The previous version of NIST SP 800-63B, section 5.1.1.2, said that organizations SHOULD NOT require users to update their passwords on a regular basis, unless they believe that the password was compromised. The 2025-05-30 version moved that to section 3.1.1.2 and updated it to say organizations SHALL NOT do that.
Now whenever a website emails me to say I have to update my password because it’s been a month or two since I last did it, I report a security bug to them:
The website has a security flaw: it makes users rotate their passwords periodically. This is against the security controls in NIST Special Publication 800-63B-4, “Digital Identity Guidelines”, section 3.1.1.2, clause 6, which reads:
“6. Verifiers and CSPs SHALL NOT require subscribers to change passwords periodically. However, verifiers SHALL force a change if there is evidence that the authenticator has been compromised.”
Please fix the website to remove this requirement. Thank you.
If we all do this, maybe it’ll get into their heads that it’s a bad idea to make users change their passwords just for the sake of it.