by vegetablepotpie 1091 days ago
Many organizations go with B already, usually with some arbitrary password update period, with more sensitive information requiring shorter periods.

The user response is to choose a new password that is similar to the previous password to avoid losing access due to forgetting. This means that an attacker's best way to find the user's current password is to know their old password. NIST has recognized this, and advises against these policies: “Reset—Required only if the password is compromised or forgotten.” [1].

Best mitigation I see for systems that exclusively take password input is to use a user pin plus a PKI card or RSA key.

[1] https://www.isaca.org/resources/isaca-journal/issues/2019/vo...