How Often Should Your Team Change Passwords? The Honest Answer
The truth about password changes: why the old 90-day rule is dead and what creative agencies should actually do to stay secure in 2026.

For years, IT departments have enforced the dreaded 90 day password change rule. You know the drill: just as you've memorised your password, a popup appears demanding you create a new one. Your team groans, "Password123!" becomes "Password124!", and everyone moves on.
But here's the thing: this approach is making your creative agency less secure, not more. The cybersecurity world has fundamentally shifted its thinking on password changes, and it's time your business caught up.
The Death of the 90 Day Rule
The National Institute of Standards and Technology (NIST) officially dropped the mandatory password change requirement in 2017 in its Digital Identity Guidelines (SP 800-63B): change a password when there is evidence it has been compromised, not on a schedule. The UK's National Cyber Security Centre gives the same advice, recommending against regular password changes unless there's evidence of compromise.
Why the about face? Research showed that forcing frequent changes led to weaker passwords, not stronger security. When people know they'll need to change passwords regularly, they:
- Choose simpler passwords that are easier to remember
- Make predictable changes like adding numbers sequentially
- Write passwords down or store them insecurely
- Reuse variations across multiple accounts
For creative agencies handling sensitive client work and intellectual property, these behaviours create serious vulnerabilities.
When You Actually Should Change Passwords
Instead of calendar based changes, focus on event driven password updates. Here's when your team should immediately change passwords:
After a data breach: If any service your team uses reports a breach, change those passwords immediately. This includes client systems, creative software accounts, and business tools.
When someone leaves: Change shared account passwords within 24 hours of any departure, whether voluntary or not, and at the same time disable the leaver's own accounts and revoke any active sessions, API keys or tokens they held.
If you suspect compromise: Unusual account activity, unexpected password reset emails, or suspicious logins are red flags requiring immediate action.
After sharing credentials: If a password was shared via email, Slack, or spoken aloud, consider it compromised and change it.
For weak existing passwords: Any password under 14 characters, any password that is a single dictionary word with a number and symbol tacked on, and any password known to appear in a published breach list needs updating now, regardless of age.
What Makes a Password Actually Secure
Length trumps complexity every time. A 25 character passphrase like "coffee studio london 2026" is far harder to brute force than "P@ssw0rd1!", which looks "secure" but is a well known pattern that cracking tools try first. One caveat: a phrase built from your agency's location and the current year is exactly what a targeted guessing attack tries early, so let your password manager pick random words rather than choosing meaningful ones yourself.
Here's what actually matters:
Length: Aim for minimum 14 characters, preferably 16 or more
Uniqueness: Every account gets its own password, no exceptions
Randomness: Avoid personal information, company names, or predictable patterns
Storage: Use a password manager, never browsers or sticky notes
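The following Python script is an added example, not code from the article or from WaveIT Solutions. It turns the points above into something you can run: a passphrase generator that draws words with a cryptographic random source, two strength estimates that show why "P@ssw0rd1!" scores well on a naive character count yet is weak, and a policy check that flags the weak-password cases described above (too short, seen in a breach, contains a company name, "word plus digits plus symbol", contains a year). The word list and the breached-password set are constructed for the example; a real deployment would use a published word list and a real breach corpus. Function names and thresholds are the example's own choices.

```python
import math
import re
import secrets
import string

# Constructed word list for this example only. A real generator would use a
# published list such as the EFF large word list (7,776 words); the size of
# the list is what sets the strength of each word you draw.
WORDLIST = [
    "anchor", "basil", "cobalt", "dune", "ember", "falcon", "glacier", "harbor",
    "iris", "juniper", "kestrel", "lantern", "marble", "nectar", "orchid",
    "pebble", "quartz", "raven", "saffron", "tundra", "umber", "velvet",
    "willow", "zephyr",
]

# Constructed stand-in for a breached-password corpus (lower-cased). In practice
# you would check against a real leaked-password list, for example through the
# Have I Been Pwned k-anonymity API, rather than a hand-written set.
BREACHED = {"password", "password123!", "p@ssw0rd1!", "letmein", "qwerty123", "welcome1"}

MIN_LENGTH = 14  # the article's recommended minimum

# "Word, then digits, then symbols" is the shape forced-rotation passwords end
# up with (Password123! -> Password124!), so cracking tools try it first.
WORD_DIGITS_SYMBOLS = re.compile(r"[A-Za-z]+\d+[^A-Za-z0-9\s]*")
YEAR = re.compile(r"(?:19|20)\d\d")


def generate_passphrase(words=4, wordlist=WORDLIST):
    """Draw words with the CSPRNG in `secrets` (never `random`) so the phrase is unpredictable."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def charset_bits(password):
    """Upper bound on strength: bits a blind brute-force attacker must search,
    assuming every character could be any member of the classes present.
    This flatters patterned passwords, which is why check_policy exists."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)
    if any(c.isspace() for c in password):
        pool += 1
    return len(password) * math.log2(pool) if pool else 0.0


def wordlist_bits(word_count, wordlist_size):
    """Honest strength of a randomly generated passphrase: the attacker knows the
    list and the word count, so each word contributes log2(list size) bits."""
    return word_count * math.log2(wordlist_size)


def check_policy(password, company_terms=()):
    """Return the reasons a password should be replaced now (empty list = acceptable)."""
    problems = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append(f"only {len(password)} characters (minimum {MIN_LENGTH})")
    if lowered in BREACHED:
        problems.append("appears in the breached-password list")
    for term in company_terms:
        if term.lower() in lowered:
            problems.append(f"contains company term '{term}'")
    if WORD_DIGITS_SYMBOLS.fullmatch(password):
        problems.append("word followed by digits and symbols, the pattern cracking tools try first")
    year = YEAR.search(password)
    if year:
        problems.append(f"contains a year ({year.group()}), which targeted guessing tries early")
    return problems


if __name__ == "__main__":
    for candidate in ("P@ssw0rd1!", "Password124!", "coffee studio london 2026", generate_passphrase()):
        print(f"{candidate!r}: {charset_bits(candidate):.0f} charset bits, "
              f"problems: {check_policy(candidate, company_terms=('WaveIT',)) or 'none'}")
    print(f"4 random words from a 7,776-word list: {wordlist_bits(4, 7776):.0f} bits")
```

Note the two strength numbers disagree on purpose: "P@ssw0rd1!" scores about 65 bits on a character-class count, higher than the 52 bits of four random words from a 7,776-word list, yet it is in every cracking wordlist and fails the policy check outright. The character-class estimate only holds for passwords that were actually generated at random, which is the case for a password manager's output and not for anything a person invents.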
The Password Manager Solution
Password managers are non negotiable for modern businesses. They generate unique, complex passwords for every account and remember them so your team doesn't have to.
For creative agencies, we typically recommend:
Business focused solutions like Bitwarden Business, 1Password Business, or Keeper Business that offer:
- Secure password sharing for team accounts
- Admin controls and reporting
- Integration with single sign on systems
- Audit trails for compliance requirements
Expect to budget around £2 to £4 per user monthly. Given that a single data breach can cost UK SMEs an average of £65,000, this is remarkably cost effective protection.
Multi Factor Authentication: Your Safety Net
Even with strong passwords, multi factor authentication (MFA) is essential. It adds a second barrier, so a stolen or guessed password on its own isn't enough to get into the account.
Prioritise MFA for:
- Email accounts (especially admin accounts)
- Cloud storage and file sharing
- Creative software subscriptions
- Financial and banking systems
- Social media business accounts
App based authenticators like Microsoft Authenticator or Google Authenticator are more secure than SMS, which can be intercepted or redirected by SIM swapping. Hardware security keys and passkeys (FIDO2) are stronger still, because the login is bound to the genuine site and can't be phished; use them for admin accounts wherever your systems support them.
Implementing Change in Your Agency
Rolling out new password policies requires careful change management. Here's how to do it without revolt:
Start with leadership: Have directors and senior staff adopt password managers first. Their buy in makes company wide adoption easier.
Provide training: Run short sessions showing how password managers work. Many people resist because they don't understand the tools.
Phase the rollout: Begin with the most critical accounts (email, banking, client systems) before tackling everything else.
Set realistic timelines: Give teams 30 to 60 days to transition fully. Rushed implementations create frustration and shortcuts.
Actionable Steps for Today
You can start improving password security immediately:
- Audit your current policy: If you're still forcing regular password changes, stop. Update your IT policy to focus on strength over frequency.
- Identify critical accounts: List all business critical systems and prioritise them for strong password implementation.
- Research password managers: Compare business solutions and budget for implementation. Most offer free trials.
- Enable MFA where possible: Start with email and cloud storage accounts. These often take minutes to configure.
- Plan team communication: Draft emails explaining the changes and why they matter. Transparency reduces resistance.
The Bottom Line on Password Changes
Your creative agency should change passwords when there's a security reason, not because the calendar says so. Focus your energy on implementing strong, unique passwords protected by multi factor authentication. This approach provides significantly better security while reducing the daily friction that makes teams circumvent security measures.
The goal isn't perfect security (impossible) but practical security that your team will actually follow: strong, unique passwords that don't change unnecessarily, managed by proper tools, with MFA as backup protection.
Need Help Securing Your Agency?
Implementing modern password security across your creative agency doesn't have to be overwhelming. WaveIT Solutions specialises in helping London based creative and professional services firms build practical, effective IT security.
Our free IT security health check tool at waveitsolutions.co.uk/tools/health-check can identify password vulnerabilities and other security gaps in your current setup. It takes just five minutes and provides immediate, actionable recommendations tailored to your business size and sector.