For anyone who follows infosec news, or even just basic tech news, NIST has made a landmark change to its password guidelines:
Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.
The change came last month, with NIST Special Publication 800-63B. Now, to clarify, NIST cannot enforce these standards on the private sector. However, as a general best practice, businesses incorporate the NIST standards anyway, a decision with which I personally don’t find any fault.
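To make the quoted rule concrete, here is an added example (my own illustration, not code from the post or from NIST) of what a verifier-side policy check looks like under SP 800-63B: password age alone never forces a change, while evidence of compromise always does. The compromised-hash set, the account records and the dates are constructed sample data, and the names COMPROMISED_HASHES, Policy, Account and change_required are my own.

```python
# Added example, not code from the post or from NIST: a verifier-side
# password-change policy following the SP 800-63B rule. No change is
# required because of age alone; a change is forced only when there is
# evidence the memorized secret was compromised.
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Constructed sample "evidence of compromise": SHA-256 of secrets that a
# hypothetical breach corpus is known to contain. A real deployment would
# consult a far larger list; these three values are made up for the demo.
COMPROMISED_HASHES = {
    hashlib.sha256(p.encode()).hexdigest()
    for p in ("Password123!", "Summer2017", "correcthorsebatterystaple")
}


@dataclass
class Policy:
    # None means "no arbitrary expiry", which is the SP 800-63B position.
    max_age_days: Optional[int] = None


@dataclass
class Account:
    username: str
    secret_hash: str             # hash of the current memorized secret
    changed_at: datetime         # when the secret was last set
    incident_flag: bool = False  # security team recorded a compromise


LEGACY_90_DAY = Policy(max_age_days=90)   # the policy the post argues against
NIST_800_63B = Policy(max_age_days=None)  # the new guidance


def change_required(account: Account, policy: Policy, now: datetime) -> Tuple[bool, str]:
    """Return (must_change, reason). Compromise evidence always wins;
    age only matters if the policy still imposes an arbitrary expiry."""
    if account.incident_flag:
        return True, "compromise: incident recorded for this account"
    if account.secret_hash in COMPROMISED_HASHES:
        return True, "compromise: secret appears in a known-breached set"
    if policy.max_age_days is not None:
        if now - account.changed_at > timedelta(days=policy.max_age_days):
            return True, f"expired: older than {policy.max_age_days} days"
    return False, "no change required"


def make_account(username: str, secret: str, days_old: int,
                 now: datetime, incident: bool = False) -> Account:
    """Build a constructed sample account whose secret was set days_old ago."""
    digest = hashlib.sha256(secret.encode()).hexdigest()
    return Account(username, digest, now - timedelta(days=days_old), incident)


def demo(now: Optional[datetime] = None) -> dict:
    """Evaluate three constructed accounts under both policies."""
    now = now or datetime(2017, 7, 1, tzinfo=timezone.utc)  # constructed date
    old_good = make_account("alice", "A-long-unique-phrase-9x", 400, now)
    fresh_bad = make_account("bob", "Summer2017", 3, now)
    flagged = make_account("carol", "another-unique-phrase", 10, now, incident=True)
    return {
        ("alice", "legacy"): change_required(old_good, LEGACY_90_DAY, now)[0],
        ("alice", "nist"): change_required(old_good, NIST_800_63B, now)[0],
        ("bob", "nist"): change_required(fresh_bad, NIST_800_63B, now)[0],
        ("carol", "nist"): change_required(flagged, NIST_800_63B, now)[0],
    }


if __name__ == "__main__":
    for (user, policy), must in demo().items():
        print(f"{user:6} under {policy:6}: change required = {must}")
```

Under the legacy policy alice's 400-day-old password is rejected on age alone; under the SP 800-63B policy it stands, while bob's three-day-old password (present in the constructed breached set) and carol's account (flagged after an incident) are both forced to change. That is the whole of the new rule: the trigger is evidence, not the calendar.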
But a consequence of this has been the eternal password debate. I jested at the very popular entropy argument and offered my own thoughts on the matter, specifically that the mathematical models change depending on how one views a password’s derived length. And while this argument still continues, at least now we can finally acknowledge that once a “good” password has been created, the human elements create enough points of failure to negate any advantage of regular password changes.
I therefore beseech you, my employer: can we now please stop with the mandatory 90-day password changes?
–Simon