NIST proposes barring some of the most nonsensical password rules
Proposed guidelines aim to inject badly needed common sense into password hygiene.

Verifiers and CSPs SHALL NOT impose other composition rules (e.g., requiring mixtures of different character types) for passwords and
Verifiers and CSPs SHALL NOT require users to change passwords periodically. However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.

arstechnica.com/security/2024/

@corlin Yeah, the conventional wisdom has always been complete shite. I recognized that a bunch of years ago, when I was setting 90-day expiration and minimum complexity passwords on local AD domains by 'best practice'. It actually made things less secure. I could usually find almost all the users' new passwords written down in one of about 5 places.


@MakerWerks

Yep.
At my last job as an armed and unarmed security guard, we had to change our passwords every 60 days, with all kinds of these stupid rules.

I asked the IT Dept. what the most used password was; he said: some weird variant of "tthis Damn328$)ITdeptsucks."
