Hacker News new | past | comments | ask | show | jobs | submit
kube-system | on: Apple decided not to roll out Siri in EU after denied request for exemption
Respectfully, it sounds like you just haven't dealt with any significant tax or regulatory tasks.

There's entire industries of experts who work on these tasks, and they don't just work for people trying to skirt the rules. I've hired people for both tasks and the reason was specifically to comply.

MBCook | parent
Not privacy, but as an example:

NIST, MS, and the security community all recommend against forcing people to change their passwords on fixed intervals. They should only be changed when there is an indication they have been compromised.

PCI requirements demand mandatory 30 day rotation intervals on user passwords for users with administrative privileges, IORC. Something like that.

They haven’t kept up. So until they change the rules you can either be PCI compliant or implement the current best practice. Not both.

kube-system | root | parent | next
And where the complexity comes in is where you need to comply with PCI and NIST 800-63 at the same time.
mike_d | root | parent
Your example completely ignores the temporal dimension.

The best practice was to rotate your passwords, but we discovered that this led users to picking less secure and easier to remember passwords and patterns.

Once technology offered up solutions to problems like password managers and breach notifications, that recommendation changed.

PCI used to mandate password changes for in-scope accounts (meaning they have access to credit card flows). Now that MFA is widely deployed that requirement only remains for accounts that do not have a second factor for authentication.

If you were ahead of the curve and implemented strong password policies that did not conform the the PCI baseline, all you had to do was explain to the auditor why. Assuming what you were doing genuinely increased your security posture it would be approved.

kube-system | root | parent
They specifically addressed the temporal element:

> They haven’t kept up.

Other standards all used to recommend password rotation. Most have amended it to deprecate or even prohibit password rotation.

> Once technology offered up solutions to problems like password managers and breach notifications, that recommendation changed

It wasn’t just that.

The original recommendation for password expiration failed to take into account the human practices that resulted.

Everyone has worked in an office with passwords on post-it notes, or seen passwords numbered with sequentially incremented integers at the end. Password rotation isn’t merely a baseline level of assurance, it has a negative impact on security because of the effect it has on password hygiene. In practice, passwords that expire can be easily guessed by appending something to the end of the prior password. And they are more likely to be written down in plaintext.

Permanent, non-expiring passwords without MFA are stronger in practice than expiring passwords.