by user5994461 3474 days ago
> The rationale was that if password hashes got compromised, the attacker would only have until the next forced rotation to crack the passwords and take over accounts.

In all fairness, it's a fair assumption. There is an attack vector where one gets an old password from 8 years ago by whatever means... and it is still valid.

The execution was terrible though. People started forcing password change every month [which is overkill to stop an attack that has a multi year timespan] and it created a whole new set of disasters.