Phasing out password rotation requirement
The following requirement, I believe, will eventually become less common, as companies are moving away from rotating passwords. It might need to be inclusive of all methods going forward, since password rotation will probably be slowly phased out.
ID: 1031.01d1System.34510 “The organization changes passwords for default system accounts, at first logon following the issuance of a secure temporary password, when there is a suspected compromise, and no less than every 90 days for regular accounts or 60 days for privileged (i.e., administrator accounts).”
It has been discussed for years now that rotating passwords makes individuals more likely to write their passwords down or to ask for more password resets. With MFA and more complex passwords being required, the risk associated with rotating passwords has exceeded that of keeping a password that has never been compromised. NIST Special Publication 800-63B states: "Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator." Also, it has been publicized that Microsoft no longer recommends changing passwords periodically.

Great suggestion. This is addressed in v9.4 of the CSF and will continue to be reflected in future CSF versions.
-
Thanks for the feedback James. I've forwarded this idea to HITRUST's Standards team for consideration.