SysAdmin1138 is a user on octodon.social.

US NIST SP-800-63B is FINAL. It includes this gem IN THE STANDARD:

Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets.

Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.


SysAdmin1138 @sysadmin1138

This does indeed say that forced password rotations are a bad idea and you shouldn't do them. It also says password composition rules are a bad idea, and you shouldn't use them.

Elsewhere they go into the reasoning on that. See Appendix A for the details of why they think this. User-factors!

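To make the quoted guidance concrete, here is an added example (not code from the post, from SysAdmin1138, or from NIST) that puts a legacy verifier policy (composition rules plus a 90-day expiry) beside one that follows the quoted SP 800-63B text (no composition rules, no periodic rotation, forced change only on evidence of compromise). The names Policy, Account, validate_new_secret and change_required are assumptions for this example. The minimum length of 8 and the check against a list of commonly used or compromised values come from the same section of SP 800-63B (5.1.1.2) that the post quotes from; the blocklist contents below are constructed sample data, not a real breach corpus.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Constructed sample standing in for a real "commonly-used, expected, or
# compromised" list. A production verifier would use a breach corpus.
BREACHED_SAMPLE = {"password", "123456", "qwerty", "letmein", "tr0ub4dor&3"}


@dataclass
class Policy:
    min_length: int = 8
    composition_rules: bool = False      # require character classes / ban repeats
    use_blocklist: bool = True           # compare against breached/common list
    max_age: Optional[timedelta] = None  # None means no periodic rotation


# Hypothetical "what many sites do" policy: complexity rules and forced rotation.
LEGACY_POLICY = Policy(min_length=8, composition_rules=True,
                       use_blocklist=False, max_age=timedelta(days=90))

# Policy following the quoted SP 800-63B text: no composition rules, no expiry.
NIST_63B_POLICY = Policy(min_length=8, composition_rules=False,
                         use_blocklist=True, max_age=None)


@dataclass
class Account:
    username: str
    secret_set_at: datetime
    compromise_evidence: bool = False  # set when a leak/breach of this secret is detected


def composition_ok(secret: str) -> bool:
    """Typical legacy rule: at least 3 of 4 character classes and no
    consecutively repeated characters (exactly what 800-63B says not to require)."""
    classes = (
        any(c.islower() for c in secret),
        any(c.isupper() for c in secret),
        any(c.isdigit() for c in secret),
        any(not c.isalnum() for c in secret),
    )
    repeated = any(a == b for a, b in zip(secret, secret[1:]))
    return sum(classes) >= 3 and not repeated


def validate_new_secret(secret: str, policy: Policy,
                        blocklist=BREACHED_SAMPLE) -> List[str]:
    """Return the list of reasons a proposed secret is rejected; empty means accepted."""
    reasons = []
    if len(secret) < policy.min_length:
        reasons.append("too short")
    if policy.use_blocklist and secret.lower() in blocklist:
        reasons.append("on blocklist")
    if policy.composition_rules and not composition_ok(secret):
        reasons.append("fails composition rules")
    return reasons


def change_required(account: Account, policy: Policy, now: datetime) -> Optional[str]:
    """Return why the verifier must force a change, or None if it must not.
    Evidence of compromise is a SHALL in both policies; age is only a trigger
    in the legacy policy."""
    if account.compromise_evidence:
        return "compromise"
    if policy.max_age is not None and now - account.secret_set_at > policy.max_age:
        return "max_age"
    return None


if __name__ == "__main__":
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    stale = Account("alice", now - timedelta(days=120))
    leaked = Account("bob", now - timedelta(days=5), compromise_evidence=True)
    for name, pol in (("legacy", LEGACY_POLICY), ("nist", NIST_63B_POLICY)):
        print(name, validate_new_secret("correct horse battery staple", pol),
              validate_new_secret("Tr0ub4dor&3", pol),
              change_required(stale, pol, now), change_required(leaked, pol, now))
```

The contrast is the point of the post: the legacy policy rejects the long passphrase (only two character classes, and "tt" is a consecutive repeat) while accepting the short, widely published "Tr0ub4dor&3", and it forces alice to rotate a secret nobody has stolen. The 800-63B-style policy does the reverse, and still forces bob to change the secret that shows evidence of compromise.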