On week one of my current job, I turned that off for the whole company. Here's the citation you can give your security department to show them why they're doing it wrong. NIST Special Publication 800-63B, the July 2025 version, section 3.1.1.2, says: "Verifiers and CSPs SHALL NOT require subscribers to change passwords periodically. However, verifiers SHALL force a change if there is evidence that the authenticator has been compromised." The previous version from June 2017, section 5.1.1.2, says: "Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator." So 9 years ago, NIST said to stop requiring that. Last year, they clarified that to say, no, really, freaking stop it. Any company still making people do that today is 9 years out of date, and 1 year out of compliance.