Overview
- Germany’s BSI and the U.S. NIST advise against routine, time-based password changes and recommend requiring changes only after signs of compromise.
- Experts urge using strong, unique passwords for every account, stored in a password manager that can flag weak or reused credentials.
- Two-factor authentication is now standard practice, with authenticator apps or hardware keys preferred over SMS codes, which the CCC warns are vulnerable.
- Passkeys based on cryptographic credentials are gaining broad support from Google, Microsoft, and Apple, and major password managers now support storing and using them across devices.
- Consumers are encouraged to use the annual reminder to audit accounts and replace weak credentials or adopt passkeys rather than changing secure passwords on a schedule.