by kstrauser 46 days ago
Ah-yup. The equivalent in my world is contracts that insist we make our employees rotate their passwords every 2 months or whatever, which was a popular (but still dumb) idea 20 years ago and is strongly recommended against today.

Yep. I get real tired of adding a month and year to the same base password every time I need to rotate it.
On week one of my current job, I turned that off for the whole company. Here's the citation you can give your security department to show them why they're doing it wrong.

NIST Special Publication 800-63B, the July 2025 version, section 3.1.1.2, says:

"Verifiers and CSPs SHALL NOT require subscribers to change passwords periodically. However, verifiers SHALL force a change if there is evidence that the authenticator has been compromised."

The previous version from June 2017, section 5.1.1.2, says:

"Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator."

So 9 years ago, NIST said to stop requiring that. Last year, they clarified that to say, no, really, freaking stop it. Any company still making people do that today is 9 years out of date, and 1 year out of compliance.
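As an added example (not the commenter's code, and not from NIST), here is the two policies side by side in Python: the legacy age-based expiry the thread argues against, and a check in the spirit of SP 800-63B 3.1.1.2 that forces a change only on evidence of compromise. The event names, the 60-day threshold and the sample accounts are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Event kinds treated as "evidence that the authenticator has been compromised".
# These names are assumptions for this example, not taken from the standard.
COMPROMISE_EVENTS = frozenset(
    {"credential_in_breach_dump", "confirmed_phishing", "secret_leaked_in_repo"}
)


def utc(year: int, month: int, day: int) -> datetime:
    """Helper so sample timestamps are timezone-aware and comparable."""
    return datetime(year, month, day, tzinfo=timezone.utc)


@dataclass
class Account:
    username: str
    password_set_at: datetime
    # (timestamp, event_kind) pairs recorded by monitoring; constructed sample data.
    events: list[tuple[datetime, str]] = field(default_factory=list)


def legacy_change_required(acct: Account, now: datetime, max_age_days: int = 60) -> bool:
    """The rotation rule the thread argues against: expire purely on password age."""
    return now - acct.password_set_at >= timedelta(days=max_age_days)


def nist_change_required(acct: Account) -> bool:
    """No expiry on age alone; force a change only when compromise evidence exists
    and postdates the current password (evidence older than the password was
    already answered by the reset that produced this password)."""
    return any(
        kind in COMPROMISE_EVENTS and ts >= acct.password_set_at
        for ts, kind in acct.events
    )


if __name__ == "__main__":
    now = utc(2026, 3, 1)
    alice = Account("alice", utc(2025, 1, 1))  # old password, no evidence of compromise
    bob = Account("bob", utc(2026, 2, 1), [(utc(2026, 2, 15), "credential_in_breach_dump")])
    for acct in (alice, bob):
        print(acct.username, "legacy:", legacy_change_required(acct, now),
              "nist:", nist_change_required(acct))
```

Run as-is to see that the legacy rule flags the untouched old password while ignoring the freshly breached one, and the NIST-style rule does the opposite.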