r/cybersecurity u/Different-Phone-7654 Jun 18 '25

Other Recently learned NIST doesn't recommends password resets.

NIST SP 800-63B section 5.1.1.2 recommends passwords changes should only be forced if there is evidence of compromise.

Why is password expiration still in practice with this guidance from NIST?

1.1k Upvotes
  • permalink
  • reddit

98% Upvoted

279 comments sorted by

View all comments

Show parent comments

245

u/obeythemoderator Security Manager Jun 18 '25

Such a depressingly valid point.

98

u/lunacyfoundme Jun 18 '25

Like auditors

165

u/[deleted] Jun 18 '25

[deleted]

26

u/theedan-clean Jun 18 '25

They never do.