wlesieutre
Forcing periodic password changes has been against NIST recommendations since 2017

[PDF] https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.S...

> Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator. (page 14)

What's new in 2024's draft is changing this from "SHOULD NOT" to "SHALL NOT".
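The quoted NIST rule in verifier-side form (a change is forced only on evidence of compromise, never because the secret is old), which also answers the later question in this thread about how compromises and credential stuffing are handled without rotation. This is an added example, not code from NIST or from anyone in the thread: the leaked-password list, the account, and the `range_lookup` function are constructed stand-ins, the latter modelled on the k-anonymity prefix lookup that breached-password services expose.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Constructed stand-in for a breach corpus. A real verifier would query a
# breached-password service (range API) or a local copy of a dump.
_CONSTRUCTED_LEAKED = ["password123", "letmein", "Summer2024!"]


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the key format used by range-style breach lookups."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# prefix (5 hex chars) -> {suffix (35 hex chars): times seen in breaches}
_CORPUS: dict = {}
for _leaked in _CONSTRUCTED_LEAKED:
    _digest = sha1_hex(_leaked)
    _CORPUS.setdefault(_digest[:5], {})[_digest[5:]] = 1


def range_lookup(prefix: str) -> dict:
    """Simulated range endpoint: only the 5-char hash prefix ever leaves the verifier."""
    return _CORPUS.get(prefix.upper(), {})


def breach_count(password: str) -> int:
    """How many times this exact secret appears in the (constructed) corpus."""
    digest = sha1_hex(password)
    return range_lookup(digest[:5]).get(digest[5:], 0)


@dataclass
class Account:
    username: str
    password_set_at: datetime
    # External evidence: credential-stuffing alert, breach notification, etc.
    compromise_evidence: list = field(default_factory=list)


def record_compromise(account: Account, reason: str) -> None:
    """Attach evidence of compromise; the next login will force a change."""
    account.compromise_evidence.append(reason)


def change_required(account: Account, presented_password: str,
                    now: Optional[datetime] = None) -> tuple:
    """Decide at authentication time whether a password change must be forced.

    Secret age is deliberately never a reason (SP 800-63B: no arbitrary or
    periodic change); any evidence of compromise always is.
    """
    now = now or datetime.now(timezone.utc)
    if account.compromise_evidence:
        return True, "compromise evidence: " + "; ".join(account.compromise_evidence)
    hits = breach_count(presented_password)
    if hits:
        return True, f"password appears in breach corpus ({hits} occurrence(s))"
    age = now - account.password_set_at
    # Even a very old secret is left alone absent evidence of compromise.
    return False, f"no evidence of compromise (secret age {age.days} days)"


def complete_change(account: Account, new_password: str,
                    now: Optional[datetime] = None) -> bool:
    """Apply a change; SP 800-63B also requires screening new secrets, so a
    replacement already in the breach corpus is rejected."""
    if breach_count(new_password):
        return False
    account.password_set_at = now or datetime.now(timezone.utc)
    account.compromise_evidence.clear()
    return True


def run_scenario() -> list:
    """Walk one constructed account through the policy; returns each decision."""
    old = datetime(2021, 1, 1, tzinfo=timezone.utc)
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    acct = Account("alice", password_set_at=old)
    good = "correct horse battery staple"
    decisions = []
    decisions.append(change_required(acct, good, now)[0])           # False: old, no evidence
    decisions.append(change_required(acct, "password123", now)[0])  # True: in breach corpus
    record_compromise(acct, "credential-stuffing alert (constructed)")
    decisions.append(change_required(acct, good, now)[0])           # True: external evidence
    decisions.append(complete_change(acct, "letmein", now))         # False: breached replacement
    decisions.append(complete_change(acct, "a long unique passphrase 9x", now))  # True
    decisions.append(change_required(acct, "a long unique passphrase 9x", now)[0])  # False: cleared
    return decisions


if __name__ == "__main__":
    for step, decision in enumerate(run_scenario(), 1):
        print(f"step {step}: change required = {decision}")
```

The scenario's third step is the one periodic rotation cannot give you: a secret that is fine by every static measure still gets forced out the moment an external signal (here a constructed credential-stuffing alert) is attached to the account, while the three-year-old secret in step one is left alone.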

navjack27
The most annoying thing in the past years has been some of my government assistance accounts and other things that have limited character set definitions and forced rotation. Even though I use a password manager that's local on my computer for this stuff, it's still utterly frustrating because of the way they handle it. I've had to call up and reset passwords because of something in the middle of the rotation, or before the rotation even began, and I ignored the password change for long enough that the account was just unusable.

Do you see how what I end up having to do absolutely circumvents the security of rotating a password?

icedchai
I work with several organizations that force password changes. I add month/year of change to the "base" password every 2 to 3 months. It's a total waste of time.

fire_lake
If password rotation is a bad idea, how do you deal with password compromises and credential stuffing attacks? Passwords tend to leak eventually.

Modified3019
Naturally, Windows 11 seems to sometimes auto-enable password expiration.

bitwize
Not if you have security compliance rules you need to comply with in order to get customers, and those rules stipulate a password rotation schedule!