Comment by MBCook
3 days ago
I’ve been told PCI does as well, though I don’t know if that’s really still true.
Edit: jjav beat me to it below, confirming it is.
3 days ago
PCI DSS 4.0 does not require password rotation unless the password is the only authentication (i.e. no MFA).
Use MFA, and you don't need to rotate.
>Clarified that this requirement applies if passwords/passphrases are used as the only authentication factor for user access (i.e., in any single-factor authentication implementation).
>Added the option to determine access to resources automatically by dynamically analyzing the security posture of accounts, instead of changing passwords/passphrases at least once every 90 days.