@Edent NIST guidelines (https://pages.nist.gov/800-63-3/sp800-63b.html#sec5) provide valuable information on best practices for password management and security. A memorised secret (password) should only be changed when it is no longer a secret. In this case, since WordPress.com is not verifier compromise-resistant, I would change my password. NOTE: WordPress is an open-source content management system (CMS), while WordPress.com is a managed service from Automattic. #infosec infosec NIST Special Publication 800-63B