You never know when somebody has access to your accounts. I learned the hard way that someone had access to my Facebook because they watched me type on the keyboard. Had I changed my password monthly, I would have kicked him out after 30 days. As it stand, that person had access to my account for at least a year if not more.
What the FTC link is advising against are corporate policies that require password rotation, because in practice it has been determined that this leads to users selecting even less secure passwords and/or writing down their passwords because they cannot remember them. If a user wants to voluntarily rotate their passwords, then that's in no way a problem as long as they aren't compromising password strength in the process.
You didn't have login alerts or approvals enabled? Those would've alerted you to the need for a password rotation instantly without needing to rotate complex passwords on a regular cadence.
If anything, I'd say your comment hardened my position against password rotation given how many mainstream sites with sensitive data expose extra security measures to their users. Take advantage of all of them!
You don't get login alerts if the person is using your wi-fi, a wi-fi where you once logged in (college, university, work...) or simply a computer you logged in one time (at that friend's place). That person could even disable them and you wouldn't be aware of it.
You can go on to facebook's privacy settings and disown previous logins. You are right that they don't let you manage it with enough specificity to prevent someone who's using the same IPV4 address and browser as you.
I'm running Chromium 54 on Arch Linux, which I am assuming is not affected, since that page only names version 53. Interestingly, there is no certificate problem on a Windows machine on the same network.
Stop saying that!
https://www.ftc.gov/news-events/blogs/techftc/2016/03/time-r...