Enforced rotation of passwords on a schedule is no longer recommended, and is advised against. Mandatory immediate expiration/rotation of all credentials that have been (or are suspected to have been) somehow exposed is a requirement of all security protocols. And there is nothing wrong with a user voluntarily rotating their credentials; that does not reduce security (as long as they don't do something silly like use less secure passwords in the interest of making them more memorable).