Me /tries to do a quick something
site: enter your password
Me: fine
site: enter your one-time code
Me: already? but fine
site: your password will expire in 6 days. Change it now
Me: 🤬
Password policy: updating your approach

Advice for system owners responsible for determining password policies and identity management within their organisations.

NIST SP 800-63 Digital Identity Guidelines-FAQ

@dws @mfowler I truly believe people have summarized it as above, but not considered that in order to fully disband this control, you need much better detection of and response to indicators of account compromise than many have. Is it better to not require password changes? A resounding YES - if you are really good at disabling compromised accounts.
@ericgalis @dws @mfowler if an account is compromised changing the password will almost never fix the compromise.
@Geoff @dws @mfowler the most common ways an account is compromised are through password reuse or phishing, so if you identify that pattern on first login, you can prevent a lot of bad stuff from happening. Password reset times nowadays are just dwell time reducers. I agree, not particularly effective.
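An added example, not code from the thread or from the linked NIST or NCSC guidance, contrasting the two approaches being debated: a calendar-based expiry rule versus screening a secret against a compromised-password list when it is set and again at login, forcing a change only when there is evidence of compromise. The breach corpus, account records and dates are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
import hashlib

# Constructed sample breach corpus: SHA-1 digests standing in for a list of
# passwords that have appeared in public credential dumps.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("password", "Summer2023!", "qwerty123")
}

def is_breached(password: str) -> bool:
    """Blocklist lookup in the spirit of SP 800-63B: hash the secret, check the corpus."""
    return hashlib.sha1(password.encode()).hexdigest() in BREACHED_SHA1

@dataclass
class Account:
    username: str
    password_set_at: datetime
    reset_required: bool = False
    reset_reason: str = ""

def legacy_reset_due(acct: Account, now: datetime, max_age_days: int = 90) -> bool:
    """Legacy rule: calendar age alone forces a change, compromised or not."""
    return now - acct.password_set_at > timedelta(days=max_age_days)

def screen_new_password(candidate: str, min_len: int = 8) -> tuple:
    """Acceptance check with no expiry or composition rules: length floor plus breach screening."""
    if len(candidate) < min_len:
        return False, "too short"
    if is_breached(candidate):
        return False, "appears in compromised-password list"
    return True, "accepted"

def on_successful_login(acct: Account, presented: str) -> bool:
    """Event-driven rule: the verifier holds the plaintext at login, so it can
    re-screen against a corpus that may have grown since the password was set,
    and require a change only when reuse has actually been exposed."""
    if is_breached(presented):
        acct.reset_required = True
        acct.reset_reason = "password found in breach corpus after it was set"
    return acct.reset_required

def demo() -> dict:
    """Two long-unchanged passwords: age alone flags both, evidence flags one."""
    now = datetime(2024, 6, 1)
    alice = Account("alice", password_set_at=now - timedelta(days=400))
    bob = Account("bob", password_set_at=now - timedelta(days=400))
    return {
        "legacy_alice": legacy_reset_due(alice, now),
        "legacy_bob": legacy_reset_due(bob, now),
        "event_alice": on_successful_login(alice, "correct horse battery staple"),
        "event_bob": on_successful_login(bob, "Summer2023!"),
    }
```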