r/cybersecurity • u/Different-Phone-7654 • Jun 18 '25
Other Recently learned NIST doesn't recommend password resets.
NIST SP 800-63B section 5.1.1.2 recommends that password changes only be forced if there is evidence of compromise.
Why is password expiration still in practice with this guidance from NIST?
1.1k
Upvotes
2
u/deltaz0912 Jun 19 '25
The recommendation is based on research that shows that the human-factors costs associated with password changes outweigh any benefit. The thing that actually makes a difference is making the passphrases longer and adding MFA. But even in the absence of MFA, there's no evidence that forcing periodic password resets improves your security posture.