The people in charge of the internet are "cybersecurity" "professionals" who can't even follow NIST guidance.

Kaliboy 16 hours ago | parent | next [-]

It is with much hesitation that I write this, because I just implemented such a flow.

My reasoning was this: my customers keep forgetting their password and somehow that becomes a trigger to contact me. No passwords, no problem.

I tried convincing them to use password managers but that was pointless.

But I see the pain and frustration so I will add passwords. And I quite liked the passkey idea, have to see how that works. Not that my customers would ever use it, but I would. It literally never occured to me.

	▲	denkmoon 16 hours ago \| parent \| next [-]
		To be clear, no shade on actual devs faced with actual problems. My ire is reserved exclusively for the "we must do this because it is on the checklist, no I don't understand what a subnet is" people.
	▲	butvacuum 16 hours ago \| parent \| prev [-]
		Good to see my take verified. But, where does the buck stop? What if your phone relies on email, but your email needs your phone.

▲

technion 15 hours ago | parent | prev | next [-]

A lot of those same people seemed perfectly capable of insisting on 60 day password rotation back when they could use nist guidance as an authority to appeal to (for about five years after the recommendation changed too).

▲

readthenotes1 17 hours ago | parent | prev [-]

The "change your password every 6 months" guidance?

	▲	trumpdong 17 hours ago \| parent \| next [-]
		That was revoked some years ago.
	▲	denkmoon 16 hours ago \| parent \| prev [-]
		Specifically the revocation of such guidance. If the field gave even the slightest deference to empiricism we wouldn't be changing our password every 180 days, but here we are.