Knowing which passwords are stale is the hard part of good password hygiene. This scheduler turns a pile of last-changed dates into a single prioritised list so you always see what is overdue and what is coming up, without ever handling the passwords themselves.
The debate on password rotation
Security guidance on password rotation has shifted significantly over the past decade. The old model — force everyone to change every 90 days — was well-intentioned but backfired: users subjected to frequent forced changes responded by picking predictable patterns (Summer2024! → Autumn2024!) or by incrementing a number. The result was weaker passwords, not stronger ones.
NIST SP 800-63B (the current US federal guidance on authentication) now explicitly recommends that verifiers should not impose periodic password expiry unless there is evidence of compromise. The UK’s NCSC holds a similar position.
However, that guidance applies to mandatory rotation without a trigger. Sensible voluntary rotation still makes sense in specific situations:
- When a service you use suffers a breach (rotate immediately)
- When you suspect a device you used has been compromised
- When you leave an organisation and shared accounts were involved
- For very high-value accounts (banking, primary email) where a 90-day cadence gives peace of mind
This scheduler lets you set your own policy per account category — whether that follows the old-school 90-day rule, a modern breach-triggered approach, or somewhere in between.
How it works
For each service you record three things: a name, a category and the date the password was last changed. The category determines a rotation interval, and the next due date is a simple addition:
dueDate = lastChanged + intervalDays(category)
The default intervals are:
| Category | Interval | Rationale |
|---|---|---|
| Critical (banking, email, root) | 90 days | High-value targets; breach impact is severe |
| Work / SSO | 180 days | Often behind corporate controls but used on shared networks |
| Personal accounts | 365 days | Lower stakes; rotate more on breach notification |
Each entry is then classified by how many days remain until its due date: overdue if the date has passed, due soon if within 14 days, otherwise ok. The list is sorted so the most urgent items rise to the top.
Privacy by design
Only the service name, category and date are kept. No password, hint or secret is ever requested or stored. Everything lives in your browser’s localStorage, so the data never leaves your device and there is no account to create.
Practical workflow
- When you change a password, immediately update the entry in the scheduler with today’s date. That resets the countdown.
- Check the scheduler weekly or monthly — the overdue section tells you what to do first.
- For breach notifications (email from services like HaveIBeenPwned or a company’s own notice): rotate the affected account immediately, regardless of where it sits in the schedule.
- Pair this scheduler with a proper password manager and two-factor authentication. Rotation is one layer; unique, strong passwords and 2FA add the others.
Because storage is local, your list will not follow you to another browser or device. That trade-off is what keeps it completely private.