As others have stated, the human behavior aspect of security is going to be a weak spot, with passwords written on Post-it notes or stored in password managers that become compromised. Users who reuse their passwords across accounts are also a huge issue. Enabling and requiring 2FA on accounts should help alleviate the issue and cut down on account compromises. Another tried and true security measure is locking the account after a certain number of failed login attempts.
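The lockout control mentioned in the comment above, as an added example that is not part of the original comment or thread. It implements the throttling shape NIST SP 800-63B actually calls for (a bounded count of failed attempts per window, with growing delays) rather than a permanent lock, because a hard lock after N failures lets anyone who knows a username deny service to its owner. The throttle check runs before the password is verified, so a throttled request never learns whether the guess was right. Constants, the `LoginThrottle` class, `attempt_login` and the `FakeClock` used for the offline demo are all assumptions for illustration.

```python
"""Failed-login throttling: sliding window, exponential backoff, bounded lockout.

Added example; not code from the original page. Names and limits are illustrative.
"""
import time
from dataclasses import dataclass, field

MAX_FAILURES = 5          # failures allowed inside the window before locking out
WINDOW_SECONDS = 15 * 60  # sliding window in which failures are counted
BASE_DELAY = 2            # seconds; the wait doubles with each further failure


@dataclass
class AccountState:
    failures: list = field(default_factory=list)  # timestamps of recent failures


class LoginThrottle:
    """Per-account throttle keyed by username. `now` is injectable for testing."""

    def __init__(self, now=time.time):
        self._now = now
        self._accounts = {}

    def _state(self, username):
        return self._accounts.setdefault(username, AccountState())

    def _prune(self, st, now):
        # Drop failures that have aged out of the sliding window.
        cutoff = now - WINDOW_SECONDS
        st.failures = [t for t in st.failures if t > cutoff]

    def retry_after(self, username):
        """Seconds the caller must wait before another attempt is accepted (0 = now)."""
        now = self._now()
        st = self._state(username)
        self._prune(st, now)
        n = len(st.failures)
        if n == 0:
            return 0.0
        if n >= MAX_FAILURES:
            # Locked out until the oldest failure ages out of the window;
            # the lock is bounded, never permanent.
            return max(0.0, st.failures[0] + WINDOW_SECONDS - now)
        # Exponential backoff measured from the most recent failure.
        delay = BASE_DELAY * (2 ** (n - 1))
        return max(0.0, st.failures[-1] + delay - now)

    def record_result(self, username, success):
        now = self._now()
        st = self._state(username)
        if success:
            st.failures.clear()          # a good login resets the counter
        else:
            self._prune(st, now)
            st.failures.append(now)


def attempt_login(throttle, username, password, verify):
    """Returns (status, retry_after_seconds); status is 'ok', 'denied' or 'throttled'.

    `verify(username, password)` is the real credential check (assumed here).
    The throttle is consulted first, so a throttled request never evaluates
    the password and therefore leaks nothing about it.
    """
    wait = throttle.retry_after(username)
    if wait > 0:
        return ("throttled", wait)
    ok = verify(username, password)
    throttle.record_result(username, ok)
    return ("ok", 0.0) if ok else ("denied", throttle.retry_after(username))


class FakeClock:
    """Constructed clock for the offline demo; replaces time.time()."""

    def __init__(self, start=1000.0):
        self.t = start

    def __call__(self):
        return self.t


if __name__ == "__main__":
    clk = FakeClock()
    throttle = LoginThrottle(now=clk)
    verify = lambda user, pw: pw == "correct horse battery staple"  # constructed check
    for step in (0.0, 0.0, 2.0, 4.0, 8.0, 16.0):
        clk.t += step
        print(clk.t, attempt_login(throttle, "alice", "wrong", verify))
    print(clk.t, attempt_login(throttle, "alice", "correct horse battery staple", verify))
```

In production the failure timestamps would live in a shared store (the login service is usually replicated), and a per-source-IP limit belongs alongside the per-account one so that a distributed guesser cannot stay under the per-account threshold indefinitely.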
In general I like the new ruling, but something about "No more expiration without reason" just doesn't feel right.
It shouldn't happen, but we know that users sometimes "share" accounts with each other and that occasionally the leavers process misses an account.
Password expiration is at least a partial control for those events.
As many have stated, 2FA is probably the answer. I don't know why NIST have not mentioned it in the ruling.
Oh, the irony...
I just created my account on here to comment on this post, and when creating my account I ran into this:
Password management is an increasingly burdensome task, for the average user and for enterprise level situations.
I think such frameworks and guidelines are a great starting point...
In January 2017, the French Data Protection Authority (CNIL) is adopting a recommendation on passwords to guarantee minimum security in this respect. It is also providing businesses and citizens alike with practical tools.
I like many of the new recommendations. I've always been a big fan of making password policies user friendly, allowing longer passphrases and eliminating odd requirements. Non-expiring passwords are an interesting twist that I hadn't given much thought to. It seems to be in practice on many banking websites, so I'm curious to see if that continues to take off.