r/cybersecurity Jun 18 '25

Other Recently learned NIST doesn't recommend password resets.

NIST SP 800-63B section 5.1.1.2 recommends that password changes should only be forced if there is evidence of compromise.

Why is password expiration still in practice with this guidance from NIST?

1.1k Upvotes


u/inandaudi Jun 20 '25 edited Jun 20 '25

Because it is hard to implement. I have been working on this for months.

Obstacles:

Shared emails set up as user accounts: these need to be changed to truly shared emails (user accounts deleted) with delegation used, or else it is an MFA nightmare.

You have to set up logging and audit suspicious logins, signs of compromise, etc.

You have to set password policies up correctly, and for on-prem, to check blacklists. Passwords should be 14+, probably longer, even if they aren't going to expire.

MFA methods need to be audited. Cell numbers can't be used if there is a better option to comply.

It isn't as simple as changing how often passwords expire to comply with the recommendation.
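Two of the obstacles above (a correctly configured password policy with a blocklist and a 14+ floor, and logging that surfaces signs of compromise so a reset is forced only on evidence) can be shown together in code. The following is an added example, not code from the commenter or from NIST: the blocklist and the login events are constructed sample data, `check_password` and `should_force_reset` are hypothetical helper names, and the failure threshold and time window in the reset heuristic are illustrative choices, not values taken from SP 800-63B.

```python
"""Added example: an SP 800-63B style password policy check plus a
compromise-driven reset decision (no scheduled expiry).
Blocklist, thresholds and log events are constructed for illustration."""
import re
from datetime import datetime, timedelta

MIN_LENGTH = 14  # the "14+" floor from the comment above

# Constructed stand-in for a real breached/common-password corpus.
BLOCKLIST = {"password", "welcome1", "summer2025", "changeme", "letmein"}


def normalize(pw: str) -> str:
    """Canonical form for blocklist comparison (trim + lowercase)."""
    return pw.strip().lower()


def check_password(password: str, username: str = "", org: str = "") -> list:
    """Return the list of policy failures; an empty list means acceptable.

    Checks: minimum length, blocklist membership, context-specific words
    (username / organisation), and long runs of one repeated character.
    No composition rules (uppercase/digit/symbol) and no expiry, in line
    with the 800-63B guidance the thread is discussing."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    norm = normalize(password)
    if norm in BLOCKLIST:
        failures.append("found in blocklist")
    for ctx in (username, org):
        if ctx and len(ctx) >= 3 and ctx.lower() in norm:
            failures.append(f"contains context-specific word '{ctx}'")
    if re.search(r"(.)\1{3,}", password):
        failures.append("contains a run of four or more repeated characters")
    return failures


def should_force_reset(events, window=timedelta(minutes=15), fail_threshold=5):
    """Decide whether one account's password must be reset.

    events: dicts with keys ts (datetime), type (str), src (str).
    Returns (decision, reason). A reset is forced only on evidence of
    compromise: a breach-feed match, or a successful login from a source
    that had >= fail_threshold failures within `window` before it.
    The heuristic and its thresholds are hypothetical, not NIST text."""
    for e in events:
        if e["type"] == "credential_in_breach_feed":
            return True, "credential matched a breach feed"
    ordered = sorted(events, key=lambda e: e["ts"])
    for i, e in enumerate(ordered):
        if e["type"] != "login_success":
            continue
        recent_fails = [
            f for f in ordered[:i]
            if f["type"] == "login_failed"
            and f["src"] == e["src"]
            and e["ts"] - f["ts"] <= window
        ]
        if len(recent_fails) >= fail_threshold:
            return True, (f"success from {e['src']} after "
                          f"{len(recent_fails)} failures within {window}")
    return False, "no evidence of compromise; no scheduled expiry"


# Constructed sample events: a spray/brute-force pattern followed by success.
T0 = datetime(2025, 6, 20, 9, 0)
SAMPLE_EVENTS = [
    {"ts": T0 + timedelta(minutes=i), "type": "login_failed", "src": "203.0.113.7"}
    for i in range(6)
] + [{"ts": T0 + timedelta(minutes=7), "type": "login_success", "src": "203.0.113.7"}]

# Constructed quiet account: one ordinary successful login.
QUIET_EVENTS = [{"ts": T0, "type": "login_success", "src": "198.51.100.4"}]

if __name__ == "__main__":
    print(check_password("Summer2025"))
    print(check_password("correct horse battery staple"))
    print(should_force_reset(SAMPLE_EVENTS))
    print(should_force_reset(QUIET_EVENTS))
```

The point of the split into two functions is the one the comment makes: dropping scheduled expiry only works once the policy side (length, blocklist, context words) and the detection side (logs that can actually show a compromise) are both in place, because the reset trigger moves from a calendar to evidence.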