Summary
Notes on section 5.1.1.2 Memorized Secret Verifiers of Special Publication 800-63B Digital Authentication Guideline, published by the Computer Security Division (CSD) of NIST (National Institute of Standards and Technology).
The original text behind "systems should not require users to change passwords periodically" is this passage:
Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically) unless there is evidence of compromise of the authenticator or a subscriber requests a change.
The original text behind "secret questions should not be used" is this passage:
Memorized secret verifiers SHALL NOT permit the subscriber to store a “hint” that is accessible to an unauthenticated claimant. Verifiers also SHALL NOT prompt subscribers to use specific types of information (e.g., “What was the name of your first pet?”) when choosing memorized secrets.
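As an added illustration (not part of this note or of NIST's text), a verifier-side policy in Python that puts the two clauses above side by side with the age-based expiry they replace: a change is demanded only on evidence of compromise or a subscriber request, and registrations carrying a hint are refused. The breach-hash set, the incident-response flag and the record layout are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed stand-in for "evidence of compromise": hashes of secrets known to
# have leaked. A real verifier would consult an incident flag or a breach feed,
# and store a salted memory-hard hash rather than bare SHA-256 (simplified here).
def _h(secret: str) -> str:
    return hashlib.sha256(secret.encode()).hexdigest()

LEAKED_HASHES = {_h("password123"), _h("letmein")}

@dataclass
class Credential:
    subscriber: str
    secret_hash: str
    last_changed: datetime
    compromise_flag: bool = False   # set by incident response, not by a clock
    change_requested: bool = False  # the subscriber asked for a new secret
    hint: Optional[str] = None      # 800-63B: must not be stored at all

def evidence_of_compromise(cred: Credential) -> bool:
    return cred.compromise_flag or cred.secret_hash in LEAKED_HASHES

def legacy_must_change(cred: Credential, now: datetime, max_age_days: int = 90) -> bool:
    """Age-based expiry: the practice 800-63B moves away from."""
    return now - cred.last_changed > timedelta(days=max_age_days)

def sp800_63b_must_change(cred: Credential) -> bool:
    """Rotate only on evidence of compromise or a subscriber request."""
    return evidence_of_compromise(cred) or cred.change_requested

def accept_registration(cred: Credential) -> tuple:
    """Reject any hint; an unauthenticated claimant must never be able to see one."""
    if cred.hint is not None:
        return False, "memorized-secret hints are not stored"
    return True, "ok"

def demo() -> dict:
    """Run both policies over constructed records; returns {name: (legacy, 800-63B)}."""
    now = datetime(2016, 6, 27)
    def cred(pw, age_days, **flags):
        return Credential("alice", _h(pw), now - timedelta(days=age_days), **flags)
    records = {
        "stale_but_healthy": cred("correct horse battery", 120),
        "fresh_but_leaked": cred("password123", 3),
        "fresh_flagged_by_ir": cred("correct horse battery", 3, compromise_flag=True),
        "user_requested": cred("correct horse battery", 3, change_requested=True),
    }
    out = {k: (legacy_must_change(v, now), sp800_63b_must_change(v)) for k, v in records.items()}
    out["hint_registration_accepted"] = accept_registration(cred("x", 0, hint="first pet"))[0]
    return out
```

The stale-but-healthy record is the case the guideline targets: the legacy policy forces a change, the 800-63B policy does not, while the freshly changed but leaked secret is caught only by the compromise check.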
Reference
DRAFT NIST Special Publication 800-63B Digital Authentication Guideline
https://pages.nist.gov/800-63-3/sp800-63b.html
via
やじうまWatch - 2016-06-27 - "Users should not be required to change passwords periodically" ... finally made explicit in a NIST document
http://internet.watch.impress.co.jp/docs/yajiuma/1007177.html