Expiring password notification
Cantor, Scott
cantor.2 at osu.edu
Fri Oct 20 13:03:45 EDT 2017
When he said "wise", I'm pretty sure he was alluding to the irony of them finally deciding to do this just when the people who told people to do it admitted they were completely wrong. The irony of course is that the people who believed it can now point to "well, what does NIST know?" as evidence not to listen to NIST when NIST says they were wrong.
-- Scott
On 10/20/17, 5:33 AM, "users on behalf of Rod Widdowson" <users-bounces at shibboleth.net on behalf of rdw at steadingsoftware.com> wrote:
> our wise
> board of regents has decided that we will soon be arbitrarily expiring
> passwords every 6 months.
I'm sure it won't help you, but from NIST (who might know what they are talking about)
"Digital Identity Guidelines", published June 2017
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63b.pdf
> Do not require that memorized secrets be changed arbitrarily
> (e.g., periodically) unless there is a user request or evidence of
> authenticator compromise.
And yes I'm cherry picking...
R