<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Key Rotation on Brave New Geek</title><link>https://bravenewgeek.com/tag/key-rotation/</link><description>Recent content in Key Rotation on Brave New Geek</description><generator>Hugo</generator><language>en-us</language><lastBuildDate>Fri, 11 Oct 2019 12:02:11 -0500</lastBuildDate><atom:link href="https://bravenewgeek.com/tag/key-rotation/index.xml" rel="self" type="application/rss+xml"/><item><title>Security by Happenstance</title><link>https://bravenewgeek.com/security-by-happenstance/</link><pubDate>Tue, 26 Mar 2019 11:25:14 -0500</pubDate><guid>https://bravenewgeek.com/security-by-happenstance/</guid><description>&lt;h4 id="key-rotation-auditing-and-securecicd"&gt;Key rotation, auditing, and secure CI/CD&lt;/h4&gt;
&lt;p&gt;Companies often require employees to regularly change their passwords for security purposes. &lt;a href="https://www.pcisecuritystandards.org/document_library?category=pcidss&amp;amp;document=pci_dss"&gt;PCI compliance&lt;/a&gt;, for example, requires that passwords be changed every 90 days. However, NIST, whose guidelines commonly become the foundation for security best practices across countless organizations, &lt;a href="https://www.passwordping.com/surprising-new-password-guidelines-nist/"&gt;recently revised&lt;/a&gt; its recommendations around password security. Its Digital Identity Guidelines (&lt;a href="https://pages.nist.gov/800-63-3/sp800-63b.html"&gt;NIST 800-63-3&lt;/a&gt;) now recommends &lt;em&gt;removing&lt;/em&gt; periodic password-change requirements due to a growing body of research suggesting that frequent password changes actually &lt;a href="https://arstechnica.com/information-technology/2016/08/frequent-password-changes-are-the-enemy-of-security-ftc-technologist-says/"&gt;makes security &lt;em&gt;worse&lt;/em&gt;&lt;/a&gt;. This is because these requirements encourage the use of passwords which are more susceptible to cracking (e.g. incrementing a number or altering a single character) or result in people writing their passwords down.&lt;/p&gt;</description></item></channel></rss>