wlesieutre
6 hours ago
Forcing periodic password changes has been against NIST recommendations since 2017.
[PDF] https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.S...
> Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator. (page 14)
What's new in 2024's draft is changing this from "SHOULD NOT" to "SHALL NOT".