[mjevans]

The company I _used_ to work at, I implemented exactly that policy and only required rotation after a password reset (like initial account assignment), and should it have ever happened, after any sign of account or credential breach.

I was so happy when NIST finally recognized that people aren't machines and can't perfectly remember a new strong password with high frequency.

[robertlagrant]

Yes, that is nice. Sadly some people will say things like "HIPAA compliance requires password rotation", which is I'm pretty sure wrong, but it happens. Still, we're pushing the above NIST line as we're really keen on improving actual security, and it's nice that it has the force of NIST behind it now.

[InitialBP]

Glad to hear you guys are making progress. Password rotation is definitely more of a hindrance than a help and is a big reason that you end up with Spring2025! style passwords for sure.

I think the industry is realizing that less is more when it comes to passwords and we're starting to see far more adoption of password managers and a bigger focus on getting SAML/SSO login options for SaaS tools, even if they are often gated behind paywalls or "enterprise" plan options.

Now that I'm in a more "defensive" position my primary focus on the credential front has been pushing password manager adoption across the org and looking for good opportunities to showcase that password managers are both significantly faster and easier to use if people are willing to change their workflow.

[icameron]

LOL Spring2025! is basically my password for an agency that requires rotation every 42 days and doesn't allow any repeats of the last 24 password. Further irony is the pattern of SeasonYear! is something that I only started doing when IT had to reset my password and they used that pattern. (when the account automatically locked out because I didn't update before their 42 days)... I am completely convinced that mandatory password rotation is counter productive

[rwmj]

The company my wife uses for annual PCI-DSS recertification (a computer security / CC handling certification) requires that the password be changed every year. So that's once per login.