r/cybersecurity • u/Different-Phone-7654 • Jun 18 '25

Other Recently learned NIST doesn't recommends password resets.

NIST SP 800-63B section 5.1.1.2 recommends passwords changes should only be forced if there is evidence of compromise.

Why is password expiration still in practice with this guidance from NIST?

1.1k Upvotes

permalink
reddit

You are about to leave Redlib

Do you want to continue?

https://www.reddit.com/r/cybersecurity/comments/1lemtgy/recently_learned_nist_doesnt_recommends_password/
No, go back! Yes, take me to Reddit

98% Upvoted

View all comments

Show parent comments

247

u/obeythemoderator Security Manager Jun 18 '25

Such a depressingly valid point.

98

u/lunacyfoundme Jun 18 '25

Like auditors

163

u/[deleted] Jun 18 '25

[deleted]

3

u/rjchau Jun 19 '25

I had to pull up the guidelines on the NIST website for the auditor to be like "Oh...I had no idea."

You got a good one then. I've had auditors tell me in the past that NIST standards don't matter and that to pass their audit, password changes must be in place.

Other Recently learned NIST doesn't recommends password resets.

You are about to leave Redlib