Expiring password notification

mat houser mhouser at uwm.edu
Fri Oct 20 13:24:42 EDT 2017

Yes indeed. Multiple IAM and InfoSec people have objected to this policy,
in no small part due to the current NIST recommendations.

Yet they have persisted. I'm not sure if this is isolated to our fine
institution, but it seems the prevailing approach is to check off boxes
for compliance's sake rather than to adopt best practices.

Also, thanks Scott for your response. I don't currently have a
functional understanding of Spring and the appropriate low-level
components, but at least now I know what I need to learn about.


mhouser at uwm.edu

On Fri, 20 Oct 2017, Cantor, Scott wrote:

When he said "wise", I'm pretty sure he was alluding to the irony of them finally deciding to do this just when the people who told people to do it admitted they were completely wrong. The irony of course is that the people who believed it can now point to "well, what does NIST know?" as evidence not to listen to NIST when NIST says they were wrong.

-- Scott

On 10/20/17, 5:33 AM, "users on behalf of Rod Widdowson" <users-bounces at shibboleth.net on behalf of rdw at steadingsoftware.com> wrote:

> our wise
> board of regents has decided that we will soon be arbitrarily expiring
> passwords every 6 months.

I'm sure it won't help you, but from NIST (who might know what they are talking about)

"Digital Identity Guidelines", published June 2017

> Do not require that memorized secrets be changed arbitrarily
> (e.g., periodically) unless there is a user request or evidence of
> authenticator compromise.

And yes I'm cherry picking...
