Change Your Password Day: A Useless Recurring Event
Every year on February 1st, 'Change Your Password Day' takes place. However, the tip is worn out and counterproductive.
(Image: tete_escape/Shutterstock.com)
It's 'Change Your Password Day' again today, February 1st, 2026! Have you changed all your passwords yet? No? That's perfectly fine!
Originally, the idea of reminding people at least once a year to change their passwords, and of promoting such changes, had its charm. Back then, it was common to protect access with only a username and password, and there were usually no requirements regarding length or complexity. That has changed significantly since then, fortunately.
Multi-factor authentication has since become the standard: users must prove possession of a second factor as additional proof of identity, for example with an authenticator that generates a new access code every 30 seconds. Weaker options are one-time codes sent by email when logging in or, possibly worse still, time-based one-time passwords sent by SMS. The Chaos Computer Club (CCC) also warns against the latter option.
Password Future: Passkeys
Passkeys offer certificate-based security that also works comfortably for users through biometric authentication. They are being adopted by more and more services and offerings, and all major players in the market are already on board, such as Google, Microsoft, and Apple. Password managers can now handle them too, so they are no longer useful only for managing old password-protected accounts. They can also detach passkeys from a single device and make them usable on several devices, such as PCs, tablets, and smartphones.
Looking back, it should be added that forced regular password changes do not have the desired effect of improved security. Quite the opposite: affected users often resort to simple schemes that produce easily guessable passwords, for example a root word followed by a sequential number, such as “Passwort999”.
Even the relevant authority for Germany, the Federal Office for Information Security (BSI), points out that password changes are a thing of the past. This is reflected, for example, in the BSI IT-Grundschutz guidelines, under section ORP.4.A23: “IT systems or applications SHOULD ONLY prompt for a password change for a valid reason. Purely time-based changes SHOULD be avoided.” The US National Institute of Standards and Technology (NIST) echoes this sentiment: “Verifiers (who perform authentication) and Credential Service Providers (CSPs) SHALL NOT require subscribers to change passwords periodically. However, verifiers MUST enforce a change if there are indications that the authentication has been compromised.”
Therefore, the question of when one should *change a password* is easy to answer. It is necessary *if there is suspicion that an account has been compromised and the password has likely fallen into the wrong hands*. In such a case, the second factor should still be effective, but a swift change is urgently recommended.
The password remembrance day is therefore out of date. The tips have merely been repeated for years; here is a collection:
- Change Your Password Day 2025: “Change Your Password Day: Counterproductive Tip”
- Change Your Password Day 2024: “'Change Your Password' Day: Why Changing Your Password Hardly Helps”
- Change Your Password Day 2023: “Change Your Password Day: Exceptionally yes, please!”
- Change Your Password Day 2022: “'Change Your Password' Day? Better: 'Activate 2FA'!”
The question that remains in the end: creating such a day of remembrance evidently works. But once the topic has become obsolete, how do you end it? We will probably have to keep asking ourselves this question for the next few years.
(dmk)