This practice is not recommended anymore, yet still found in many enterprises.

  • cron@feddit.org (OP) · 21 points · 4 months ago

    The most prominent source is NIST, which states:

    Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator. (source)

    I found an explanation on a different site:

    It’s difficult enough to remember one good password a year. And since users often have numerous passwords to remember already, they often resort to changing their passwords in predictable patterns, such as adding a single character to the end of their last password or replacing a letter with a symbol that looks like it (such as $ instead of S).
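The quoted explanation describes exactly the kind of rotation a verifier can catch at change time: appending or bumping a trailing digit, or swapping a letter for a look-alike symbol. Below is an added example (not code from this thread or from NIST) of such a similarity check. It assumes the user supplies both the old and the new password when changing it, as pam_pwquality-style checks do, so the comparison runs on plaintext before the new hash is stored; it cannot be run against stored hashes. The look-alike table and the thresholds are illustrative choices, not a standard.

```python
"""Reject predictable password "rotations" at change time.

Added example, not from the thread. Assumes both the old and the new
password are available in plaintext during the change (the user proves
the old one first). The LEET table and the length/distance thresholds
are hypothetical tuning knobs.
"""
import re
from typing import Tuple

# Look-alike substitutions, e.g. "$" for "s" as mentioned in the thread.
LEET = {"$": "s", "@": "a", "0": "o", "1": "i", "!": "i",
        "3": "e", "4": "a", "5": "s", "7": "t", "|": "l"}


def canonical(pw: str) -> str:
    """Reduce a password to its 'core word'.

    Lower-case it, drop the trailing run of digits/symbols (the part people
    bump from 2023 to 2024), then undo look-alike substitutions.
    "Summer2023!" -> "summer", "P@$$w0rd" -> "password".
    """
    s = pw.lower()
    s = re.sub(r"[^a-z]+$", "", s)          # strip trailing suffix first
    s = "".join(LEET.get(c, c) for c in s)  # then undo leetspeak
    return re.sub(r"[^a-z]+$", "", s)       # tidy any leftover tail


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (insert/delete/substitute, cost 1 each)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def check_change(old: str, new: str) -> Tuple[bool, str]:
    """Return (accepted, reason) for a proposed old -> new password change."""
    if new == old:
        return False, "password unchanged"
    if edit_distance(old, new) <= 1:
        return False, "single-character edit of the old password"
    co, cn = canonical(old), canonical(new)
    if co == cn:
        return False, "same core word; only suffix or look-alike characters changed"
    shorter, longer = sorted((co, cn), key=len)
    if len(shorter) >= 4 and longer.startswith(shorter):
        return False, "one core word is a prefix of the other"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample changes, labelled by the pattern they exercise.
    for old, new in [("Summer2023!", "Summer2024!"),        # bumped year
                     ("Pa$$word1", "Password1"),            # look-alike swap
                     ("Summer", "Summertime2024"),          # extended core word
                     ("correct horse battery", "staple zebra 99")]:  # genuine change
        print(f"{old!r:25} -> {new!r:20} {check_change(old, new)}")
```

A verifier that follows the NIST text would run a check like this only when a change is actually required, for example after evidence of compromise, rather than on a calendar schedule; the check is what keeps a forced change from being a cosmetic one.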