“Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.”
When those changes do occur, they often select a secret that is similar to their old memorized secret by applying a set of common transformations such as increasing a number in the password.
Well, there’s the problem. Why are people using memorized passwords? And why are they picking passwords that could be easily guessed?
Literally, the only password that one should memorize is for their password manager that has strong 2FA enabled.
This recommendation seems to cater to users who already have poor security habits, rather than offering best practices. That’s my opinion, anyway.
On mobile, so forgive any formatting, but the text below is quoted from the NIST FAQ. https://pages.nist.gov/800-63-FAQ/#q-b03
Q-B05:
Is password expiration no longer recommended?
A-B05:
SP 800-63B Section 5.1.1.2 paragraph 9 states:
Users tend to choose weaker memorized secrets when they know that they will have to change them in the near future. When those changes do occur, they often select a secret that is similar to their old memorized secret by applying a set of common transformations such as increasing a number in the password. This practice provides a false sense of security if any of the previous secrets has been compromised since attackers can apply these same common transformations. But if there is evidence that the memorized secret has been compromised, such as by a breach of the verifier’s hashed password database or observed fraudulent activity, subscribers should be required to change their memorized secrets. However, this event-based change should occur rarely, so that they are less motivated to choose a weak secret with the knowledge that it will only be used for a limited period of time.
edit: spelling