Comment by MBCook 5 days ago

I’ve been told PCI does as well, though I don’t know if that’s really still true.

Edit: jjav beat me to it below, confirming it is.

qualeed 4 days ago

PCI DSS 4.0 does not require password rotation unless the password is the only authentication (i.e. no MFA).

Use MFA, and you don't need to rotate.

> Clarified that this requirement applies if passwords/passphrases are used as the only authentication factor for user access (i.e., in any single-factor authentication implementation).

> Added the option to determine access to resources automatically by dynamically analyzing the security posture of accounts, instead of changing passwords/passphrases at least once every 90 days.