thaumasiotes 3 hours ago

>> Verifiers and CSPs SHALL NOT require subscribers to change passwords periodically. However, verifiers SHALL force a change if there is evidence that the authenticator has been compromised.

> though not strictly matching NIST, some ops find a "never require change" policy hard to swallow.

I think they're right about that. A scheduled change just represents the accumulating probability that there's been a compromise somewhere that didn't come to your attention.

It seems like it would make more sense for a scheduled change to affect all passwords at once, though.

GTP 3 hours ago

There has to be some balance though, as requiring change too frequently encourages the use of insecure but easy-to-remember passwords, or passwords that are very similar to the previous one, thus defeating the purpose of the change (e.g. a password containing the year, and the employee only changes the year every time). Best would be pushing for the use of a password manager or auth tokens like Yubikeys.
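The "only the year changed" failure mode above is one a verifier can actually catch at change time. The checker below is an added example, not code from the thread or from any NIST document: it treats a new password as a trivial edit of the old one if they differ only by a four-digit year, only by a trailing counter or symbol, or by at most two character edits. All names and the sample passwords are constructed for the example.

```python
"""Flag a new password that is only a trivial edit of the previous one.

Hypothetical checker (not from NIST SP 800-63B or the thread above). It
catches the "same password, bump the year" pattern, a bumped trailing
counter ('Winter!1' -> 'Winter!2'), and anything within a small edit
distance of the old password. All inputs are constructed examples.
"""
import re

# Four-digit years 1900-2099; good enough to spot the yearly bump pattern.
YEAR_RE = re.compile(r"(19|20)\d{2}")
# Trailing run of digits and common punctuation users append as a counter.
TRAILING_COUNTER_RE = re.compile(r"[\d!@#$%^&*.]+$")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def strip_year(pw: str) -> str:
    """Replace every four-digit year with a placeholder so that
    'summer2023' and 'summer2024' compare equal."""
    return YEAR_RE.sub("<YEAR>", pw)


def strip_trailing_counter(pw: str) -> str:
    """Drop a trailing counter/symbol run: 'winter!1' -> 'winter'."""
    return TRAILING_COUNTER_RE.sub("", pw)


def is_trivial_change(old: str, new: str, max_distance: int = 2) -> tuple[bool, str]:
    """Return (rejected, reason). Comparison is case-insensitive so that
    'secret' -> 'Secret' is also treated as unchanged."""
    o, n = old.lower(), new.lower()
    if o == n:
        return True, "unchanged"
    # Year bump: identical once years are masked, and the old one had a year.
    if strip_year(o) == strip_year(n) and o != strip_year(o):
        return True, "only the year changed"
    # Counter bump: identical once the trailing counter is removed.
    stem_old, stem_new = strip_trailing_counter(o), strip_trailing_counter(n)
    if stem_old and stem_old == stem_new:
        return True, "only a trailing counter/symbol changed"
    if levenshtein(o, n) <= max_distance:
        return True, f"within {max_distance} edits of previous password"
    return False, "ok"


if __name__ == "__main__":
    # Constructed sample change requests.
    for old, new in [("Summer2023", "Summer2024"),
                     ("Winter!1", "Winter!2"),
                     ("Blue Tulip 42", "Blue Tulips 42"),
                     ("correct horse battery", "staple battery horse")]:
        rejected, reason = is_trivial_change(old, new)
        print(f"{old!r} -> {new!r}: {'REJECT' if rejected else 'accept'} ({reason})")
```

This only works in a change flow where the user supplies the current password alongside the new one, because the comparison needs the old password in cleartext at that moment; it cannot be run against a stored hash. It complements, rather than replaces, the blocklist check against known-compromised passwords that SP 800-63B already requires.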

tracker1 2 hours ago

On changes, as I've mentioned in other threads, I don't think once a year is too bad... also, I'm an advocate of SSO as much as possible with a strong MFA (ideally push selection) option for work orgs. It reduces friction and can actually improve overall security if appropriately managed... that said, building internal apps that have appropriate application access is often harder still in these environments.