Computer security guidelines getting updated

This is good news.

This comes about a year after NIST said the same thing.

Now the next step is getting major corporations to take heed. I have to log in to half a dozen different programs at work to do my job. Most of the programs expire passwords after 45 or 90 days.

It’s even more fun when you use a smart card to log in every day, but STILL have to change the password you never use every 90 days. So I get to call to reset my password, so I can log in to change my password, so I can log out and log back in with my smart card.

I especially hate the periodic emails that say “Someone tried to log into your account. But your password/security questions stopped them. So you must change your password/security questions.” I guess they want me to pick an easier-to-guess password.

At my last job, I was able to get our policy changed so everyone had to pick a long password, but the password never expired. One wrinkle, though, is that some regulations (e.g., HIPAA) still require password expiry. I think PCI-DSS does too, but I don’t remember for sure offhand. So some organizations that might want to do away with it are prevented from doing so.

Luckily, I didn’t have to deal with those issues at my last job.

I haven’t changed my gmail password in an extremely long time, probably over a decade. I suspect that Google knows a whole lot more about real password security than the corporate drones at most large firms who are not in the computer business. I don’t see why if you just use a salted hash to store it that you’d ever worry about needing to change it. There’s literally no information you can get from a properly implemented salted hash. I assume that’s what they do at the mega tech giants for whom I never have to change the most useful password that could possibly be stolen from me.

I have to change my work password every three months for two different systems. They originally were not the same password and didn’t expire on the same day. After the first round of that cycle, things definitely changed. Now they are the same password, and when one expires, I change the other one immediately after the one expiring.