Periodic reminder that NIST does not approve of expiring passwords.
https://pages.nist.gov/800-63-3/sp800-63b.html#memsecretver
> Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.
@dreid I’m involved in a project with various TLA (three-letter-agencies) and I was surprised to see that their requirements involved an option for forcing password expiration.
At first I thought that they were just stupid, but it was because inherent to the project design is reliance on a shared password concept (it is, unfortunately, necessary to a part of the design).
Password expiration DOES make sense in that SINGLE case, because there is no way to revoke passwords when someone resigns.
@gregvr You should rotate the password when they leave, not N days after they leave.
@dreid absolutely, but it assumes a level of operational competence…. :)