo or Uber get breached – and both have in the last few years – and you used the same password for those sites and your work login; the attackers now have your work login too.  By making you change your password regularly, your company is basically making it harder for attackers who have data from some other place use that information on your company’s network.

The second reason is to protect against possible attacks against your company itself.  Keep in mind that for most of us; our usernames are either some combination of our first and last initials/names, or our email addresses.  Both of those pieces of information are publicly available, meaning just about anyone who wants to attack your company will have access to one half of your login information.  These attackers can then use multiple methods to try different combinations of potential passwords, along with your known username, to break into the company data systems.  By having you regularly change passwords, this process becomes harder for the attackers to do successfully.  It’s not a perfect system as the attacker can have up to 30-90 days to perform their attack, but it does make things harder on them.  Since going after easier targets is always preferable to going after harder ones, the idea is that the attacker won’t feel like going after your company if there’s one that’s going to be easier for them to break into.

As you can see, requiring that passwords be changed on a regular basis isn’t just to protect against the chance that someone stole your password.  It can defend the company against being attacked with passwords that were used on other sites which did get breached.  It can also help derail attackers who are only looking to figure out one half of the total login.  Either way, the minor inconvenience of changing your password once a month (or two or three) is nothing compared to the damage either of these situations could cause without that policy in place.

Security Answers in Plain English is a regular column here on the SecureAuth blog, aimed to help end-users understand why IT Security enforces policies and how to best protect themselves in a digital world. If you have a question for this blog, email us at [email protected] and let us know!

Never Miss a Beat
Subscribe to Our Blog

SecureAuth Identity Platform Adaptative Authentication

Identity and Access Management

Empower your digital initiatives with secure access for everyone and everything connecting to your business

Product Features

Adaptive Authentication

Extend verification of a user identity with contextual risk checks

Multi-Factor Authentication

Leverage a broad portfolio of authentication factors for desktop and mobile

Intelligent Risk Engine

Protect your identities with advanced risk profiling analytics

Single Sign-On

Provide app discovery and one-click login through portal or desktop SSO

User Lifecycle Management

Enable admins with strong CRUD capabilities and users with self-service tools

Secure All Identities


Customer Identities

Deliver a frictionless customer experience safeguarding user data and privacy


Workforce Identities

Govern and control access rights for employees, partners, and contractors

SecureAuth Authenticate App

Passwordless MFA client with
Symbol-to-Accept. Stronger security.

The Value of Deploying Multi-Factor Authentication in a Digital World

Value of Deploying Multi-Factor Authentication in a Digital World

Read this white paper to gain insights and understanding of why passwords create risk and blind spots for organizations and their users.


Passwordless Authentication

Reduce the risk of breaches by eliminating passwords

2FA is Not Enough

Block popular phishing and brute force attacks used by bad actors

Protecting Office 365

Extend adaptive authentication and flexible MFA to all apps including Office 365

Securing Portals and Web Apps

Balance strong security and an exceptional user experience

RSA Migration

Transition to a modern identity and access management solution



Financial Services


Energy and Utilities

Public Sector


White Papers


Analyst Reports



Recorded Webinars

Innovation Labs

Support Portal

Calculate Your Savings

Lower support costs by enabling your users the control to reset passwords, account unlocks, device enrollment and update profiles

Meet SecureAuth

About SecureAuth