You're viewing a single thread.
6
comments
The NIST recommends against a forced password rotation https://www.isaca.org/resources/isaca-journal/issues/2019/volume-1/nists-new-password-rule-book-updated-guidelines-offer-benefits-and-risk
It's bizarre how despite these recommendations I've had multiple workplaces that change passwords monthly. Add stringent complexity requirements, and you get sticky notes everywhere with full logon details.
A sign in button would be about the same level of security.
Take the sign in button and put it on the user's phone that requires biometrics/PIN and you've probably got a pretty darn secure system.
Risk management > blind security rules. The latter is security theatre.
You've viewed 6 comments.