Phase out password rotation
I'm re-upping the Declined idea of phasing out password rotation. It's a bad requirement.
The following requirement, I believe, will eventually be less common as companies are moving away from rotating passwords, and it might need to be inclusive of all methods going forward, as password rotation will probably be slowly phased out.
ID: 1031.01d1System.34510 “The organization changes passwords for default system accounts, at first logon following the issuance of a secure temporary password, when there is a suspected compromise, and no less than every 90 days for regular accounts or 60 days for privileged (i.e., administrator accounts).”
It has been discussed for years now that rotating passwords leaves individuals more prone to having to write their passwords down or ask for more password resets. With MFA and more complex passwords being required, the risk associated with rotating passwords has exceeded keeping a password that has never been compromised. NIST Special Publication 800-63B mentions "Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator." Also, it has been publicized that Microsoft no longer recommends passwords being changed periodically.

Implemented with latest CSF v9.4 update
sarah.phillips commented
Thank you for the suggestion. The language regarding password rotation was updated with version v9.2 of the CSF.
1031.01d1System.34510: The organization changes passwords for default system accounts, whenever there is any indication of password compromise, at first logon following the issuance of a temporary password, and requires immediate selection of a new password upon account recovery.
I hope this resolves your concern; however, please feel free to reach out to our Support team with any further questions.