Forcing people to change their passwords is officially a bad idea

44 points, posted 8 hours ago
by Brajeshwar

6 Comments

wlesieutre

6 hours ago

Forcing periodic password changes has been against NIST recommendations since 2017

[PDF] https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.S...

> Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator. (page 14)

What's new in 2024's draft is changing this from "SHOULD NOT" to "SHALL NOT".
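The two NIST sentences quoted above, written out as verifier logic. This is an added example, not code from the thread or from NIST; `Account`, `Policy`, `LEGACY`, `NIST_800_63B` and the `compromise_evidence` flag are assumed names, and the 90-day figure is a constructed stand-in for a typical rotation schedule.

```python
"""Password-expiry decisions aligned with NIST SP 800-63B section 5.1.1.2.

Two verifier policies are modelled (names are assumed for this example):
  LEGACY       - force a change every max_age_days (the practice under discussion)
  NIST_800_63B - never expire on age; force a change only on evidence of compromise
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


def day(iso_date: str) -> datetime:
    """Small helper so callers can use 'YYYY-MM-DD' strings."""
    return datetime.fromisoformat(iso_date)


@dataclass
class Account:
    user: str
    last_changed: datetime
    compromise_evidence: bool = False  # e.g. the credential was seen in a breach


@dataclass
class Policy:
    max_age_days: Optional[int]  # None means no arbitrary (periodic) expiry
    force_on_compromise: bool    # "SHALL force a change" under 800-63B


LEGACY = Policy(max_age_days=90, force_on_compromise=True)
NIST_800_63B = Policy(max_age_days=None, force_on_compromise=True)


def change_required(acct: Account, policy: Policy, now: datetime) -> Tuple[bool, str]:
    """Return (required, reason). Compromise evidence wins regardless of age."""
    if policy.force_on_compromise and acct.compromise_evidence:
        return True, "compromise"
    if policy.max_age_days is not None:
        if now - acct.last_changed > timedelta(days=policy.max_age_days):
            return True, "age"
    return False, ""


def audit_policy(policy: Policy, draft_2024: bool = True) -> List[str]:
    """Flag settings that conflict with 800-63B. The 2024 draft upgrades the
    periodic-expiry clause from SHOULD NOT to SHALL NOT."""
    findings = []
    if policy.max_age_days is not None:
        level = "SHALL NOT" if draft_2024 else "SHOULD NOT"
        findings.append(f"periodic expiry every {policy.max_age_days} days "
                        f"conflicts with '{level} require arbitrary change'")
    if not policy.force_on_compromise:
        findings.append("no forced change on compromise conflicts with 'SHALL force a change'")
    return findings
```

Running `audit_policy(LEGACY)` against the 2024 draft returns a SHALL NOT finding for the 90-day expiry, while `change_required` still forces a change on a compromised account under both policies.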

icedchai

35 minutes ago

I work with several organizations that force password changes. I add month/year of change to the "base" password every 2 to 3 months. It's a total waste of time.

Modified3019

an hour ago

Naturally, Windows 11 seems to sometimes auto-enable password expiration.

bitwize

5 hours ago

Not if you have security compliance rules you need to comply with in order to get customers, and those rules stipulate a password rotation schedule!

bulte-rs

an hour ago

Perhaps anecdotal, but I have never got any negative response on answering “no, we do not enforce password rotation as this is against NIST recommendations.”

suid

an hour ago

Unfortunately that's not how it plays out in most large organizations, which have separate network, hypervisor, security, etc., teams. Everyone works off a playbook, whose origins are usually lost in time and space.

If you want them to change the playbook, it'll involve some schlub having to run from pillar to post between those organizations, trying to get everyone to agree to a change to this policy, and you can bet he or she is not paid or motivated to do this. If another vendor comes along who will go with the flow, they get the sale.