Microsoft apparently now believes that having passwords expire – in other words, forcing users to change their login password every, say, 6 months – isn’t a useful security measure.
In a new draft security baseline, Microsoft has changed its guidance for the next version of Windows 10 (the imminent May 2019 Update, as well as Windows Server) to drop “password-expiration policies that require periodic password changes”.
Microsoft argues that when people are required to create passwords that are hard to remember, they often write them down to make them easier to recall, with obvious security risks. And when people are forced to change passwords, “too often they’ll create a small, predictable alteration for their existing passwords, and/or forget their new passwords”.
Microsoft’s post on TechNet further explains: “Recent scientific research calls into question the value of many long-standing password-security practices such as password expiration policies, and points instead to better alternatives such as enforcing banned-password lists (a great example being Azure AD password protection) and multi-factor authentication.”
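The two alternatives the post favours over expiry, a banned-password list and rejecting the “small, predictable alteration” users make when forced to change a password, are easy to illustrate in code. The following is an added example written for this article; it is not Microsoft’s code and does not reproduce the algorithm Azure AD password protection uses. The banned-term list, the leet-speak substitution table, the 12-character minimum and the edit-distance threshold of 2 are all assumptions chosen for the illustration.

```python
import re
from typing import List, Optional

# Constructed sample of an organisation's banned-term list (assumption; a real
# deployment would combine a global list with company-specific words).
BANNED_TERMS = ("password", "welcome", "contoso", "spring", "summer", "winter", "autumn")

# Common character substitutions undone before matching, so "P@ssw0rd" still hits "password".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(pw: str) -> str:
    """Lower-case the candidate and undo leet substitutions for banned-term matching."""
    return pw.lower().translate(LEET)


def contains_banned_term(pw: str) -> Optional[str]:
    """Return the first banned term found inside the normalized password, else None."""
    s = normalize(pw)
    for term in BANNED_TERMS:
        if term in s:
            return term
    return None


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; small values mean one string is a minor tweak of the other."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_predictable_alteration(old: str, new: str, max_edits: int = 2) -> bool:
    """Detect the trivial changes users make under forced rotation:
    Password1 -> Password2 (same letters, only leading/trailing digits or symbols differ),
    case changes only, the old password reversed, or at most max_edits character edits."""
    def stem(p: str) -> str:
        return re.sub(r"^[^a-z]+|[^a-z]+$", "", p.lower())

    o, n = old.lower(), new.lower()
    if stem(o) and stem(o) == stem(n):
        return True
    if o == n or o == n[::-1]:
        return True
    return levenshtein(o, n) <= max_edits


def evaluate(new: str, old: Optional[str] = None, min_len: int = 12) -> List[str]:
    """Return the reasons a candidate password is rejected; an empty list means accepted."""
    reasons = []
    if len(new) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    term = contains_banned_term(new)
    if term:
        reasons.append(f"contains banned term '{term}'")
    if old is not None and is_predictable_alteration(old, new):
        reasons.append("predictable alteration of previous password")
    return reasons


if __name__ == "__main__":
    # Constructed sample rotations, old -> new, as a user might type them at a forced reset.
    for old, new in [("Password1", "Password2"),
                     ("Winter2018!", "correct horse battery staple"),
                     ("Tr0ub4dor&3xtra", "Tr0ub4dor&3xtrb")]:
        print(f"{old!r} -> {new!r}: {evaluate(new, old) or 'accepted'}")
```

The second check is the interesting one: a plain banned list catches `Summer2019!`, but only comparing the candidate against the previous password catches the `Password1` to `Password2` rotation the post describes, which is exactly the behaviour expiry policies provoke.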
Microsoft’s argument runs: if it’s a “given” that a password is likely to be stolen, how long is an acceptable period to allow the thief to carry on using, and potentially abusing, that login?
Windows’ default is currently 42 days, which the post addresses directly: “Doesn’t that seem like a ridiculously long time? Well, it is, and yet our current baseline says two months – and used to say 90 days – because forcing frequent expiration introduces its own problems. And if it’s not a given that passwords will be stolen, you acquire those problems for no benefit.
“Further, if your users are the kind who are willing to answer surveys in the parking lot that exchange a candy bar for their passwords, no password expiration policy will help you.”
That is, of course, a fair point, and Microsoft’s conclusion is that periodic password expiration is an “ancient and obsolete mitigation of very low value”, and the firm doesn’t believe it’s worthwhile for the Windows baseline security guidelines to enforce any specific value for it.
Put simply, companies are free to do whatever best suits them, with Microsoft making no recommendation on this front going forward.
Note that this is only a draft document right now, so these are just proposed changes, but Microsoft has certainly put a weighty argument behind the move.
Of course, this (potential) shift in security stance is guidance for businesses, and so doesn’t affect people running Windows 10 at home. However, many of us use password-protected systems or services of one sort or another at work, and these usually have periodic forced password reset policies.
So this draft document could lead to a rethink of those policies, given Microsoft’s fairly forceful arguments, and the pain of having to change your password regularly at work may soon be a thing of the past, replaced by better and more apt modern security measures such as multi-factor authentication.