[Servercert-wg] Routine password changes

Tim Hollebeek tim.hollebeek at digicert.com
Thu Jan 30 16:11:14 MST 2020


For those who are ignoring this because it's a SHOULD: On April 1, it
changes to a SHALL.

 

-Tim

 

From: Servercert-wg <servercert-wg-bounces at cabforum.org> On Behalf Of Tim
Hollebeek via Servercert-wg
Sent: Thursday, January 30, 2020 2:32 PM
To: CA/B Forum Server Certificate WG Public Discussion List
<servercert-wg at cabforum.org>
Subject: [Servercert-wg] Routine password changes

 

 

Just a reminder that effective April 1, 2020, the new rules about routine
password changes go into effect (SC3).  CAs should examine their password
policies, and make sure they are not requiring password changes more often
than every two years.

 

This does not apply to non-routine password changes.  If a password is
compromised, or needs to be changed for any other reason, it can be changed,
regardless of its age.  As the requirements state, "If the CA has any policy
that specifies routine periodic password changes, that period SHOULD NOT be
less than two years."

 

This is to prevent users from selecting passwords like "Spring2020!" or
"Pass4/20", where half of the password is easily guessable due to attempts
by users to cope with overly frequent password changes.

 

-Tim

 

P.S. Compromising all your passwords every 90 days is not a reasonable way
of complying with both this requirement and other schemes that require
periodic changes :P  Figure something else out.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20200130/12bd2e4f/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4940 bytes
Desc: not available
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20200130/12bd2e4f/attachment-0001.p7s>


More information about the Servercert-wg mailing list