
dreid

Periodic reminder that NIST does not approve of expiring passwords.

pages.nist.gov/800-63-3/sp800-

> Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.

pages.nist.gov: NIST Special Publication 800-63B

@dreid I’m involved in a project with various TLAs (three-letter agencies) and I was surprised to see that their requirements involved an option for forcing password expiration.

At first I thought that they were just stupid, but it was because inherent to the project design is reliance on a shared password concept (it is, unfortunately, necessary for part of the design).

Password expiration DOES make sense in that SINGLE case, because there is no way to revoke passwords when someone resigns.

@gregvr You should rotate the password when they leave, not N days after they leave.

@dreid absolutely, but it assumes a level of operational competence… :)