NIST removed password expiration from their recommendations in 2020. Instead they recommend only forcing password changes when compromise is suspected.
The main argument is that they do not make users or systems demonstrably safer and encourage bad password habits.
I would imagine most users change their password by only 1 character, and maybe even in sequential order.
When time comes to change the password, it becomes password1234 instead of password123. Or password234. Something easy to remember, most users don’t care about best security practices, and changing to a similar password is very convenient. Especially if it’s “only” for work stuff
Oh really? How come?
NIST removed password expiration from their recommendations in 2020. Instead they recommend only forcing password changes when compromise is suspected.
The main argument is that they do not make users or systems demonstrably safer and encourage bad password habits.
I would imagine most users change their password by only 1 character, and maybe even in sequential order.
When time comes to change the password, it becomes password1234 instead of password123. Or password234. Something easy to remember, most users don’t care about best security practices, and changing to a similar password is very convenient. Especially if it’s “only” for work stuff