I have accounts at probably hundreds of sites. Am I to understand that I am supposed to remember each one of them and dutifully update them every month or two?
Yes; of course if most of those accounts are moribund and unused then you don't need to change them so often, but the passwords you use frequently should be changed at regular intervals.
It's pretty commonsensical once the threat is understood.
Does anybody have a good URL explaining that idea? It's been kicking around for many years. I've never seen a convincing writeup. Does your bank request/require that you change the PIN on your ATM card every few months?

Security is a tradeoff. I think there are two cases for passwords. I'll call them important and junk. I'm willing to store the junk ones in a file or piece of paper that I'm careful with. I have to memorize the important ones. I'm only smart enough to memorize a few good passwords. If I change them every few months, they will be less good, or fewer of them.

-- 
These are my opinions. I hate spam.