Security "experts" don't want to hear this: But forcing people to log in more often does, in fact, increase the likelihood that:
- Someone will shoulder-surf your password
- People will find shortcuts to make logging in more convenient
- People will choose passwords that are least annoying to them irrespective of how secure they are
- Phishing attacks are more successful
@MichalBryxi the ones forcing you to log in so often are the same ones insisting that 8 characters is long enough and that they should be reset every 90 days
@mensrea @MichalBryxi periodic password changes are advised against by NIST.
In case you want something to use to stop people doing that: NIST SP 800-63B, which is the Authentication and Lifecycle Management section of their Digital Identity Guidelines, says in 5.1.1.2
“Verifiers SHALL NOT require users to periodically change memorized secrets”.
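As an added illustration of what a verifier-side policy built on that section of SP 800-63B looks like (this is example code written for this thread, not from NIST, Sage or any poster): memorized secrets are NFKC-normalized, required to be at least 8 characters, allowed up to at least 64, screened against a blocklist of common or breached values, and never expired on a schedule; a forced change happens only on evidence of compromise. The `Credential` record, the `BLOCKLIST` contents and the `check_new_secret`/`change_required` names are constructed assumptions for the example.

```python
import unicodedata
from dataclasses import dataclass

# SP 800-63B 5.1.1.2: memorized secrets SHALL be at least 8 characters,
# and verifiers SHALL permit at least 64 characters. 64 here is the
# smallest cap the guideline allows, not a recommended limit.
MIN_LEN = 8
MAX_LEN = 64

# Constructed sample blocklist. A real verifier would load a large list of
# commonly used, expected or compromised values, as the guideline requires.
BLOCKLIST = {"password", "12345678", "qwerty123", "letmein1"}


@dataclass
class Credential:
    """Hypothetical stored-credential record used only for this example."""
    compromised: bool = False  # set when breach evidence is received


def normalize(secret: str) -> str:
    # NFKC normalization, as the guideline recommends, so that visually
    # identical input in different Unicode forms compares as the same secret.
    return unicodedata.normalize("NFKC", secret)


def check_new_secret(secret: str) -> list[str]:
    """Return a list of policy violations for a candidate secret (empty = accepted).

    Deliberately absent: composition rules (mixed case, digits, symbols) and
    any rotation schedule. SP 800-63B says verifiers SHOULD NOT impose the
    former and SHALL NOT require the latter.
    """
    s = normalize(secret)
    problems = []
    if len(s) < MIN_LEN:
        problems.append("too_short")
    if len(s) > MAX_LEN:
        problems.append("too_long")
    # Blocklist comparison is case-insensitive here; that is a design choice
    # for this example, not something the guideline mandates.
    if s.lower() in BLOCKLIST:
        problems.append("blocklisted")
    return problems


def change_required(cred: Credential, days_since_set: int) -> bool:
    """Decide whether the user must pick a new secret.

    Age alone never triggers a change (the 'SHALL NOT require periodic
    change' rule); only evidence of compromise does. days_since_set is
    accepted so callers with a legacy expiry hook can see it is ignored.
    """
    return cred.compromised


if __name__ == "__main__":
    for candidate in ["abc", "password", "ｐａｓｓｗｏｒｄ", "correct horse battery staple"]:
        print(repr(candidate), "->", check_new_secret(candidate) or "ok")
    print("change after 400 days, not compromised:", change_required(Credential(), 400))
    print("change after 1 day, compromised:", change_required(Credential(compromised=True), 1))
```

The fullwidth `ｐａｓｓｗｏｒｄ` case shows why normalization comes before the blocklist check: without NFKC it would slip past a list that only contains ASCII `password`.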
@aimaz yup. Having this fight with the Sage 300 vendor at work via HR, but so far it's not sticking. It's a very quick way to make people set very bad passwords @MichalBryxi
@aimaz never mind. Just spent some time reading Sage documentation; password expiry is a hard requirement of the system. But the good news is, as of last year the UI no longer uppercases passwords before submission @MichalBryxi