
At my work we signed a deal with one of the big three credit reporting agencies that had a well publicized security breach a little while back.

As part of this, they sent us some security due diligence questions, which is fairly routine. One of the things that they wanted us to agree to was that we force all of our employees to change their passwords every $timeperiod.

They insisted that this was important for security, and only backed off after we sent them references from all of Microsoft[0], NIST[1] and the UK National Cyber Security Centre[2] saying that doing so would reduce security.

My suspicion though is that they only removed it from our specific contract, and they hadn't changed the entire process. I would have hoped that after their security breach (this happened afterwards) they would have reviewed their security and improved it, but unfortunately that didn't seem to be the case. There were a fair few other things in the review that were generally poor security-wise, but that one is the one that stood out to me.

[0] Can't find the reference I probably used, but this talks about it: https://arstechnica.com/information-technology/2019/06/micro... (I think Microsoft was one of the links we sent them?)

[1] https://pages.nist.gov/800-63-3/sp800-63b.html#memsecretver

[2] https://www.ncsc.gov.uk/blog-post/problems-forcing-regular-p...



"Password guidelines for administrators" from Microsoft: https://learn.microsoft.com/en-us/microsoft-365/admin/misc/p...

Third on the list: "Don't require mandatory periodic password resets for user accounts"

Just a bit below that, they specifically call out why instituting password expiration is a bad idea: https://learn.microsoft.com/en-us/microsoft-365/admin/misc/p...


I protested this exact thing at $workplace last year, but they said that the NIST recommendation was "only a draft", and that the NZ government security services hasn't yet updated their recommendation. So here we are, incrementing a number every couple of months to keep the robots happy.


One of our vendors started requiring a monthly password change. Now, you can walk through the office and see half a dozen passwords on Post-It notes in plain view. I explained this to them, and received a response that seemed to think I was asking what a password was for.
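The guidance the thread cites (NIST SP 800-63B §5.1.1.2, Microsoft's admin guidelines) replaces age-based expiry with two verifier-side rules: screen new passwords against a breached-password corpus at set time, and force a reset only when there is evidence of compromise. The following is an added example, not code from any commenter or from the cited agencies; the account fields, the `compromised` flag and the tiny SHA-1 blocklist are constructed stand-ins for a real breach corpus.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed stand-in for a breach corpus; real corpora (e.g. HIBP range
# queries) are keyed by SHA-1 of the plaintext, which is why SHA-1 is used
# here for lookup only, never for storing credentials.
BLOCKLIST_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("password", "Summer2023!", "qwerty123", "P@ssw0rd")
}


@dataclass
class Account:
    username: str
    password_set_at: datetime
    compromised: bool = False  # set by IR/monitoring when evidence exists


def validate_new_password(pw: str, blocklist=BLOCKLIST_SHA1) -> tuple[bool, str]:
    """Set-time checks per 800-63B: length bounds and breach screening only.
    No composition rules and no 'must differ from the last N' rule."""
    if len(pw) < 8:
        return False, "too short (minimum 8 characters)"
    if len(pw) > 64:
        return False, "too long (verifier accepts at most 64)"
    if hashlib.sha1(pw.encode()).hexdigest() in blocklist:
        return False, "appears in breached-password corpus"
    return True, "ok"


def legacy_requires_reset(acct: Account, now: datetime, max_age_days: int = 90) -> bool:
    """The weak policy the thread argues against: reset purely on age."""
    return now - acct.password_set_at > timedelta(days=max_age_days)


def nist_requires_reset(acct: Account, now: datetime) -> bool:
    """The corrected policy: age is irrelevant; only compromise evidence
    triggers a forced change."""
    return acct.compromised


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    old_but_fine = Account("alice", now - timedelta(days=400))
    fresh_but_leaked = Account("bob", now - timedelta(days=3), compromised=True)
    print(legacy_requires_reset(old_but_fine, now), nist_requires_reset(old_but_fine, now))
    print(legacy_requires_reset(fresh_but_leaked, now), nist_requires_reset(fresh_but_leaked, now))
```

The second account is the case age-based expiry misses entirely: a three-day-old password that is already known to be leaked keeps working under the legacy policy until the calendar rolls over.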



