Summary

NIST(National Institute of Standards and Technology) の部門CSD(Computer Security Division) が発行する
Special Publication 800-63B Digital Authentication Guideline の
5.1.1.2 Memorized Secret Verifiers についての話題。

「システムはパスワードの定期的な変更をユーザーに要求すべきではない」の原文はこのあたり。

Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically) unless there is evidence of compromise of the authenticator or a subscriber requests a change.

「秘密の質問を使用するべきではない」の原文はこのあたり。

Memorized secret verifiers SHALL NOT permit the subscriber to store a “hint” that is accessible to an unauthenticated claimant. Verifiers also SHALL NOT prompt subscribers to use specific types of information (e.g., “What was the name of your first pet?”) when choosing memorized secrets.

Reference

DRAFT NIST Special Publication 800-63B Digital Authentication Guideline
https://pages.nist.gov/800-63-3/sp800-63b.html

via

やじうまWatch - 2016-06-27 - 「パスワードの定期変更をユーザーに求めるべきではない」……NISTの文書でついに明示へ
http://internet.watch.impress.co.jp/docs/yajiuma/1007177.html