ivanborgiey
Newcomer I

SSCP practice exam question.

I have a question regarding this matter. (Attached screenshot: SSCP.JPG)

 

Why is the answer "No expiration"? I checked NIST 800-63B but I didn't find anything about it.

8 Replies
denbesten
Community Champion

Check out § 5.1.1.2 ¶ 9.    "Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically)".  I know, I know... everyone's gut reaction is "that's stupid; why would anyone recommend that?".  Well, go read Appendix A of the very same document for the rationale.

JoePete
Advocate I


@ivanborgiey wrote:

Why is the answer "No expiration"? I checked NIST 800-63B but I didn't find anything about it.


Look at 10.2.1 Intermittent Events:


"Do not require that memorized secrets be changed arbitrarily (e.g., periodically) unless there is a user request or evidence of authenticator compromise."

 

I think this gets overblown as "Don't change passwords." What NIST is saying is don't force users to change an effective password because, eventually, they will probably choose a bad one. This doesn't mean users, at their own choosing, shouldn't occasionally change their password. Or that security awareness training should discourage users from changing their passwords from time to time.

 

NIST suggests passwords should be checked against known breaches, and if a password matches one in such a breach, it should be changed. But if you are following other NIST recommendations (e.g., 32-bit unique salt on the passwords), the only time those passwords can effectively be checked is when the users set them. An "unbreakable password" 10 years ago is probably quite broken today. Users should still be changing passwords but it should be on their terms.
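Worked example, added here to illustrate the point made in the post above; it is not code from any poster, from (ISC)2 or from NIST. It shows what a verifier built along the lines of SP 800-63B § 5.1.1.2 does instead of expiring passwords: length check, blocklist check, no composition rules, and a per-user random salt with a slow hash. The blocklist entries, the sample passwords and the KDF iteration count are constructed for the demo, and the function names are my own. It also shows why, once the secret is stored salted and hashed, screening it against a breach list is only cheap when the plaintext is in hand (at enrollment or at login), which is the point JoePete makes above.

```python
"""Memorized-secret verifier in the spirit of NIST SP 800-63B section 5.1.1.2.

Added example (not from the thread or from NIST). Blocklist, sample
secrets and the iteration count are constructed for the demo.
"""
import hashlib
import hmac
import secrets
import unicodedata

# Constructed stand-in for a breach corpus plus common/dictionary words.
# A real deployment loads a large list (breach feed, dictionary, etc.).
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "welcome1", "winter2023"}

MIN_LENGTH = 8             # 800-63B: secrets of at least 8 characters must be accepted
MAX_LENGTH = 64            # 800-63B: at least 64 characters must be allowed
SALT_BYTES = 16            # 128-bit salt; 800-63B requires at least 32 bits
KDF_ITERATIONS = 100_000   # demo value (assumption); use a higher cost in production


def _normalize(secret: str) -> str:
    # 800-63B: apply Unicode normalization before counting and hashing
    return unicodedata.normalize("NFKC", secret)


def check_new_secret(candidate, context_words=(), blocklist=BLOCKLIST):
    """Return the reasons a proposed secret is rejected (empty list = accepted).

    Length and blocklist membership are the rules; there are deliberately no
    composition rules (upper/lower/digit/symbol) and no expiry date.
    """
    secret = _normalize(candidate)
    reasons = []
    if len(secret) < MIN_LENGTH:
        reasons.append("too short")
    if len(secret) > MAX_LENGTH:
        reasons.append("too long")
    if secret in blocklist:
        reasons.append("on blocklist")
    lowered = secret.lower()
    if any(w and w.lower() in lowered for w in context_words):
        reasons.append("contains context-specific word")
    return reasons


def _derive(secret, salt, iterations):
    return hashlib.pbkdf2_hmac("sha256", _normalize(secret).encode("utf-8"), salt, iterations)


def enroll(candidate, context_words=(), blocklist=BLOCKLIST):
    """Accept a new secret and return the record the verifier stores."""
    reasons = check_new_secret(candidate, context_words, blocklist)
    if reasons:
        raise ValueError("rejected: " + ", ".join(reasons))
    salt = secrets.token_bytes(SALT_BYTES)          # unique per user
    return {"salt": salt, "iterations": KDF_ITERATIONS,
            "hash": _derive(candidate, salt, KDF_ITERATIONS)}


def login(record, attempt, blocklist=BLOCKLIST):
    """Verify an attempt; return (authenticated, must_change).

    The plaintext is in hand here, so re-screening against a blocklist that
    grew since enrollment is a cheap set lookup. This is where "change on
    evidence of compromise" can actually be triggered.
    """
    digest = _derive(attempt, record["salt"], record["iterations"])
    ok = hmac.compare_digest(digest, record["hash"])
    must_change = ok and _normalize(attempt) in blocklist
    return ok, must_change


def offline_blocklist_hit(record, blocklist=BLOCKLIST):
    """Screen a stored record without the plaintext.

    Because of the per-user salt this costs one full KDF run per blocklist
    entry per user. Fine for a six-entry demo list; with millions of entries
    and thousands of users it is impractical, which is why the check belongs
    at set time and login time. Returns the matching entry or None.
    """
    for entry in blocklist:
        if hmac.compare_digest(_derive(entry, record["salt"], record["iterations"]),
                               record["hash"]):
            return entry
    return None


if __name__ == "__main__":
    rec = enroll("correct horse battery staple")
    print(login(rec, "correct horse battery staple"))   # (True, False)
    print(check_new_secret("password"))                 # ['on blocklist']
```

Usage note: `login()` is the cheap place to catch a password that turned up in a breach after it was set; `offline_blocklist_hit()` exists only to show the cost of doing the same against stored salted hashes.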

Lowveldrider
Viewer III

I must agree with you!  To never let a password expire is not safe.  The default for Windows Server is even 90 days if I am not mistaken.  

PS.  On which platform did you do these tests?

dcontesti
Community Champion

For my two cents, THIS is a terrible question and should not be used.

 

My thinking, one should know about NIST, etc. but if I am in a local manufacturing environment in Ireland, I probably do not care about NIST nor does my employer.

 

(ISC)2 has always maintained they are vendor independent and I believe that this level of knowledge is getting too far down in the weeds and becoming US Gov't. specific.

 

d

 

denbesten
Community Champion


@Lowveldrider wrote:

...To never let a password expire is not safe.  ...


It is less about good/bad; it is more about how big the bang for the buck is.   Appendix A details how NIST compared the alternatives to arrive at its recommendation.

 

@dcontesti is (as usual) spot-on with her observation that "this level of knowledge detail is getting too far down in the weeds".  Practice exam writers seem to relish testing one's ability to memorize trivia, ignoring the bigger message that expiration is not our only tool and that its effectiveness has been diminishing over time.

guerrdenn12
Viewer

 As of 2023, NIST has requested comments on their newest revision of 800-63 (Digital Identity Guidelines). And as recently as 2020, NIST revised their password guidelines to emphasize password length over complexity, salting and hashing stored passwords, MFA, and making it easier for users to adhere to password security policies. Additionally, organizations should not require their employees to reset their passwords more than once per year, and they should monitor new passwords on a daily basis, testing them against lists of common and compromised passwords. Finally, NIST has identified a number of threats to authentication security, including password security, that businesses and industry professionals should keep in mind.

denbesten
Community Champion


@guerrdenn12 wrote:

 Newest (draft) revision of 800-63...   reset their passwords more than once per year.


Could you help me find that in the draft?  Line 734 (page 14) of the draft continues to say "Verifiers SHALL NOT require users to periodically change memorized secrets."  No mention of "once per year".  Perhaps I am looking in the wrong place or there is a newer draft.

rubyedixon
Viewer

Recently I passed my SSCP exam. I got the SSCP practice test from p2pexams and it was useful for me. By practicing with this practice test I got familiar with the format of the actual exam and the types of questions. This familiarity reduced my anxiety and increased my confidence level. It helped me identify and overcome my weak areas. I got key exam knowledge that helped me in passing my exam. Many questions in the final test came from this practice material.