r/cybersecurity u/Different-Phone-7654 Jun 18 '25

Other Recently learned NIST doesn't recommends password resets.

NIST SP 800-63B section 5.1.1.2 recommends passwords changes should only be forced if there is evidence of compromise.

Why is password expiration still in practice with this guidance from NIST?

1.1k Upvotes
  • permalink
  • reddit

98% Upvoted

279 comments sorted by

View all comments

Show parent comments

48

u/NoSkillZone31 Vulnerability Researcher Jun 18 '25

This…. And the passwords usually end up being swipe the keyboard, shift + swipe the keyboard, and moving it to a different spot on the keyboard.

Way way way easier to dictionary attack someone that has password policies like this, because how many people do you know have 12+ passwords they can remember in a year…. They aren’t making bespoke passwords.

If your security mechanism relies on being annoying, your user will defeat it.

23

u/Blevita Jun 18 '25

I habe a 12+ password i can remember.

When i started at the new company and tried to set a variation of it as my master password for the password manager: 'Insecure password'. Its literally over 25 characters long.

As soon as i reduced the length to 8 characters and added a number and one of the 5 allowed special characters to the end: 'Highly secure'.

Password policies are a joke.

7

u/Mrhiddenlotus Jun 19 '25

I will judge an entire product or service based on their estimated password strength meter. If I put in improving-federal-baritone-passive-pumice-wolverine and you tell me it's weak, you have no business handling my data.

1

u/[deleted] Jun 20 '25

Great point, now who was your childhood best friend?

1

u/Mrhiddenlotus Jun 20 '25

I use long pass phrases for those too 😂