eli5 – Cyber passwords


Why do passwords need to be so complex and changed often? When I enter an incorrect password, I usually get an email about it being incorrect and after a few tries, get locked out. If someone was trying to log on, wouldn’t they run into these issues or can they bypass it somehow?


4 Answers

Anonymous

The “change often” is falling out of favour with the cybersecurity community…a complex & unique password doesn’t lose security with time so changing it really doesn’t help. And changing has a human psychology issue that we tend to pick easier passwords because we have to keep changing them.

Complex is to prevent a “dictionary attack” (just guess common words). The error emails/lockouts are also designed to prevent this type of attack, but many websites don’t use those so it’s not foolproof.

Using some mix of case, numbers, and symbols makes it *much* harder to brute-force attack a password because it hugely expands the number of possible passwords.

Changing often, in theory, is to protect against our habit of using the same password on multiple sites (unfortunately very common). This means that if one site is compromised, it compromises multiple sites. Changing the password “resets the clock” and prevents the damage from spreading too far.

The best thing to do is use a password manager you can trust that makes very long, very complex, unique passwords for each site.

Anonymous

Passwords should never be reused between multiple websites. If a malicious actor figures out a password to one service, they may try that same username and password combination elsewhere.

Also, in the event that a database of usernames and hashed passwords is leaked, a complex password would take longer to figure out by a brute force attack, and wouldn’t appear in a precomputed table of hashed possible passwords (such rainbow table attacks can also be rendered useless by using individual “salts” per user.)

Blocking attempts after a few tries makes a brute force attack difficult.
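The point this answer makes about leaked hash databases, precomputed tables and per-user salts, shown in code. This is an added example, not code from the thread: the wordlist, the three users and their passwords are constructed, and SHA-256 is used only to keep the block short (real password storage should use a deliberately slow function such as bcrypt, scrypt or Argon2, which makes every guess in the salted loop below far more expensive).

```python
import hashlib
import os

# Constructed sample data (not from the thread): a short attacker wordlist and a
# toy "breach dump". Real wordlists have millions of entries; the logic is the same.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "iloveyou"]
USERS = {"alice": "password", "bob": "password", "carol": "k7#Vq9!pL2"}


def hash_unsalted(password: str) -> str:
    """Weak scheme: plain SHA-256 of the password; identical for every user."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted(password: str, salt: bytes) -> str:
    """Per-user random salt mixed in, so equal passwords give different hashes."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def make_leak(users, salted: bool):
    """Build the 'leaked database': {user: hash} or {user: (salt, hash)}."""
    leak = {}
    for user, pw in users.items():
        if salted:
            salt = os.urandom(16)  # generated once per user at signup
            leak[user] = (salt, hash_salted(pw, salt))
        else:
            leak[user] = hash_unsalted(pw)
    return leak


def build_lookup_table(wordlist):
    """Precompute hash -> password once; reusable against any unsalted leak."""
    return {hash_unsalted(pw): pw for pw in wordlist}


def crack_unsalted(leak, table):
    """One dictionary lookup per user; no hashing at crack time at all."""
    return {user: table[h] for user, h in leak.items() if h in table}


def crack_salted(leak, wordlist):
    """The table is useless: every user's salt forces a fresh hash of each
    candidate. Returns (recovered, number_of_hashes_computed)."""
    recovered, work = {}, 0
    for user, (salt, h) in leak.items():
        for candidate in wordlist:
            work += 1
            if hash_salted(candidate, salt) == h:
                recovered[user] = candidate
                break
    return recovered, work


def demo():
    """Run both leaks against the same wordlist and report what the attacker gets."""
    unsalted = make_leak(USERS, salted=False)
    salted = make_leak(USERS, salted=True)
    table = build_lookup_table(COMMON_PASSWORDS)
    from_table = crack_unsalted(unsalted, table)
    from_salted, work = crack_salted(salted, COMMON_PASSWORDS)
    return {
        "same_hash_unsalted": unsalted["alice"] == unsalted["bob"],
        "same_hash_salted": salted["alice"][1] == salted["bob"][1],
        "cracked_unsalted": from_table,
        "cracked_salted": from_salted,
        "hashes_computed_unsalted": 0,  # lookups only, table built once
        "hashes_computed_salted": work,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two things to notice in the output: alice and bob share a password, and without salts that is visible in the dump itself (identical hashes) before any cracking starts; with salts the attacker recovers the same two weak passwords, but only by re-hashing the wordlist per user, and carol's password, absent from the wordlist, is not recovered either way.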

Anonymous

For someone trying to brute force passwords there are two possible ways to do it:

1. Try lots of different passwords on the same account.

Rules that lock the account after a set number of failed attempts help prevent this.

2. Try a commonly used password on lots of different accounts.

Locking individual accounts doesn’t help much here: if they only try one or two common passwords it’ll never hit the limit on any one account.
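The two attack shapes this answer describes need two different detections, and the second one is easy to miss if all you have is a per-account lockout. The block below is an added example, not code from the thread: the log format (`timestamp OK|FAIL user=... src=...`), the thresholds and the sample log lines are all constructed for illustration, and the IP addresses come from the documentation ranges.

```python
import re
from collections import defaultdict

LOCKOUT_THRESHOLD = 5         # consecutive failures before an account locks
SPRAY_ACCOUNT_THRESHOLD = 10  # distinct accounts one source may fail against

# Log format is assumed for this example; adapt the regex to your own auth logs.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(lines):
    """Yield one dict per well-formed log line; silently skip anything else."""
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if m:
            yield m.groupdict()


def locked_accounts(events, threshold=LOCKOUT_THRESHOLD):
    """Case 1: many passwords against one account. A success resets the counter."""
    fails = defaultdict(int)
    locked = set()
    for e in events:
        if e["result"] == "OK":
            fails[e["user"]] = 0
        else:
            fails[e["user"]] += 1
            if fails[e["user"]] >= threshold:
                locked.add(e["user"])
    return locked


def spraying_sources(events, threshold=SPRAY_ACCOUNT_THRESHOLD):
    """Case 2: one password against many accounts. Per-account counters never
    trip, so count distinct failed-against accounts per source instead."""
    targets = defaultdict(set)
    for e in events:
        if e["result"] == "FAIL":
            targets[e["src"]].add(e["user"])
    return {src for src, users in targets.items() if len(users) >= threshold}


def constructed_log():
    """Constructed sample log: a legitimate typo, a brute-force run, and a spray."""
    lines = [
        "2024-05-01T09:00:00Z FAIL user=bob src=192.0.2.10",
        "2024-05-01T09:00:05Z OK user=bob src=192.0.2.10",
    ]
    # Brute force: 6 different guesses against alice from one source
    lines += [f"2024-05-01T09:01:{i:02d}Z FAIL user=alice src=198.51.100.7"
              for i in range(6)]
    # Spray: one guess each against 12 accounts from another source
    lines += [f"2024-05-01T09:02:{i:02d}Z FAIL user=user{i} src=203.0.113.9"
              for i in range(12)]
    return lines


def analyse(lines):
    """Run both detections over the parsed events."""
    events = list(parse(lines))
    return {
        "locked": locked_accounts(events),
        "spraying": spraying_sources(events),
    }


if __name__ == "__main__":
    print(analyse(constructed_log()))
```

On the constructed log only `alice` locks, while the sprayer at 203.0.113.9 never pushes any single account past one failure and is caught only by the per-source count of distinct accounts. In production the per-source rule also needs a time window and some care with shared egress addresses (NAT, proxies), otherwise an office full of users with expired passwords looks like a spray.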

Anonymous

In the past, these protection measures didn’t exist. Meaning if I was trying to hack your e-mail, all I would have to do is know your login name (not particularly hard if I know your name and what company you work at – Oh, you’re Jeff Fakename and you work at FakenameIncorporated -> jFakename(atSymbol)fakenameinc.org). All I would have to do is set up a program that auto feeds your login name, and an ever changing password that starts by trying “a”, then “b”, then eventually “aa”, then eventually “aaa” etc etc etc and I will eventually get in. Most accounts didn’t have protections against this.

Eventually people wised up and realized that takes a long time, so let’s optimize the order in which it tries things: let’s run through all the words in the dictionary first, because that will probably save a lot of time.

That’s the basics of a brute force attack.

Now, most places recommend using a complex password that’s not repeated anywhere because they have those protections that protect against people from trying literally every possible combination of words, letters and symbols it could be. If they detect a set number of failed login attempts, they know to lock the account. But there’s always the chance that one of those entries just so happens to match your password on the first 5-10 tries before your account gets locked. So they tell you to use something unique and complex just so that slim chance can’t happen.

You specifically mention you get an e-mail, that’s another added layer of protection called two factor authentication (2FA) but that is largely moving on to a separate, second password system (usually by sending a one time use code somewhere) or a phone call rather than e-mail nowadays. That came about as keyloggers delivered as viruses became more and more common. Keyloggers basically are viruses/worms that infect a computer and just track all of the keystrokes that someone makes. Think of it as I’m standing behind you and looking at what you type in as you type in your password. 2FA helps to get around that, because now that is another system that the person would have had to infect in order to get into your account (hence why they are moving away from e-mail, because one keylogger on a computer can also get you that person’s e-mail login to verify yourself).

tl;dr – You are right, but that is exactly what those issues are there to do.
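The guessing order this answer walks through (“a”, “b”, … “aa”, … “aaa”, with a dictionary run first), plus the first answer’s point that mixing character classes hugely expands the number of possible passwords, written out as a small cracker model. This is an added example and not code from the thread; the wordlist, the targets and the lockout value of 5 are constructed assumptions, and `guess_position` simply counts how many guesses a cracker trying candidates in that order would make before reaching a given password.

```python
import itertools
import string


def candidates(alphabet, wordlist=(), max_len=4):
    """Yield guesses in the order the answer describes: the wordlist first (the
    'dictionary' shortcut), then every string of length 1, 2, ... up to max_len."""
    yield from wordlist
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            yield "".join(chars)


def guess_position(target, alphabet, wordlist=(), max_len=4):
    """1-based number of guesses made before `target` is tried, or None if it
    is not reached within max_len characters."""
    for n, guess in enumerate(candidates(alphabet, wordlist, max_len), start=1):
        if guess == target:
            return n
    return None


def keyspace(alphabet_size, max_len):
    """Number of distinct strings of length 1..max_len over that alphabet."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))


def survives_lockout(target, alphabet, wordlist=(), max_len=4, lockout=5):
    """True if the account locks (after `lockout` failures, an assumed policy)
    before the cracker's guess order reaches `target`."""
    pos = guess_position(target, alphabet, wordlist, max_len)
    return pos is None or pos > lockout


LOWER = string.ascii_lowercase                                     # 26 symbols
FULL = string.ascii_letters + string.digits + string.punctuation   # 94 symbols
WORDLIST = ["password", "letmein", "qwerty"]                       # constructed


if __name__ == "__main__":
    # Dictionary words fall on the first guesses regardless of alphabet size.
    print("letmein:", guess_position("letmein", LOWER, WORDLIST))
    # 'aaa' is the first 3-character guess: after all 26 + 676 shorter strings.
    print("aaa:", guess_position("aaa", LOWER, max_len=3))
    print("b survives lockout?", survives_lockout("b", LOWER))
    print("aaa survives lockout?", survives_lockout("aaa", LOWER, max_len=3))
    # Why character classes matter: the space of 1..8-character passwords.
    print("lowercase, len<=8:", keyspace(26, 8))
    print("all printable, len<=8:", keyspace(94, 8))
    print("ratio:", keyspace(94, 8) // keyspace(26, 8))
```

The numbers make the two points concrete: anything in the attacker's wordlist is reached on the first few guesses, which is exactly the window a 5-try lockout leaves open, while moving from lowercase only to all 94 printable ASCII symbols multiplies the 8-character search space by roughly 28,000 (the ratio is dominated by (94/26)^8). Length compounds faster still, since the exponent is the password length, which is why the first answer's advice of long, generated, unique passwords wins over short complex ones.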