Password Expiration

For anyone who follows infosec news, or even just general tech news, NIST has made a landmark change to its password guidelines:

Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.

The change came last month, with NIST Special Publication 800-63B. To clarify, NIST cannot enforce these standards on the private sector. However, businesses generally adopt the NIST standards anyway as a best practice, a decision with which I personally don't find any fault.

But a consequence of this has been the eternal password debate. I jested at the very-popular entropy argument and offered my own thoughts on the matter, specifically that the mathematical models change depending on how one views a password's derived length. And while this argument still continues, at least now we can finally acknowledge that once a "good" password has been created, the human elements create enough points of failure to negate any advantages of regular password changes.
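As an added illustration (not from the original post), here is a small Python model of both rules side by side: the legacy 90-day expiry, and the 800-63B rule where a change is forced only on evidence of compromise, taken here from an incident-response flag or a breach-corpus lookup done in the k-anonymity range-query shape. The breach corpus, the accounts and the dates are constructed for the example.

```python
import hashlib
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed breach corpus (stand-in for a real breached-password feed):
# upper-case hex SHA-1 digests of a few widely leaked passwords.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("password", "123456", "qwerty", "letmein")
}

def range_lookup(prefix):
    """Corpus digest suffixes sharing a 5-hex-char prefix: the k-anonymity
    'range' query shape, so the verifier never hands the full digest of the
    candidate password to the corpus service."""
    return {h[5:] for h in BREACHED_SHA1 if h.startswith(prefix)}

def is_compromised(password):
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[5:] in range_lookup(digest[:5])

@dataclass
class Account:
    last_changed: date                 # when the current password was set
    compromise_evidence: bool = False  # raised by IR, e.g. after a breach notice

def legacy_needs_change(acct, today, max_age_days=90):
    """Pre-800-63B rule: force a change purely because the password is old."""
    return (today - acct.last_changed) > timedelta(days=max_age_days)

def nist_needs_change(acct, submitted_password):
    """800-63B rule: no arbitrary expiry; force a change only on evidence of
    compromise, here an IR flag or a breach-corpus hit checked at login."""
    return acct.compromise_evidence or is_compromised(submitted_password)

# Constructed clock and sample accounts for the demonstration.
TODAY = date(2017, 7, 1)
STALE_BUT_FINE = Account(last_changed=date(2017, 3, 1))
FRESH_BUT_LEAKED = Account(last_changed=TODAY)
FLAGGED_BY_IR = Account(last_changed=TODAY, compromise_evidence=True)

if __name__ == "__main__":
    for name, acct, pw in (("stale", STALE_BUT_FINE, "correct horse battery staple"),
                           ("leaked", FRESH_BUT_LEAKED, "password"),
                           ("flagged", FLAGGED_BY_IR, "correct horse battery staple")):
        print(name, "legacy:", legacy_needs_change(acct, TODAY),
              "nist:", nist_needs_change(acct, pw))
```

Note that the two rules disagree on both sample accounts: the old-but-uncompromised password is forced to rotate only under the legacy rule, while the fresh-but-leaked one is caught only under the 800-63B rule.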

I therefore beseech you, my employer: can we now please stop with the mandatory 90-day password changes?

–Simon