SysAdmin1138 is a user on octodon.social. You can follow them or interact with them if you have an account anywhere in the fediverse.
If you don't, you can sign up here.
US NIST SP-800-63B is FINAL. It includes this gem IN THE STANDARD:
Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different
character types or prohibiting consecutively repeated characters) for memorized secrets.
Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically).
However, verifiers SHALL force a change if there is evidence of compromise of the
authenticator
@sysadmin1138 Finally, not that that will have a huge impact on websites for a long time.
@turi But now we have a thick wodge of paper to use to lobby for internal change!
@sysadmin1138 That will definitely help with websites big enough to have management :)
This does indeed say that forced password rotations are a bad idea and you shouldn't do them. It also says password composition rules are a bad idea, and you shouldn't use them.
Elsewhere they go into the reasoning on that. See Appendix A for the details of why the think this. User-factors!