Current best practice in cybersecurity is to not arbitrarily ask users to change passwords every x days, so any site doing this are following old guidelines.
Yes, because among other things this annoys users into just writing down their password on a Post-It and sticking it to the bottom of their keyboard or monitor ripe for any passerby to take.
I have explained this to various management types repeatedly over the decades and nobody seems to get it.
The folks at NIST know what they’re talking about. The US government directed them to develop security policy for government information systems in 2002 (FISMA) - they’ve been thinking about how to do this properly for 24 years.
If you happen to work for a US government agency of any kind, you can basically tell your boss “NIST guidance says we should do X” and compliance is technically required by law (within the context of security policies that apply to your agency’s work area). If you work for a company that does business with the US government, there are similar compliance policies also published by NIST that you should be following (and your company could lose its contracts if it is not compliant).
Fuck the cyber idiots and their “change password” requirements.
Current best practice in cybersecurity is to not arbitrarily ask users to change passwords every x days, so any site doing this are following old guidelines.
Yes, because among other things this annoys users into just writing down their password on a Post-It and sticking it to the bottom of their keyboard or monitor ripe for any passerby to take.
I have explained this to various management types repeatedly over the decades and nobody seems to get it.
I’ve had success directing people to the NIST password policy guidance.
Wow it’s almost as though somebody in there reads xkcd and knows about correct horse battery staple!
The folks at NIST know what they’re talking about. The US government directed them to develop security policy for government information systems in 2002 (FISMA) - they’ve been thinking about how to do this properly for 24 years.
If you happen to work for a US government agency of any kind, you can basically tell your boss “NIST guidance says we should do X” and compliance is technically required by law (within the context of security policies that apply to your agency’s work area). If you work for a company that does business with the US government, there are similar compliance policies also published by NIST that you should be following (and your company could lose its contracts if it is not compliant).
Static password with good 2FA is the way to go.
I ran into some app a while back that required 2fa “text you a code” to log in every time.
If you put in the wrong password, it still sent you the 2fa… Which it would accept for login.
I’m honestly not sure if it ever even checked the password.
I’ve seen an increase of sites that bypass passwords altogether and rely on 2fa (claude.ai was one I noticed the otherday)
That’s… not 2FA anymore. It’s reverted to 1FA, now with sprinkles on it.