I would say that password expiration and password rotation are not exactly the same thing. I think expiration has it’s place when pair with login time. Such as, if a user does not log in for X amount of days - begin a timer to expire the password. But rotational password changes harm the overall security posture of the concept of password security.
But, I agree with what @LittlePrimate@feddit.de said below, I don’t think I see how the changing of a password within a password manager would fall under the harmful category. Most managers have a system to actually expedite and simplify the password change process. I don’t think this needs to be used regularly but if you suspect that your account might be included in a breach or some other indication of compromise, then hit that “change me” button.
I would argue that the article’s stance on the “password manager, MFA, login” dance is the more harmful perspective. The MFA process has been significantly simplified and integrated into most login functions. We’re at least beyond the dongle number generator stage of consumer MFA. The combination of MFA and password managers is the primary and most accessible solution to today’s password woes.
I would say that password expiration and password rotation are not exactly the same thing. I think expiration has it’s place when pair with login time. Such as, if a user does not log in for X amount of days - begin a timer to expire the password. But rotational password changes harm the overall security posture of the concept of password security.
But, I agree with what @LittlePrimate@feddit.de said below, I don’t think I see how the changing of a password within a password manager would fall under the harmful category. Most managers have a system to actually expedite and simplify the password change process. I don’t think this needs to be used regularly but if you suspect that your account might be included in a breach or some other indication of compromise, then hit that “change me” button.
I would argue that the article’s stance on the “password manager, MFA, login” dance is the more harmful perspective. The MFA process has been significantly simplified and integrated into most login functions. We’re at least beyond the dongle number generator stage of consumer MFA. The combination of MFA and password managers is the primary and most accessible solution to today’s password woes.