I made the mistake of telling people on Reddit that not having regular password expiry is bad. The reaction is amazing.

Hear me out...if people reuse passwords, and one sure gets popped...they all got popped.

Also, no one mentions disabling expiry with any other recommendations, like MFA. My fear is that all the people who see one piece of the recommendations and run with just that, without considering all the other pieces.

Security is like onions...

@jjbaumgartner yeah I’ll just add another protocol where we disagree. There’s no need to slice and dice and imagine that things unsaid are implied in the worst possible way. Even NIST recanted it’s recommendation to change passwords for government and enterprises. Do some research on it. It was never founded in anything. Someone just sorta made it up and it stuck. There is not a lot of justification for it.

Sign in to participate in the conversation
Infosec Exchange

A Mastodon instance for info/cyber security-minded people.