• bandwidthcrisis@lemmy.world · 5 points · 4 days ago

    if an organization is following the latest NIST guidance, you’re not changing your password on a regular cadence anymore.

    Lol.

    • sylver_dragon@lemmy.world · 2 points · 4 days ago

      Sadly, yes, a lot of organizations didn't get the memo. But this really is the current guidance. In NIST 800-63B Section 5.1.1.2:

      Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.
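The practical difference between the quoted 800-63B rule and a legacy "rotate every 90 days" policy is easy to see on a small population of accounts. The following is an added example, not code from the thread or from NIST: it runs both rules over a constructed set of accounts and reports where they disagree. What counts as "evidence of compromise" (here: a breach-corpus match or an impossible-travel alert attached to the account) is an assumption of the example; the quoted passage leaves that to the verifier.

```python
"""Compare a legacy age-based password rotation rule with the NIST
800-63B 5.1.1.2 rule quoted above: force a memorized-secret change only
on evidence of compromise, never merely because the secret is N days old.
Added example; all accounts and events below are constructed."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

# Fixed reference date so the run is deterministic (constructed value).
TODAY = date(2024, 6, 1)


@dataclass
class Account:
    name: str
    last_changed: date
    # Compromise evidence attached to this account (e.g. an IR finding or a
    # breach-corpus match). Treating these as "evidence of compromise" is an
    # assumption of this example, not something the quoted guidance defines.
    compromise_events: list[str] = field(default_factory=list)


# Constructed sample population, not real users.
SAMPLE_ACCOUNTS = [
    Account("alice", TODAY - timedelta(days=200)),
    Account("bob", TODAY - timedelta(days=10), ["hash matched public breach corpus"]),
    Account("carol", TODAY - timedelta(days=120), ["impossible-travel login alert"]),
    Account("dave", TODAY - timedelta(days=30)),
]


def legacy_rotation_required(acct: Account, today: date = TODAY, max_age_days: int = 90) -> bool:
    """Legacy rule: a change is forced whenever the secret is older than max_age_days."""
    return (today - acct.last_changed).days > max_age_days


def nist_change_required(acct: Account) -> bool:
    """800-63B 5.1.1.2 rule: a change is forced only on evidence of compromise.
    Secret age alone never triggers a change."""
    return bool(acct.compromise_events)


def forced_changes(accounts: list[Account], rule) -> list[str]:
    """Names of accounts the given rule would force to change, sorted."""
    return sorted(a.name for a in accounts if rule(a))


def legacy_report(accounts: list[Account] = SAMPLE_ACCOUNTS) -> list[str]:
    return forced_changes(accounts, legacy_rotation_required)


def nist_report(accounts: list[Account] = SAMPLE_ACCOUNTS) -> list[str]:
    return forced_changes(accounts, nist_change_required)


def policy_gap(accounts: list[Account] = SAMPLE_ACCOUNTS) -> dict[str, list[str]]:
    """Where the two rules disagree: compromised-but-fresh secrets the age rule
    leaves alone, and stale-but-uncompromised secrets it churns for no reason."""
    legacy, nist = set(legacy_report(accounts)), set(nist_report(accounts))
    return {
        "missed_by_legacy": sorted(nist - legacy),
        "needless_churn": sorted(legacy - nist),
    }


if __name__ == "__main__":
    print("legacy 90-day rule forces:", legacy_report())
    print("NIST compromise rule forces:", nist_report())
    print("gap:", policy_gap())
```

On this population the age-based rule forces alice and carol, while the compromise-based rule forces bob and carol: bob's ten-day-old secret is already in a breach corpus and the 90-day rule would not touch it until months later, and alice is made to rotate a secret nobody has any reason to think is compromised. That pair of outcomes is the argument behind the "SHOULD NOT ... periodically" wording.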