Microsoft says mandatory password changing is “ancient and obsolete”:

arstechnica.com/information-te

And annoying too. And does very little to improve security.

We just need to get PCI to stop forcing that and everyone will be better off.

@dcid

I have never understood the PCI-DSS requirements to force users to change the password often.
Users just ended up with simplep@assword123
and the next password: simplep@assword1234
and so on lol


@dcid @selea too bad they don't take advantage of the work NIST did in 800-63B (Digital Identity Guidelines) in which they actually tackle the problem of passwords, and adapt it to more realistic recommendations... (i.e., doing away with rotations for one)
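The two posts above describe the failure mode of forced rotation (simplep@assword123 becoming simplep@assword1234) and the NIST SP 800-63B alternative: screen candidate passwords instead of expiring them. The following is an added example, not code from any poster or from NIST, of a password-change check in that spirit. It assumes a constructed blocklist (`BLOCKLIST`) and a hypothetical `check_new_password` API; a real deployment would screen against a full breached-password corpus.

```python
import re
import unicodedata
from typing import List, Optional

# Constructed sample blocklist standing in for a breached/common-password list.
# NIST 800-63B recommends screening against such a list rather than rotating.
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "simplepassword"}

# NIST 800-63B minimum length for user-chosen memorized secrets.
MIN_LENGTH = 8


def normalize(password: str) -> str:
    """Unicode-normalize so visually identical strings compare equal."""
    return unicodedata.normalize("NFKC", password)


def strip_trailing_digits(s: str) -> str:
    """Remove a trailing run of digits: 'simplep@assword1234' -> 'simplep@assword'."""
    return re.sub(r"\d+$", "", s)


def is_trivial_increment(old: str, new: str) -> bool:
    """True when the candidate differs from the previous password only in a
    trailing digit run, the pattern forced rotation tends to produce."""
    return old != new and strip_trailing_digits(old) == strip_trailing_digits(new)


def check_new_password(new: str, old: Optional[str] = None) -> List[str]:
    """Return the list of reasons the candidate is rejected; empty means accepted.

    Checks are the 800-63B style ones: minimum length and a blocklist screen,
    plus a rejection of trivial increments of the previous password when one
    is supplied (hypothetical extension, not something the posts specify)."""
    new = normalize(new)
    reasons: List[str] = []
    if len(new) < MIN_LENGTH:
        reasons.append("too short")
    if new.lower() in BLOCKLIST:
        reasons.append("on blocklist")
    if old is not None and is_trivial_increment(normalize(old), new):
        reasons.append("trivial variant of previous password")
    return reasons


if __name__ == "__main__":
    # The rotation pattern from the thread, as constructed input.
    print(check_new_password("simplep@assword1234", old="simplep@assword123"))
    print(check_new_password("correct horse battery staple"))
```

Note that nothing here expires a password on a timer; the policy only intervenes when a candidate is weak or a lazy increment of the previous one, which is the trade 800-63B makes.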

@tony

I am pretty sure that they will do it in the next release. It has not changed for a couple of years so it is due.
@dcid
