NIST used to tell orgs to require password rotation. Some years ago they changed their recommendation with an explanation that it adds not security benefits while it encourages users to write down or use shittier passwords.
Yes, as I said, that is with the assumption if people do not use password manager and get lazy. Then I can see this argument being true. But with such long and complicated random passwords on many different services (like I do), it’s expected to use password managers and only remember a single password. Therefore this is the preferred method over bad passwords, which are not changed frequently, as the NIST recommends. I do not agree with that.
NIST used to tell orgs to require password rotation. Some years ago they changed their recommendation with an explanation that it adds not security benefits while it encourages users to write down or use shittier passwords.
Yes, as I said, that is with the assumption if people do not use password manager and get lazy. Then I can see this argument being true. But with such long and complicated random passwords on many different services (like I do), it’s expected to use password managers and only remember a single password. Therefore this is the preferred method over bad passwords, which are not changed frequently, as the NIST recommends. I do not agree with that.