ivanborgiey
Newcomer I

SSCP practice exam question.

I have a question regarding this matter. SSCP.JPG

 

Why is the answer "No expiration"? I checked NIST 800-63b but I didn't find anything about it.

15 Replies
DarkCerberus
Viewer

It's stated that we are no longer supposed to enforce password changes. In other words, we cannot "force" a user to change their password. 

dcontesti
Community Champion

I admit that I have not read the entire thread BUT the question is wrong.

 

According to NIST 800-63B

 

  • No forced password changes:
    Avoid forcing users to change their passwords frequently, as it often leads to users creating weaker passwords. 

The header of that section is misleading.  You MUST read the entire document.

 

REALLY terrible question. Should be corrected or removed from the materials. Where did this question come from? Is this from an ISC2 publication?

 

Regards

 

d

 

xuiopika
Viewer


Passing SSCP felt easy after preparing with Passexam-hub. Their questions were so close to the real exam. Highly impressed!

akkem
Contributor III

Agree! NIST guidance no longer enforces periodic password rotation. Instead it requires complex passwords combined with MFA.
https://pages.nist.gov/800-63-3/sp800-63b.html

akkem
Contributor III

@xuiopika - Congratulations on passing SSCP!

Jaysamfong
Viewer

This is what I found: NIST SP 800-63b

Section 5.1.1.2 - Memorized Secret Verifiers states:

   "Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically).  However, verifiers SHALL force a change if there is evidence of compromise of the authenticator."

 

Hope this helps! Technologies, tools, and processes do evolve based on evolving threats and the evolution of the things mentioned.
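To make the distinction in the quoted 5.1.1.2 text concrete, here is a small added example (not from the thread or from NIST) that runs a legacy 90-day expiry rule and the 800-63B rule over a constructed set of accounts; the account records, dates and the `compromise_evidence` flag are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Account:
    """Constructed account record as a verifier might store it."""
    user: str
    last_changed: date
    compromise_evidence: bool  # e.g. credential found in a breach corpus or a confirmed compromise


def legacy_policy(acct: Account, today: date, max_age_days: int = 90) -> bool:
    """Traditional rule: force a change after max_age_days, regardless of evidence."""
    return (today - acct.last_changed).days >= max_age_days or acct.compromise_evidence


def nist_800_63b_policy(acct: Account, today: date) -> bool:
    """SP 800-63B 5.1.1.2 as quoted above: no arbitrary (periodic) expiry;
    a change is required only when there is evidence the authenticator was compromised."""
    return acct.compromise_evidence


def accounts_to_rotate(accounts, policy, today: date) -> list:
    """Return the users that the given policy would force to change their password."""
    return sorted(a.user for a in accounts if policy(a, today))


# Constructed sample data: a reference date and four accounts in different states.
TODAY = date(2024, 6, 1)
SAMPLE = [
    Account("alice", TODAY - timedelta(days=400), False),  # old password, no evidence of compromise
    Account("bob",   TODAY - timedelta(days=10),  True),   # recently changed, but compromised
    Account("carol", TODAY - timedelta(days=95),  True),   # both old and compromised
    Account("dave",  TODAY - timedelta(days=30),  False),  # recent, no evidence
]

if __name__ == "__main__":
    print("legacy 90-day rule forces:", accounts_to_rotate(SAMPLE, legacy_policy, TODAY))
    print("800-63B rule forces:      ", accounts_to_rotate(SAMPLE, nist_800_63b_policy, TODAY))
```

Under the 800-63B rule alice keeps her 400-day-old password, which is exactly why the practice exam's answer is "No expiration", while bob and carol are still forced to change because of the compromise evidence.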