On Mon, Dec 6, 2021 at 8:59 AM Kurt Seifried <k...@seifried.org> wrote:
>
> I think it's not an OBSOLETE issue, it's an active change in policy due to
> further research and knowledge.
>
> A great parallel is "3DES is good. USE 3DES!" which was a GREAT policy in
> 1998. It has since been retired and its use has been banned by NIST after
> 2023
> (https://csrc.nist.gov/News/2017/Update-to-Current-Use-and-Deprecation-of-TDEA).
>
> Why is the password aging issue any different? In fact, it's pretty much
> identical: NIST said this was a good idea, further research/technology
> movement happened and we learned it was a bad idea. So bad in fact it should
> probably be banned.
>
> Also, the ONE positive aspect of rotating passwords, which is an attacker
> gets a password, uses it, and this effectively locks them out, means your
> controls are so weak that:
>
> 1) you can't detect an attacker in the system and you basically have to hope
> they get locked out after 30/60/90/whatever days because of password rotation
> 2) your users are choosing bad passwords and/or exposing them somehow
> (phishing?) which means your access controls are basically doomed to fail at
> some point anyway
>
> and password rotation effectively covers this up and prevents real movement
> forwards.