nvgrw 2 days ago
Every time I log into the FTB (CA tax authority) website I have to set a new password. I wish there were some affirmative guidance to stop doing this because at the moment governments still think forcing password changes makes it “safer”.
dragonwriter 2 days ago
> I wish there were some affirmative guidance to stop doing this because at the moment governments still think forcing password changes makes it “safer”.

NIST SP 800-63B-4 [0] seems to be pretty clear “affirmative guidance”, though it's only actually legally required in certain circumstances.

[0] https://pages.nist.gov/800-63-4/sp800-63b.html @ 3.1.1.2: “[...] Verifiers and CSPs SHALL NOT require subscribers to change passwords periodically. However, verifiers SHALL force a change if there is evidence that the authenticator has been compromised. [...]”