New web leaks are being reported regularly. In the last month Google uncovered what is likely the most troubling leak in 2017. So far. And we're just past halfway through March. The CloudBleed bug may have exposed passwords and other sensitive data from a multitude of sites, including major services like FitBit, Uber, and 1Password. We recommend clients change their passwords at least every six months, and immediately after discovering any vulnerabilities to your accounts.
When changing their passwords, clients often ask what the requirements are. I respond with the common minimum requirements: it must include at least two numbers, two upper case characters, and it must be a minimum of 12 characters long. Unfortunately, that question often indicates an intention to meet the minimum and no more. Although meeting those basic requirements is a good practice, the best practice is having a unique password that exceeds the minimum, that is also personal enough to remember, and that only you will know.