
Why You Should Change Passwords Regularly

People often ask "Why does website X force me to change my password? It is annoying" or similar questions.

This page tries to answer that.

It is considered good security practice to change passwords regularly.

Why?

Because the longer you use a password, the larger the probability of it being known to somebody else ("leaked"). And a password can be leaked in a plethora of ways - e.g.:

  • by yourself: Somebody looking over your shoulder can see you typing your password. Or you may be one of those (annoying) people who mumble the letters while typing them (yes: such people exist!). Or you may accidentally type your password into the wrong field (yes: it happens). It could be a simple innocent mistake that you may not give a second thought to, because you were busy with something else. And having to enter "that damn password" was merely considered an obstacle.

  • websites leak data with depressing regularity. Some of the data that they leak are passwords. Any decent website should at most be storing a salted hash of your password, but horror stories of websites storing passwords in plain text do exist. And as a user, you have no way of being sure that a website takes the necessary security precautions, unless they're being exceptionally careless and ignorant about it. Even Instagram was caught storing passwords in a way worthy of many facepalms. This is also why you should not re-use passwords.

  • to a man-in-the-middle. Emails warning you that your PayPal account has been locked and you need to "confirm" your identity are common. Lots of people click the link and happily enter their usernames/passwords there, thinking they are talking to e.g. PayPal (when they are not). Scammers have developed similar scams for most commonly used websites. Or your traffic could have been captured because you stupidly clicked on the "ignore SSL certificate validity" button. It only takes one mistake here.

When a password is leaked like this, it may take some time before a hacker/scammer/criminal actually uses it. E.g. if a 6-month-old backup of some website database is leaked onto the dark web for all to see, this may expose your password as it was at the time. If the password is unchanged, you are a potential victim.

Passwords are bought and sold on various "dark web" sites all the time - and commerce takes time. Having to do commerce out of sight of any authorities does not make it faster. Criminals being criminals, many are quite happy to sell old passwords, while marketing them as new; everybody knows the buyer is unlikely to call the police. The authorities are generally quite ineffective when dealing with the problem anyway.

For most ways of “leaking” a password, you would not know it had been leaked. The criminals aren’t going to tell you. A website which got hacked cannot be relied upon to inform you: They're often not even aware of the problem, usually discover it long after the event, may delay in telling users or just decide to keep the problem quiet to avoid looking bad.

You will live in blissful ignorance until one day you cannot log into the account because somebody else changed your password. By the time you find out: it is too late.

Changing your password regularly helps reduce that risk. Just like not re-using passwords also helps.

But changing passwords is annoying. So lazy (ahem... "less security conscious") people will only want to remember a small number of passwords. So they end up re-using them.

And re-using passwords (e.g. just switching back-and-forth between "my 2 good passwords") defeats the whole point of regularly changing passwords: It is the equivalent of "sitting on the seatbelt to stop the car from complaining": The website (or car) is trying to help users with their security.

And since websites know they cannot rely on users not to defeat the whole point, they often store (hashes of) the last few passwords you have used, and prevent you from using them again. And yes: The databases of "old passwords used by users" also get leaked with alarming regularity.
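The "salted hash" storage mentioned above and the "remember the last few passwords" check described here, as one added example (not code from the original page, and not any particular website's implementation): each history entry gets its own random salt, only PBKDF2 hashes are kept, and the history size and iteration count are assumed policy values chosen for the example.

```python
import hashlib
import hmac
import os

# Assumed policy parameters for the example (not from the original page).
HISTORY_SIZE = 5            # current password plus the 4 before it
PBKDF2_ITERATIONS = 100_000  # kept modest so the example runs quickly

def hash_password(password, salt=None):
    """Return (salt, digest). A fresh random salt per entry means two
    entries holding the same password never share a digest."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest

def matches(password, salt, digest):
    """Re-derive with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)

class PasswordHistory:
    """Per-user store of salted hashes: the current password first, then
    older ones. No plaintext password is ever retained."""
    def __init__(self):
        self.entries = []   # newest first: list of (salt, digest)

    def set_password(self, password):
        """Accept the new password only if it is not one of the remembered
        hashes. Returns False when the user tries to re-use an old one."""
        for salt, digest in self.entries:
            if matches(password, salt, digest):
                return False
        self.entries.insert(0, hash_password(password))
        del self.entries[HISTORY_SIZE:]      # forget the oldest beyond the window
        return True

    def verify(self, password):
        """A login attempt is checked against the current password only."""
        if not self.entries:
            return False
        salt, digest = self.entries[0]
        return matches(password, salt, digest)

def rotate_demo():
    """Simulate the 'my 2 good passwords' back-and-forth with constructed values:
    the third change is rejected because the hash is still in the history."""
    history = PasswordHistory()
    return [history.set_password(p) for p in ("correct horse", "battery staple", "correct horse")]
```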