A rebuttal is in order, because I've seen this argument before:
First: assuming a long, slow, undetected brute force is running, you have just as many chances at the beginning of helping the attacker by moving closer to their starting point as you do increasing the distance. It's the same whether you change it or not.
Second: a long, undetected brute force? Bull.
Third: decent passwords negate brute forces entirely. Trillions-of-years entirely. We've established that changing passwords when you have a horribly insecure system might minimally improve things, but we have not established that changing secure passwords in any way helps.
About 6 years ago this happened to us. A slow but persistent SSH brute force was targeting one of our servers. After we spotted it (it was an SSH brute force, and because it was slow we didn't detect it over the noise of general SSH scans on port 22), we switched to public key auth only on the server and installed fail2ban.
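A defender-side illustration of the detection problem this post describes, added here and not part of any commenter's post: a small Python scorer over constructed sshd log lines that separates burst sources (what a fail2ban-style rate limit bans) from low-and-slow ones that only stand out when attempts per source are counted over days rather than minutes. The IPs, hostname, year and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd log excerpt (syslog lines carry no year; 2024 is assumed).
# 203.0.113.9 models a noisy scanner, 198.51.100.7 a low-and-slow guesser.
SAMPLE_LOG = """\
Mar 01 02:11:05 web1 sshd[1201]: Failed password for invalid user admin from 203.0.113.9 port 50122 ssh2
Mar 01 02:11:06 web1 sshd[1203]: Failed password for invalid user test from 203.0.113.9 port 50123 ssh2
Mar 01 02:11:08 web1 sshd[1205]: Failed password for root from 203.0.113.9 port 50124 ssh2
Mar 01 03:40:10 web1 sshd[1310]: Failed password for root from 198.51.100.7 port 41000 ssh2
Mar 02 09:12:44 web1 sshd[2210]: Failed password for root from 198.51.100.7 port 41001 ssh2
Mar 03 18:05:02 web1 sshd[3305]: Failed password for root from 198.51.100.7 port 41002 ssh2
Mar 03 18:09:02 web1 sshd[3310]: Failed password for root from 198.51.100.50 port 41002 ssh2
"""

FAIL_RE = re.compile(r"^(\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
                     r"Failed password for (?:invalid user )?\S+ from (\S+) port")

def parse_failures(log_text, year=2024):
    """Map each source IP to the timestamps of its failed password attempts."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            failures[m.group(2)].append(ts)
    return failures

def max_in_window(times, window):
    """Largest number of attempts that fall inside any sliding time window."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def classify_sources(log_text, burst_threshold=3, burst_window=timedelta(minutes=10),
                     slow_min_attempts=3, slow_min_span=timedelta(days=1)):
    """'burst' is what a fail2ban-style rate limit bans; 'low-and-slow' is spread
    thin enough to hide in port-22 scan noise unless counted over a long window."""
    verdicts = {}
    for ip, times in parse_failures(log_text).items():
        if max_in_window(times, burst_window) >= burst_threshold:
            verdicts[ip] = "burst"
        elif len(times) >= slow_min_attempts and max(times) - min(times) >= slow_min_span:
            verdicts[ip] = "low-and-slow"
    return verdicts
```

Sources that trip neither rule (here 198.51.100.50, a single failure) are left unflagged, which is the point: one failure a day per source is invisible to a ten-minute ban window but visible once the per-source count is kept across days.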