This practice is not recommended anymore, yet still found in many enterprises.

    • jj4211@lemmy.world
      link
      fedilink
      arrow-up
      3
      ·
      4 months ago

      Nist guidelines used to recommend rotation, and our security team would quickly point to it when people complained.

      So of course we jumped on that and security team said “well nist are just guidelines and we go for more stringent requirements”…

    • DeviantOvary@lemmy.world
      link
      fedilink
      arrow-up
      1
      ·
      4 months ago

      I would need to check (not in charge of it), but I do remember in the fat stack of guidelines we got there was the password policy of 90 days. However, the point still stands that some people have no digital hygiene and will write down and share their passwords in plain text for all to see even if we didn’t enforce password expiry. Though in all honesty, there’s no winning combination when so many don’t truly give a shit about digital security. As long as they can flaunt a certificate.