Why Mandatory Rotation Can Backfire

When users are forced to change passwords frequently, they adapt by making minimal changes: incrementing a number, capitalizing a different letter, or rotating through a small set of passwords. These minor variations provide almost no real security benefit while creating friction that breeds resentment toward security policies.

When You Actually Should Change a Password

The right trigger for changing a password is a specific event, not a calendar date. Change it if the service reports a breach, if you suspect your account has been accessed, if you've shared it with someone who no longer needs access, or if you've typed it on a potentially compromised device.

The NIST Position

NIST's SP 800-63B explicitly states that verifiers should not require memorized secrets to be changed arbitrarily. The guidance recommends changes only when there's evidence of compromise. Most major security frameworks have moved in this direction.
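The two points above (rotation produces predictable variants; change only on evidence of compromise) translate into a password-change gate. The following Python is an added illustration, not code from the article or from NIST: it rejects the minimal edits users make under forced rotation and screens the new value against a compromised-password list. The blocklist contents, the 8-character floor and the edit-distance threshold are constructed assumptions.

```python
import hashlib
import re

# Substitutions users reach for when told the new password "must differ":
# @->a, $->s, 0->o, 1->l, 3->e, 4->a, !->i, |->l
LEET = str.maketrans("@$0134!|", "asoleail")

def canonical(pw: str) -> str:
    """Collapse rotation edits: case changes, leet substitutions,
    and leading/trailing counters such as '1', '2024' or '!'."""
    s = pw.lower()
    s = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", s)
    return s.translate(LEET)

def levenshtein(a: str, b: str) -> int:
    """Edit distance, to catch one-character swaps between rotations."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_trivial_variant(old: str, new: str) -> bool:
    """True when the new password is a predictable edit of the old one."""
    a, b = canonical(old), canonical(new)
    if not a or not b:                      # all-digit/punctuation passwords
        a, b = old.lower(), new.lower()
    if a == b or levenshtein(a, b) <= 1:
        return True
    shorter, longer = sorted((a, b), key=len)
    return len(shorter) >= 4 and shorter in longer

# Constructed sample of a compromised-password blocklist, kept as SHA-1 hashes
# (the shape breach corpora are usually distributed in); real lists hold millions.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest() for p in ("password", "Summer2024!", "letmein")
}

def evaluate_change(old: str, new: str, blocklist=BREACHED_SHA1) -> list[str]:
    """Return the reasons to reject a proposed change (empty list = accept).
    Checks are event-driven, the approach SP 800-63B favours over calendar rotation."""
    reasons = []
    if hashlib.sha1(new.encode()).hexdigest() in blocklist:
        reasons.append("appears in a known breach corpus")
    if len(new) < 8:
        reasons.append("shorter than 8 characters")
    if is_trivial_variant(old, new):
        reasons.append("predictable variant of the previous password")
    return reasons
```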

Managing Breaches Proactively

Set up monitoring with HaveIBeenPwned to get email alerts when your email address appears in a newly discovered breach. This gives you the relevant trigger for password changes. Combined with unique passwords for every account, a breach of one service requires changing only that one password.

Key Takeaway

Change passwords when there's reason to, not on a schedule. Use breach monitoring services to get timely alerts, and rely on unique passwords per account so any single breach is contained.