Feature Request - Policy - Master Password Expirations for users. We would like to require users to change/update their master passwords on a regular basis based on age (i.e. every x days/months/years).
Would be a nice feature to have
This is in direct contradiction to best practices recommended by NIST for passwords that have to be memorized (“memorized secrets”):
Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.
The most recent draft revision is even stronger on this point:
Verifiers SHALL NOT require users to periodically change memorized secrets.
As a company we want every user to renew the master password every x months.
There is no setting available yet.
Uughh. Why, if you don’t mind me asking? Personally, I feel like these sorts of policies undermine the protections offered by password managers rather than enhance them, although I do realize there are exceptions.
Yeah, this is against current best practice. If you ask your staff to come up with a strong, memorable password, then make them change it every month/every quarter/etc., they are either going to (a) write it down or (b) just change one digit at the end of the password. There’s no additional security, just inconvenience for your users. Only enforce a password change if there’s a suspicion that a password has been compromised.
If you are still a fan of this “change your password”-idea, please take a look at this:
NIST.gov:
“Do not require that memorized secrets be changed arbitrarily (e.g., periodically) unless there is a user request or evidence of authenticator compromise.”
Source: https://pages.nist.gov/800-63-3/sp800-63b.html#sec10, see 10.2.1 below, under Memorized Secrets
Because of your name I assume that you speak some German.
Therefore you also might want to take a look at this article:
And finally a personal note:
Whenever I was forced to change my password on a regular basis both me and everyone who told me about this just added a counter or date to the “regular” password.
@Egbert @dh024 @danmullen @Peter_H I merged your posts with this feature request to the same topic.
Whenever I was forced to change my password on a regular basis both me and everyone who told me about this just added a counter or date to the “regular” password.
I worked at a company that ran a background password-cracking process on all employees' passwords. If one was cracked, in addition to notifying the employee and requiring an immediate password change, it added the password to the dictionary, after which it was no longer possible to "just add a number" to it.
It was introduced like 5 years ago along with removing the requirement to regularly update the passwords.
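The "just add a counter or date" problem described in the two posts above, and the cracked-password dictionary that defeats it, as an added example that is not code from the thread, from Bitwarden, or from the company mentioned. The cracked list and the normalisation rules (strip a trailing counter/date/punctuation suffix, then undo common leetspeak substitutions) are assumptions for illustration; a real deployment would feed the dictionary from the cracking job and tune the heuristics.

```python
import re

# Constructed sample: passwords a background cracking job has recovered.
# (Assumption: in production this list is populated by the cracker, not hard-coded.)
CRACKED_SAMPLE = ["Password1", "Summer2021!", "Welcome!", "letmein", "Qwerty123"]

# Trailing digits, punctuation and underscores: the "counter or date" people append.
_TAIL = re.compile(r"[\d\W_]+$")

# Common leetspeak substitutions, applied after the suffix is removed so that
# a trailing "1" is treated as a counter, not as an "i".
_LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "3": "e", "1": "i",
                       "!": "i", "$": "s", "5": "s", "7": "t"})


def core(password: str) -> str:
    """Reduce a password to the part people actually keep when they 'rotate' it.

    Lower-case it, drop the trailing counter/date/punctuation, undo leetspeak.
    Limitation (deliberate, to keep the heuristic readable): leading punctuation
    and suffixes that contain letters (e.g. "jan24") are not stripped.
    """
    stripped = _TAIL.sub("", password.lower())
    return stripped.translate(_LEET)


class CrackedDictionary:
    """Blocklist of cracked passwords, compared on their normalised core.

    Once a password is cracked, every 'change one digit at the end' variant of it
    normalises to the same core and is rejected too.
    """

    # Reject when fewer than this many letters survive normalisation (e.g. "12345678").
    MIN_CORE = 4
    # Only treat an entry as a *substring* match if it is long enough to be meaningful,
    # so short entries do not reject unrelated passphrases.
    MIN_SUBSTRING = 6

    def __init__(self, seed=()):
        self.cores: set[str] = set()
        for pw in seed:
            self.add(pw)

    def add(self, cracked_password: str) -> None:
        """Feed a newly cracked password into the dictionary."""
        c = core(cracked_password)
        if c:
            self.cores.add(c)

    def rejects(self, candidate: str) -> bool:
        """True if the candidate is a cracked password or a trivial variant of one."""
        c = core(candidate)
        if len(c) < self.MIN_CORE:
            return True
        for entry in self.cores:
            if c == entry or (len(entry) >= self.MIN_SUBSTRING and entry in c):
                return True
        return False


if __name__ == "__main__":
    d = CrackedDictionary(CRACKED_SAMPLE)
    for pw in ["Password2", "P@ssw0rd2024!", "summer-2022_01", "Tr0ub4dor&3",
               "correct horse battery staple"]:
        print(f"{pw!r:35} rejected={d.rejects(pw)}")
    # The feedback loop: crack one more, and its variants die with it.
    d.add("Tr0ub4dor&3")
    print(f"{'troubador99'!r:35} rejected={d.rejects('troubador99')}")
```

The check is intentionally a normalisation-and-compare rather than a Levenshtein distance: it is cheap enough to run on every password change, and it targets exactly the behaviour the posts describe (same word, new digit). Anything the cracker recovers later goes in via `add`, and the whole family of that password's suffix variants is closed off at once.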