Our staff is always scanning the horizon for great cybersecurity content to share. Today we spotted this article on dropping your password expiration policy on lifehacker.

Most companies require all passwords to be reset every 30, 60, or 90 days. Most users are familiar with the drill. Are you grunting now? The article suggests that password expiration is an ancient practice that pays few dividends. I can hear the debate now! Also, NIST SP 800-63-3, the Digital Identity Guidelines, has been updated. Guess what? They removed the periodic password change requirement: verifiers should not force memorized secrets to change arbitrarily on a schedule, but must still force a change when there is evidence the credential has been compromised. Here is what NIST had to say about this in a recent FAQ document.

So... what are you gonna do?

Let’s face it, everything comes down to your organization’s cybersecurity risk and controls posture. Some might be in a good position to discard password expiration because they have other controls in place to mitigate the risk, such as multi-factor authentication, screening new passwords against lists of known-breached passwords, and monitoring that can force a reset when a credential is actually compromised. Others might not be mature enough to remove this control. At the end of the day, it comes down to doing what is best for your organization.
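To make the trade-off concrete, here is an added example (not code from the post, from lifehacker, or from NIST) of what "other controls in place" can look like in a password verifier: no calendar-based expiry, a minimum length, screening against a breached-password set, and rotation forced only on evidence of compromise. The account records, the tiny breach list, and the helper names are all constructed for illustration; a real deployment would query a breach corpus such as Pwned Passwords rather than a local set.

```python
"""Added example: a password policy that replaces periodic expiry with the
compensating controls NIST SP 800-63B points to. All names, the breach
list and the sample accounts below are constructed for this illustration."""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed stand-in for a breached-password corpus. Real deployments
# query a service by SHA-1 prefix; a small local set keeps this offline.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password", "Password1", "Summer2023!", "letmein")
}


def is_breached(password: str) -> bool:
    """True if the password's SHA-1 digest appears in the breached set."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest in BREACHED_SHA1


def check_new_password(password: str, min_len: int = 8) -> List[str]:
    """Return the reasons a candidate password is rejected (empty = accepted).
    Deliberately no composition rules and no expiry date: only length and
    breach screening, in line with SP 800-63B section 5.1.1.2."""
    reasons = []
    if len(password) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    if is_breached(password):
        reasons.append("appears in a known breach")
    return reasons


@dataclass
class Account:
    user: str
    password_set_at: datetime
    # Set by monitoring: credential seen in a dump, SOC alert, etc.
    compromise_evidence: bool = False


def legacy_must_rotate(acct: Account, now: datetime, max_age_days: int = 90) -> bool:
    """The 30/60/90-day rule the post describes: rotate on age alone."""
    return now - acct.password_set_at > timedelta(days=max_age_days)


def nist_must_rotate(acct: Account, now: datetime) -> bool:
    """SP 800-63B rule: never rotate on age, always rotate on evidence of compromise."""
    return acct.compromise_evidence


def demo() -> Dict[str, Dict[str, bool]]:
    """Constructed accounts: an old password with no incident, and a fresh
    password whose credentials turned up in a dump. Shows which policy
    forces a reset for which user."""
    now = datetime(2024, 6, 1)
    stale = Account("alice", now - timedelta(days=120))
    leaked = Account("bob", now - timedelta(days=5), compromise_evidence=True)
    return {
        "legacy": {a.user: legacy_must_rotate(a, now) for a in (stale, leaked)},
        "nist": {a.user: nist_must_rotate(a, now) for a in (stale, leaked)},
    }


if __name__ == "__main__":
    print(check_new_password("Summer2023!"))
    print(demo())
```

The point of `demo()` is the mismatch between the two rules: the age-based policy resets alice, whose password nobody has stolen, and leaves bob alone even though his credential is known to be out in the wild. The breach screen in `check_new_password` is what lets an organization drop the schedule without losing the one thing it was meant to achieve.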

What are your thoughts on discarding the password expiration policy?
