[HN Gopher] Forcing people to change their passwords is official...
       ___________________________________________________________________
        
       Forcing people to change their passwords is officially a bad idea
        
       Author : Brajeshwar
       Score  : 43 points
       Date   : 2024-09-27 15:30 UTC (7 hours ago)
        
 (HTM) web link (www.newscientist.com)
        
       | wlesieutre wrote:
       | Forcing periodic password changes has been against NIST
       | recommendations since 2017
       | 
       | [PDF]
       | https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.S...
       | 
       |  _> Verifiers SHOULD NOT require memorized secrets to be changed
       | arbitrarily (e.g., periodically). However, verifiers SHALL force
       | a change if there is evidence of compromise of the
       | authenticator._ (page 14)
       | 
       | What's new in 2024's draft is changing this from "SHOULD NOT" to
       | "SHALL NOT".
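The two rules in that NIST passage, no arbitrary age-based expiry but a forced change on evidence of compromise, as an added Python example that is not from the thread or from NIST: the `Account` fields, the event types in the constructed event list and the evidence labels are all illustrative assumptions, not names from any standard or product.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Illustrative labels for "evidence of compromise" (assumed names, not from SP 800-63B).
BREACH_MATCH = "credential_seen_in_breach_corpus"
ANOMALOUS_LOGIN = "login_from_new_device_and_new_geo"
IR_FLAG = "incident_response_flagged_account"


@dataclass
class Account:
    username: str
    password_set_at: datetime
    evidence: set = field(default_factory=set)


def legacy_rotation_policy(acct: Account, now: datetime, max_age_days: int = 90) -> bool:
    """Pre-2017 style policy: force a change purely because the password is old."""
    return now - acct.password_set_at > timedelta(days=max_age_days)


def nist_800_63b_policy(acct: Account, now: datetime) -> bool:
    """SP 800-63B style policy: age alone never triggers a change;
    any recorded evidence of compromise does."""
    return bool(acct.evidence)


def collect_evidence(acct: Account, events: list) -> set:
    """Derive compromise evidence for one account from a list of security
    events (constructed dicts; the 'type' values are assumptions)."""
    found = set()
    for ev in events:
        if ev["user"] != acct.username:
            continue
        if ev["type"] == "breach_corpus_match":
            found.add(BREACH_MATCH)
        elif ev["type"] == "login_success" and ev.get("new_device") and ev.get("new_geo"):
            found.add(ANOMALOUS_LOGIN)
        elif ev["type"] == "ir_flag":
            found.add(IR_FLAG)
    return found


def decide(acct: Account, events: list, now: datetime) -> dict:
    """Return what each policy would do for this account, plus the evidence found."""
    acct.evidence |= collect_evidence(acct, events)
    return {
        "legacy_forces_change": legacy_rotation_policy(acct, now),
        "nist_forces_change": nist_800_63b_policy(acct, now),
        "evidence": sorted(acct.evidence),
    }


def demo() -> dict:
    """Constructed sample: an old but uncompromised password versus a fresh
    one that has since shown up in a breach corpus."""
    now = datetime(2024, 9, 27, tzinfo=timezone.utc)
    accounts = [
        Account("alice", now - timedelta(days=200)),  # old password, no evidence
        Account("bob", now - timedelta(days=10)),     # fresh password, compromised
    ]
    events = [  # constructed security events, not real logs
        {"type": "login_success", "user": "alice", "new_device": False, "new_geo": False},
        {"type": "breach_corpus_match", "user": "bob"},
        {"type": "login_success", "user": "bob", "new_device": True, "new_geo": True},
    ]
    return {a.username: decide(a, events, now) for a in accounts}


if __name__ == "__main__":
    for user, verdict in demo().items():
        print(user, verdict)
```

Under the legacy rule alice is forced to rotate a password nobody has stolen while bob keeps a credential that is already in a breach corpus; under the 800-63B rule the outcome is the reverse, which is the point the quoted guidance makes.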
        
       | bitwize wrote:
       | Not if you have security compliance rules you need to comply with
       | in order to get customers, and those rules stipulate a password
       | rotation schedule!
        
         | bulte-rs wrote:
         | Perhaps anecdotal, but I have never got any negative response
         | on answering "no, we do not enforce password rotation as this
         | is against NIST recommendations."
        
           | suid wrote:
           | Unfortunately that's not how it plays out in most large
           | organizations, which have separate network, hypervisor,
           | security, etc., teams. Everyone works off a playbook, whose
           | origins are usually lost in time and space.
           | 
           | If you want them to change the playbook, it'll involve some
           | schlub having to run from pillar to post between those
           | organizations, trying to get everyone to agree to a change to
           | this policy, and you can bet he or she is not paid or
           | motivated to do this. If another vendor comes along who will
           | go with the flow, they get the sale.
        
       | Modified3019 wrote:
       | Naturally, Windows 11 seems to sometimes auto enable password
       | expiration.
        
       | icedchai wrote:
       | I work with several organizations that force password changes. I
       | add month/year of change to the "base" password every 2 to 3
       | months. It's a total waste of time.
        
       ___________________________________________________________________
       (page generated 2024-09-27 23:02 UTC)