According to SP800-63B, how often should passwords be changed?


The guidance in SP800-63B is that passwords should not be changed on a fixed schedule, such as every 30 days, every 45 to 90 days, or any other periodic timeline. Instead, users should be required to change their passwords only when there is evidence of compromise. This approach is based on the understanding that frequent, mandatory password changes lead to weaker password practices (such as users choosing simpler passwords or writing them down) and cause user fatigue.

The options provided, including the one selected, imply a requirement for periodic changes, which does not align with SP800-63B's guidance. The correct interpretation is that user security is maintained more effectively by focusing on preventing and detecting compromise than by enforcing arbitrary timeframes for password changes. When users change their passwords only when necessary, overall password strength improves and the risk of breaches stemming from poor password management decreases.
