Org Policies - Master password expiration/rotation of master passwords

Feature Request - Policy - Master Password Expirations for users. We would like to require users to change/update their master passwords on a regular basis based on age (i.e. every x days/months/years).


Would be a nice feature to have

This is in direct contradiction to best practices recommended by NIST for passwords that have to be memorized (“memorized secrets”):

Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.

The most recent draft revision is even stronger on this point:

Verifiers SHALL NOT require users to periodically change memorized secrets.