You’ve probably heard that familiar “change password” advice a lot: If you bank online, change your password on a regular basis. Change it now, change it often; you can’t change it enough.
But provided you have a strong password, that advice is actually outdated, even though the odds of having your bank account hacked are on the rise. In 2023 (the last year these numbers were compiled), the IC3 (Internet Crime Complaint Center) received 880,418 cybercrime complaints from the American public, with reported financial losses of over $12.5 billion, according to the Federal Bureau of Investigation. That was an almost 10% jump in complaints from the year before and represented a 22% increase in losses.
Anecdotally, JPMorgan Chase, one of the world’s largest banks, recently stated that it has seen a sizable increase in cyberattacks on its financial institution.
So how often should you change your bank password? Read on for some guidelines, and advice for creating a strong password.
How often should you change your bank passwords?
There is a lot of conflicting advice on the web, and that’s partially because there’s old advice on the internet intermixed with the new. Typically, several years ago, you’d get advice suggesting that you should change your bank passwords every three months.
You don’t hear that as much for a lot of reasons. For starters, changing bank passwords can get onerous. In fact, some experts suggest that if you change your password too frequently, you’ll make your money less safe because you might be more prone to coming up with easy-to-remember (and easy-to-hack) passwords.
In fact, three cybersecurity experts contacted by Yahoo Finance all said generally the same thing: You actually don’t have to change your bank password at all, provided it's a really good password.
“I don’t think it is generally necessary to change your password more than once a year,” said Steve Weisman, senior lecturer of law, taxation, and financial planning at Bentley University in Waltham, Mass., and author and creator of Scamicide.com, a cybersecurity and identity theft information website.
“As long as the user implements a long and strong password, and that password is unique to that specific account, then there really isn't any other reason to change it,” said Robert Siciliano, the CEO of ProtectNowLLC.com, a company that offers cybersecurity employee training.
Fred Scholl, associate teaching professor of cybersecurity and director of the cybersecurity program at Quinnipiac University in Hamden, Conn., also concurs that if you have an impressively intricate password, you really don’t need to change it.
When should you change your bank password?
Everyone agrees that there are caveats when it comes to the “change password” advice. Ideally, Scholl says, your strong password is complex, and your bank needs to support multi-factor authentication. That’s when your bank verifies your identity with more than just a password. For instance, maybe your financial institution also texts you a one-time code when you want to get into your bank app or offers facial recognition.
Weisman and Siciliano both say the once-a-year or never-change-password advice should be junked if your bank has had a recent data breach. In that case, you would change your bank password immediately.
But otherwise, if your bank is as protected from cyberattacks as it probably says it is, there’s no reason to keep constantly changing your password.
Tips for creating a strong banking password
There are a number of ways you can create a strong password. Some dos and don’ts include:
Do: Use a complex password. Your password should contain more than 12 characters, according to Scholl. That’s in line with what Google recommends.
Don’t: Use the same password for all of your websites. If a hacker figures out one password for your banking website, they can now get into all of your websites.
Don’t: Use names of pets in your password. If a hacker has been stalking your social media, they know the names of your pets. Now, it’s another story if your pet-themed password is broken up with symbols and numbers. “Rover123!” would be a lousy password, but “Ro!ver$#@123!” would be much better.
Don’t: Use the word “password” in your password. You’ve probably heard that, but it’s done often, and hackers know it. It’s also not recommended to go with something like, “pass1@word.” The hackers are well aware of those tricks, too.
Do: Use a password manager. Scholl is a fan of storing a strong password in a password manager — a software program that stores your passwords in your phone or device for you — since you’re not going to remember multiple, complex 12-character passwords. “Some are free, some are low cost,” he said.
So instead of trying to think of something creative and hack-free and then remembering it, you let the password manager do the creating and remembering for you.
Do: Use a passphrase. If you don’t want to use a password manager, Siciliano suggests going with a passphrase. A passphrase can be a very strong password, and it can be your ticket to not having to change passwords every few months.
“A passphrase such as ‘I love Harleys’ could be turned into ‘1Love1986!Harleys,’ which would be considered long, strong, hard to hack, and hard to crack,” Siciliano said, adding: “That is, of course, as long as you're using a different passphrase for every account.”
Bottom line
It may help to think of yourself as being in a partnership with your bank. Your bank is presumably doing everything it can to keep your money safe. And if you do your part by developing a strong password, going through the “change password” hassle should be a rare thing going forward. Between the bank’s own security measures and your strong password, your funds should be completely safe.