On Fri, Dec 3, 2021 at 1:17 PM Kurt Seifried <k...@seifried.org> wrote:
>
> Not Using Password Aging - (262)
> https://cwe.mitre.org/data/definitions/262.html
>
> Password Aging with Long Expiration - (263)
> https://cwe.mitre.org/data/definitions/263.html
>
> REFERENCES needs updating with:
>
> https://pages.nist.gov/800-63-3/sp800-63b.html
+1. You never throw away a good secret based on [misguided] policy.

From Security UX studies, we know each time a user is required to come up with a new password, the new password gets weaker and weaker until it approaches a minimum.

Here's a better reference. Peter Gutmann stated this long before NIST, and he even cited the Security UX studies: https://www.cs.auckland.ac.nz/~pgut001/pubs/book.pdf

Jeff