The NIST password guidelines do not recommend periodic resets. Does the recommendation stand if there is no policy enforcing a minimum password length?
Is it considered a NIST best practice for a user to go five years without changing a password?
@Donald-Muncy , I hope all is well. The recent update to the NIST password standards, SP 800-63-3, is all about simplifying password management for users by leaving out overly complex security requirements.
What are the NIST password requirements?
Set an 8-character minimum length.
Change passwords only if there is evidence of compromise.
Screen new passwords against a list of known compromised passwords.
Skip password hints and knowledge-based security questions.
Limit the number of failed authentication attempts.
What are the NIST password recommendations?
Set the maximum password length to at least 64 characters.
Skip character composition rules as they are an unnecessary burden for end-users.
Allow copy and paste functionality in password fields to facilitate the use of password managers.
Allow the use of all printable ASCII characters as well as all UNICODE characters (including emojis).
The idea is that if you are using the totality of the requirements list, then you should/would be implementing policy as part of the approach, as these would be driven via policy.
If an organization is not using policy to drive security practice, there are broader issues that have to be addressed vis-a-vis the risk posture of that organization.
It is not about how long the password may go unchanged; it is about the protective ecosystem that surrounds the use and management of that password over its lifecycle.
Cheers,
Adam
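To make the requirements list above concrete, here is an added example (my own code, not Adam's and not anything from NIST) of a verifier that enforces the NIST items as policy in code: an 8-character minimum, acceptance of at least 64 characters, no composition rules, Unicode and emoji counted per code point, a screen against a compromised-password list, and a failed-attempt limit. The compromised list and the lockout threshold of 10 are constructed for the example; the page gives no number for either.

```python
import unicodedata

MIN_LEN = 8        # NIST: at least 8 characters for a user-chosen password
MAX_LEN = 128      # NIST: at least 64 must be accepted; this example allows more
MAX_FAILED = 10    # constructed threshold for this example (page gives no number)

# Constructed stand-in for a list of known compromised passwords.
COMPROMISED = {"password", "12345678", "qwertyuiop", "letmein123"}


def normalize(secret: str) -> str:
    # NFKC normalization so look-alike forms (e.g. full-width letters)
    # are compared as the same secret rather than slipping past the screen.
    return unicodedata.normalize("NFKC", secret)


def check_password(secret: str) -> tuple[bool, str]:
    """Return (accepted, reason). No composition rules are applied."""
    s = normalize(secret)
    n = len(s)  # counts code points: one emoji is one character, not four bytes
    if n < MIN_LEN:
        return False, "too short"
    if n > MAX_LEN:
        return False, "too long"
    if s.lower() in COMPROMISED:
        return False, "compromised"
    return True, "ok"


class AttemptLimiter:
    """Per-account counter that locks after MAX_FAILED consecutive failures."""

    def __init__(self, limit: int = MAX_FAILED) -> None:
        self.limit = limit
        self.failures: dict[str, int] = {}

    def record(self, user: str, success: bool) -> bool:
        """Record one attempt; return True if the account is now locked."""
        if success:
            self.failures.pop(user, None)  # a success resets the counter
            return False
        self.failures[user] = self.failures.get(user, 0) + 1
        return self.failures[user] >= self.limit

    def locked(self, user: str) -> bool:
        return self.failures.get(user, 0) >= self.limit
```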