Massive phishing attacks gather large lists of passwords and/or hashes that are sold days, weeks, or months later. The buyers then work their way through the lists over the course of months or years. Changing passwords regularly makes these attacks less likely to be lucrative because the hit rate on the data drops as time passes.
Changing passwords regularly doesn't help much against a real-time targeted attack on a specific person or system. But it does reduce the value of aggregated stolen information that is sold on to third parties and abused at a later date.
Since we can't count on timely notification of data breaches (http://www.federaltimes.com/story/government/cybersecurity/2016/04/20/fdic-major-breach/83233956/), proactive password changing is a bit safer than changing passwords after a breach is discovered.
Slashdot Mirror
Massive phishing attacks gather large lists of passwords and/or hashes that are sold days, weeks, or months later. The buyers then work their way through the lists over the course of months or years. Changing passwords regularly makes these attacks less likely to be lucrative because the hit rate on the data drops as time passes. Changing passwords regularly doesn't help much against a real-time targeted attack on a specific person or system. But it does reduce the value of aggregated stolen information that is sold on to third parties and abused at a later date. Since we can't count on timely notification of data breaches (http://www.federaltimes.com/story/government/cybersecurity/2016/04/20/fdic-major-breach/83233956/), proactive password changing is a bit safer than changing passwords after a breach is discovered.