Once again, an unnecessary periodic password change from Epic's "MyChart" and once again I want to print out a copy of the part of NIST Special Publication 800-63B saying that periodic password changes are BAD and nail it to their office door.
HTTP 1.1/418 Resistance Teapot (rmd1023@infosec.exchange)'s status on Tuesday, 23-Jan-2024 19:53:32 JST
Jake Hildreth (acorn) :blacker_heart_outline: (horse@infosec.exchange)'s status on Tuesday, 23-Jan-2024 19:53:30 JST
@rmd1023 Periodic password changes are bad, but there are other requirements in NIST 800-63B that must be in place before eliminating password changes.
For example: password filtering (to prevent the creation/continued use of weak/compromised passwords) and password storage requirements are an integral part of 800-63B.
If MyChart is unwilling or incapable of providing the additional protections required, periodic password changes are the superior choice.
Ultimately, the best solution is for MyChart to take the steps required to eliminate password changes, but there's so much more to 800-63B than "if you like your password, you can now keep it as long as you like!"
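As an added illustration (not code from either poster, and not Epic's), a minimal Python sketch of the two 800-63B memorized-secret controls named above: screening new passwords against a blocklist of weak, breached and context-specific values, and storing them with a salted, memory-hard hash. The blocklist here is a small constructed stand-in for a real breached-password corpus.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed stand-in for a breached/common-password corpus; a real deployment
# would screen against a large list (or a k-anonymity range lookup), not this.
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "welcome1", "iloveyou"}

MIN_LEN = 8   # 800-63B 5.1.1.2: verifiers SHALL require at least 8 characters
MAX_LEN = 64  # and SHALL permit at least 64, so reject only above that

# scrypt parameters (assumed values for the example): ~16 MiB of memory per hash
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def screen_password(pw: str, context_words: Tuple[str, ...] = ()) -> Tuple[bool, str]:
    """Return (accepted, reason). Exact match against the blocklist is
    case-insensitive; context-specific words (service name, username) are
    rejected wherever they appear inside the password."""
    if len(pw) < MIN_LEN:
        return False, "too short"
    if len(pw) > MAX_LEN:
        return False, "too long"
    lowered = pw.lower()
    if lowered in BLOCKLIST:
        return False, "commonly used or breached"
    for word in context_words:
        if word.lower() in lowered:
            return False, "contains context-specific word"
    return True, "ok"


def hash_password(pw: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, memory-hard storage: returns (salt, digest) to persist together."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(pw.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R,
                            p=SCRYPT_P, dklen=32)
    return salt, digest


def verify_password(pw: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.scrypt(pw.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R,
                               p=SCRYPT_P, dklen=32)
    return hmac.compare_digest(candidate, digest)
```

Note that the exact-match blocklist is deliberately narrow; the 800-63B requirement is met only when the list actually reflects breached and dictionary data, which is the part of the work the thread says MyChart would have to take on.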
HTTP 1.1/418 Resistance Teapot (rmd1023@infosec.exchange)'s status on Tuesday, 23-Jan-2024 21:09:46 JST
@horse Oh it's absolutely more complicated than just "keep your password". And I think it may be a setting from my hospital, rather than Epic. But this is ranting on the internet with some Top Insights (those letters may not be in the right order), not writing a coherent engineering statement.