topic Re: SSCP practice exam question. in SSCP Study Group

SSCP practice exam question.

ivanborgiey — Mon, 04 Sep 2023 17:55:13 GMT

I have a question regarding this matter.

Why is the answer is No expiration? I checked the NIST 800-63b but I didn't find anything about it

Re: SSCP practice exam question.

denbesten — Tue, 05 Sep 2023 02:05:55 GMT

Check out § 5.1.1.2 ¶ 9. "Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically)". I know, I know... everyone's gut reaction is "that's stupid; why would anyone recommend that?". Well, go read Appendix A of the very same document for the rationale.

Re: SSCP practice exam question.

JoePete — Tue, 05 Sep 2023 12:25:59 GMT

@ivanborgiey wrote:
Why is the answer is No expiration? I checked the NIST 800-63b but I didn't find anything about it

Look at 10.2.1 Intermittent Events:

"Do not require that memorized secrets be changed arbitrarily (e.g., periodically) unless there is a user request or evidence of authenticator compromise."

I think this gets overblown as "Don't change passwords." What NIST is saying is don't force users to change an effective password because, eventually, they will probably choose a bad one. This doesn't mean users, at their own choosing, shouldn't occasionally change their password. Or that security awareness training should discourage users from changing their passwords from time to time.

NIST suggests passwords should be checked against known breaches, and if a password matches one in such a breach, it should be changed. But if you are following other NIST recommendations (e.g., 32-bit unique salt on the passwords), the only time those passwords can effectively be checked is when the users set them. An "unbreakable password" 10 years ago is probably quite broken today. Users should still be changing passwords but it should be on their terms.

Re: SSCP practice exam question.

Lowveldrider — Tue, 05 Sep 2023 12:26:12 GMT

I must agree with you! To never let a password expire is not safe. The default for Windows Server is even 90 days if I am not mistaken.

PS. On which platform did you do these tests?

Re: SSCP practice exam question.

dcontesti — Tue, 05 Sep 2023 18:56:53 GMT

For my two cents, THIS is a terrible question and should not be used.

My thinking, one should know about NIST, etc. but if I am in a local manufacturing environment in Ireland, I probably do not care about NIST nor does my employer.

(ISC)2 has always maintained they are vendor independent and I believe that this level of knowledge is getting too far down in the weeds and becoming US Gov't. specific.

Re: SSCP practice exam question.

denbesten — Wed, 06 Sep 2023 13:37:48 GMT

@Lowveldrider wrote:
...To never let a password expire is not safe. ...

It is less about about good/bad; it is more about how big the bang for the buck. Appendix A details how NIST compared the alternatives to arrive at its recommendation.

@dcontesti is (as usual) spot-on with her observation that "this level of ~~knowledge~~ detail is getting too far down in the weeds". Practice exam writers seem to relish in testing ones ability to memorize trivia, ignoring the bigger message that expiration is not our only tool and that its effectiveness has been diminishing on it over time.

Re: SSCP practice exam question.

guerrdenn12 — Thu, 26 Oct 2023 22:59:26 GMT

As of 2023, NIST has requested comments on their newest revision of 800-63 (Digital Identity Guidelines). And as recently as 2020, NIST revised their password guidelines to emphasize password length over complexity, salting and hashing stored passwords, MFA, and making it easier for users to adhere to password security policies. Additionally, organizations should not require their employees to reset their passwords more than once per year, and they should monitor new passwords on a daily basis, testing them against lists of common and compromised passwords. Finally, NIST has identified a number of threats to authentication security, including password security, that businesses and industry professionals should keep in mind.

Re: SSCP practice exam question.

denbesten — Fri, 27 Oct 2023 04:09:41 GMT

@guerrdenn12 wrote:
Newest (draft) revision of 800-63... reset their passwords more than once per year.

Could you help me find that in the draft? Line 734 (page 14) of the draft continues to say "Verifiers SHALL NOT require users to periodically change memorized secrets." No mention of "once per year". Perhaps I am looking in the wrong place or there is a newer draft.

Re: SSCP practice exam question.

rubyedixon — Mon, 15 Apr 2024 11:15:27 GMT

Recently i passed my SSCP exam. I got the SSCP practice test from p2pexams and it was useful for me. By practicing with this practice test i got familiar with format of the actual exam and types of questions. This familiarity reduced my anxiety and increased my confidence level. It helped me identify and overcome my weak areas. I got key exam knowledge that helped me in passing my exam. Many questions in the final test came from this practice material.

Re: SSCP practice exam question.

Klusner090 — Thu, 16 Jan 2025 19:59:39 GMT

I came across this explanation while preparing for my exam on p2p-certs. NIST 800-63B advises against setting arbitrary password expiration periods unless there’s evidence of a compromise, making "No expiration" the correct choice.

Re: SSCP practice exam question.

DarkCerberus — Thu, 06 Feb 2025 21:41:48 GMT

It's stated that we are no longer supposed to enforce password changes. In other words, we cannot "force" a user to change their password.

Re: SSCP practice exam question.

dcontesti — Thu, 06 Feb 2025 21:53:45 GMT

I admit that I have not read the entire thread BUT the question is wrong.

According to NIST 800-63B

No forced password changes:
Avoid forcing users to change their passwords frequently, as it often leads to users creating weaker passwords.

The header of that section is misleading. You MUST read the entire document.

REALLY terrible question.. Should be corrected for removed from the Materials< Where did this question come from? Is this from an ISC2 publication?

Regards

Re: SSCP practice exam question.

akkem — Thu, 18 Sep 2025 13:18:56 GMT

Agree! NIST guidance, no longer enforce periodic password roatation. Instead requires complex passwords combing with MFA.
https://pages.nist.gov/800-63-3/sp800-63b.html

Re: SSCP practice exam question.

akkem — Thu, 18 Sep 2025 13:20:12 GMT

@xuiopika - Congratulations passing on SSCP!

Re: SSCP practice exam question.

Jaysamfong — Wed, 24 Sep 2025 17:37:30 GMT

This is what I found: NIST SP 800-63b

Section 5.1.1.2 - Memorized Secret Verifiers states:

"Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator."

Hope this helps! Technologies, tools, and processes do evolve based on evolving threats and evolving of these things mentioned.

Re: SSCP practice exam question.

meyis615 — Wed, 17 Dec 2025 10:21:32 GMT

@xuiopika spam

Re: SSCP practice exam question.

nkeaton — Wed, 17 Dec 2025 13:02:08 GMT

@xuiopika This is a dump site and should not be used. Anyone who posts or advocates use of a dump site risks losing Community access and/or their certification.