> This is true, PCI DSS still requires password expiry.
We’ve been using a compensating control of “our password policy is exactly NIST SP 800-63B (2017) plus two more characters in Min length” for our PCI audits since the revision was published in 2017.
Yes. When a policy is crazy, the Right Thing is to find out how to either alter that policy or obtain an authorised deviation from it as tatersolid describes.
If you spend an hour a month on something that's required by policy and in your opinion shouldn't be, then six hours invested finding the person who sets that policy and explaining why it's a terrible idea may free up net six extra hours of your life within a year.
That story where the guy comes down a mountain with a stone tablet with Ten Commandments carved into it is (a) a myth and (b) no kind of a way to set effective policy. People can't even agree on what his Ten Commandments were, let alone on following them.
Using NIST password guidelines as a compensating control has been accepted by every assessor I’ve dealt with (even the really bad ones). A compensating control must exceed the requirements of the control it’s compensating for, and the NIST rules clearly do. I’d say it has much more to do with how you write your compensating control worksheet rather than anything else. If your assessor is refusing to accept compensating controls, you should report them to the SSC, and then find a new assessor.
Do you happen to have a library/tool you could recommend that helps with this or did you develop something in-house?
My startup is implementing most of the NIST recs with the help of projects like zxcvbn, but we would like to also start doing breach list comparisons, so I figured I’d ask.
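As an added illustration of the breach-list comparison the commenter above asks about (this is example code written for this page, not the commenter's implementation and not zxcvbn), the block below screens a candidate password the way NIST SP 800-63B section 5.1.1.2 describes: enforce a minimum length, reject context-specific words, and compare against a list of previously breached values. The breach check is done in the k-anonymity style used by range-query breach services: only the first five hex characters of the SHA-1 hash are used to select candidates, and the full hash is compared locally. The breach corpus here is a constructed handful of well-known weak passwords, not a real breach list, and the `range_lookup` function stands in for the network call a real deployment would make.

```python
"""NIST SP 800-63B style password screening with a k-anonymity breach-list check.

Example code added for illustration; the breach corpus below is constructed,
and range_lookup() is a local stand-in for a range-query breach service.
"""
import hashlib

# NIST SP 800-63B minimum for user-chosen memorized secrets is 8 characters.
MIN_LENGTH = 8

# Constructed sample corpus (NOT a real breach list): stored as SHA-1 hex
# digests, which is how most published breach lists are distributed.
_SAMPLE_BREACHED = ["password", "123456", "qwerty", "letmein", "Password1"]


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the UTF-8 encoded password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Index the corpus by 5-hex-char prefix -> set of 35-hex-char suffixes, the
# same shape a range-query service returns for a prefix.
BREACH_INDEX: dict[str, set[str]] = {}
for _pw in _SAMPLE_BREACHED:
    _h = sha1_hex(_pw)
    BREACH_INDEX.setdefault(_h[:5], set()).add(_h[5:])


def range_lookup(prefix: str) -> set[str]:
    """Stand-in for a range query: given a 5-hex-char SHA-1 prefix, return every
    stored suffix sharing it. The full hash never leaves the client."""
    return BREACH_INDEX.get(prefix.upper(), set())


def is_breached(password: str) -> bool:
    """True if the password's full SHA-1 matches a suffix returned for its prefix."""
    digest = sha1_hex(password)
    return digest[5:] in range_lookup(digest[:5])


def check_password(password: str, context_words: tuple[str, ...] = ()) -> list[str]:
    """Return the list of reasons to reject the password; an empty list means accept.

    context_words are identifiers such as the username or service name that
    NIST says should not appear in the secret.
    """
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    lowered = password.lower()
    if any(word and word.lower() in lowered for word in context_words):
        reasons.append("contains a context-specific word (username, service name)")
    if is_breached(password):
        reasons.append("appears in a breach list")
    return reasons


if __name__ == "__main__":
    for candidate in ["password", "qwerty", "correct horse battery staple"]:
        print(repr(candidate), "->", check_password(candidate) or "OK")
```

A real deployment would replace `range_lookup` with the HTTPS range request to the breach service (or a query against a locally mirrored list), keep the rest unchanged, and apply the same screen on both password creation and password change so that the "increment the trailing digit" pattern described elsewhere in this thread does not bypass it.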
The ISO 27xxx standards in Information Security don't tell you how to do it, they tell you how to formalise what you decided to do (and how it can be monitored, audited, etc.). So the reason your ISO compliance forces you to do password rotation is that some twit added "password rotation" to the policies you decided you were going to implement. New task: Find the relevant policy and revise it citing the modern NIST guidance. Extra credit: Go through other policies that get in your way, figure out why they're in there and either you'll be reconciled to this annoyance in your life or you can revise the policy to not be a problem.
I would love to know my company’s reasoning. I work for a huge health care provider and everyone from care workers to the nurses in our office has to change our passwords every 6 weeks. Others and I just keep the same passwords and increase the number at the end. Currently we keep getting these emails from IT telling us the security threat level is high and don’t click links from unknown locations. The system is buggy, to add to it all, so people are constantly getting locked out and they call IT, who helps change to another password. After having to do it so often, so many times, most of us just don’t care anymore. My password is kind of complex and in the middle I have a number that I just increase each time.
If that’s actually true, then most companies’ hands are tied until those payment agencies update their requirements.