#71 Password Aging no longer recommended
Opened 4 months ago by felher. Modified 4 months ago

Hey all,

The System Administrator's Guide contains the sentence

For security reasons, it is advisable to require users to change their passwords periodically.

here: https://docs.fedoraproject.org/en-US/fedora/f35/system-administrators-guide/basic-system-configuration/Managing_Users_and_Groups/#s2-users-tools-password-aging

I wanted to suggest to you that it might be a good idea to change this sentence, maybe to something simple like "If you want to require users to change their passwords periodically, read on".

Changing passwords regularly was recommended by security experts and government organizations some time ago, but I think most of them have reconsidered their stance. For example, NIST (which used to recommend it) has now changed its position:

Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically).
( https://pages.nist.gov/800-63-3/sp800-63b.html )

The same goes for the German counterpart, the BSI: it used to recommend it, but doesn't do so anymore.

I expect other agencies have followed, but these are the two I'm certain of.

Kind regards,
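The guide section the issue points at covers the password-aging fields that `chage` writes into `/etc/shadow`. An administrator weighing the NIST/BSI position against an existing system will first want to know which accounts currently have a forced rotation period. The script below is an added example (not part of this issue or of the Fedora guide): it parses records in the standard shadow(5) layout, reports the accounts on which a maximum password age is enforced, and lists the `chage -M -1` invocations that would lift that maximum. The sample records are constructed; the function names are this example's own.

```python
"""Audit password-aging settings in shadow(5)-style records.

Added example, not part of the Pagure issue or the Fedora guide.
Field layout (shadow(5)):
  name:hash:lastchange:min:max:warn:inactive:expire:reserved
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample records; hashes are placeholders, not real password hashes.
SAMPLE_SHADOW = """\
root:$6$examplehash:19300:0:99999:7:::
alice:$6$examplehash:19300:1:90:7:::
bob:$6$examplehash:19300:0::7:::
svc-backup:!:19300:0:30:7:::
carol:*:19300:0:180:14:::
"""

# `chage -M 99999` is the conventional "never expires" value; an empty max
# field (what `chage -M -1` writes) means no maximum age is enforced at all.
NO_EXPIRY_SENTINEL = 99999


@dataclass
class AgingEntry:
    name: str
    max_days: Optional[int]    # None when the field is empty (no maximum)
    warn_days: Optional[int]
    locked: bool               # password field starts with '!' or '*'

    def rotation_enforced(self) -> bool:
        """True when the account must change its password periodically."""
        return self.max_days is not None and self.max_days < NO_EXPIRY_SENTINEL


def parse_shadow(text: str) -> list[AgingEntry]:
    """Parse shadow(5)-format text into AgingEntry records.

    Raises ValueError on a malformed line rather than silently skipping it,
    so an audit never under-reports because of a corrupted record.
    """
    entries: list[AgingEntry] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 9:
            raise ValueError(f"line {lineno}: expected 9 fields, got {len(fields)}")
        name, password, _last, _min, max_days, warn, *_rest = fields
        entries.append(AgingEntry(
            name=name,
            max_days=int(max_days) if max_days else None,
            warn_days=int(warn) if warn else None,
            locked=password.startswith(("!", "*")),
        ))
    return entries


def accounts_with_forced_rotation(text: str, include_locked: bool = False) -> list[str]:
    """Names of accounts with a periodic change requirement.

    Locked accounts (no usable password) are skipped by default, since their
    aging fields have no effect on interactive password logins.
    """
    return [
        e.name for e in parse_shadow(text)
        if e.rotation_enforced() and (include_locked or not e.locked)
    ]


def chage_commands_to_lift_rotation(text: str) -> list[str]:
    """`chage` invocations that would remove the maximum-age check.

    `chage -M -1` clears the max field (shadow(5): no maximum enforced).
    Returned for review; nothing is executed here.
    """
    return [f"chage -M -1 {name}" for name in accounts_with_forced_rotation(text)]


if __name__ == "__main__":
    for entry in parse_shadow(SAMPLE_SHADOW):
        state = "locked" if entry.locked else ("rotation enforced" if entry.rotation_enforced() else "no maximum age")
        print(f"{entry.name:<12} max={entry.max_days!s:<6} {state}")
    print("\n".join(chage_commands_to_lift_rotation(SAMPLE_SHADOW)))
```

Run against a copy of the real file (`sudo cat /etc/shadow > shadow.txt`, then `parse_shadow(open("shadow.txt").read())`) the report shows which accounts a site-wide change to the aging policy would affect; new accounts take their default maximum from `PASS_MAX_DAYS` in `/etc/login.defs`, which the same review should cover.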

