undefined | Better HN

0 pointstwisteriffic2y ago0 comments

Correct! NIST recommends against forcing password expiry unless the password is known to be compromised.

https://pages.nist.gov/800-63-FAQ/#q-b05

0 comments

Thankfully all of my users are extreme statistical aberrations who do not re-use the same memorized password (or a variation on it) for more than one thing, ever, at all OR they diligently watch every single possible place they have ever re-used any of their memorized passwords, with the globally mandated and complied with reporting, so they can know if a password they once re-used at grandmas-cookies.blog.example.com has been compromised.

The fact that all websites, servers, systems (etc.) check to see if passwords are known to be compromised (since NIST says verifiers will do that) makes things a lot easier, too.

j / k navigate · click thread line to collapse

0 pointstwisteriffic2y ago0 comments

Correct! NIST recommends against forcing password expiry unless the password is known to be compromised.

https://pages.nist.gov/800-63-FAQ/#q-b05

0 comments

ronabop2y ago

The fact that all websites, servers, systems (etc.) check to see if passwords are known to be compromised (since NIST says verifiers will do that) makes things a lot easier, too.

j / k navigate · click thread line to collapse