Microsoft apparently now believes that having passwords expire – in other words, a policy under which the user is forced to change their login password every, say, six months – isn’t a useful security measure.
In a new draft piece of security guidance, Microsoft has changed its baseline rules for the next version of Windows 10 (the imminent May 2019 Update, as well as Windows Server) to drop the “password-expiration policies that require periodic password changes”.
Microsoft argues that when people are forced to create passwords that are hard to remember, they often write them down to make them easier to recall, with obvious major security risks. And, when people have to change passwords, “too often they’ll create a small and predictable alteration to their existing passwords, and/or forget their new passwords”.
Microsoft’s post on TechNet further explains: “Recent scientific research calls into question the need for many long-standing password-security practices such as password expiration policies, and points instead to higher alternatives such as enforcing banned-password lists (an excellent example being Azure AD password protection) and multi-factor authentication.”
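The two points above, the “small and predictable alteration” users make at reset time and the banned-password list Microsoft names as the better alternative, are easy to see in a password-acceptance check. The following is an added Python example, not code from the article or from Microsoft; the banned list, the leet-substitution map and the normalisation rules are constructed for illustration.

```python
import re
from typing import Optional

# Constructed banned-password list for illustration; a real deployment would
# use a maintained list such as the one behind Azure AD password protection.
BANNED = {"password", "welcome", "summer", "winter", "contoso", "letmein"}

# Common character substitutions users rely on to "change" a password without
# really changing it (assumed mapping, kept deliberately small).
_LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                       "7": "t", "@": "a", "$": "s"})


def normalize(pw: str) -> str:
    """Reduce a password to the word the user is really reusing: lower-case it,
    drop the digits/punctuation tacked on either end, undo leet substitutions."""
    core = pw.lower()
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", core)
    return core.translate(_LEET)


def is_predictable_variation(old: str, new: str) -> bool:
    """True when the new password is a small, predictable alteration of the old."""
    a, b = normalize(old), normalize(new)
    if not a or not b:
        return False
    if a == b:  # only the counter/symbol changed, e.g. Summer2019! -> Summer2020!
        return True
    shorter, longer = sorted((a, b), key=len)
    # a short token appended or prepended to the same core word
    return len(longer) - len(shorter) <= 3 and (
        longer.startswith(shorter) or longer.endswith(shorter))


def evaluate(new: str, old: Optional[str] = None, banned=BANNED) -> Optional[str]:
    """Return None if the password is acceptable, else a short rejection reason
    suitable for logging: 'banned' or 'predictable-variation'."""
    core = normalize(new)
    if any(word in core for word in banned):
        return "banned"
    if old is not None and is_predictable_variation(old, new):
        return "predictable-variation"
    return None


if __name__ == "__main__":
    # Constructed old/new pairs showing what expiration alone lets through.
    for old, new in [("Summer2019!", "Summer2020!"), ("Tr0ub4dor&3", "Tr0ub4dor&4"),
                     ("Contoso1", "P@ssw0rd"), ("Contoso1", "correct horse battery staple")]:
        print(f"{old!r} -> {new!r}: {evaluate(new, old) or 'ok'}")
```

A forced reset accepts the first two pairs without complaint; the check rejects them, and rejects the banned one, while letting the genuinely new passphrase through.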
The counter-argument is that if it’s a “given” that a password will probably be stolen from the user, how long is an acceptable time to permit the thief to keep using, and potentially abusing, that login?
Windows’ default is 42 days, as the post notes: “Doesn’t that seem like a ridiculously long time? Well, it is, but our current baseline says two months – and used to say 90 days – because forcing frequent expiration introduces its very own problems. And if it’s not a given that passwords will be stolen, you acquire those troubles for no benefit.
“Further, if your users are the kind who’re prepared to answer surveys in the parking lot that exchange a candy bar for their passwords, no password expiration policy can help you.”
That is, obviously, a fair point, and Microsoft’s conclusion is that having passwords expire at set intervals is an “ancient and obsolete mitigation of very low value”, and the firm doesn’t believe it’s worthwhile for the Windows baseline security guidelines to enforce any specific value for this setting.
In other words, companies are free to do whatever best suits them, with Microsoft not making a recommendation on this front going forward.
Note that this is only a draft document right now, meaning that these are merely proposed changes, but Microsoft has certainly put a weighty argument behind the move.
Of course, this (potential) switch in security stance is guidance for businesses, and so obviously doesn’t affect folks running Windows 10 at home. However, many of us use password-protected systems or services of one sort or another at work, which usually have periodic forced password reset policies.
This draft document could therefore lead to a rethink of said policies, given Microsoft’s fairly forceful arguments as stated – and perhaps the pain of having to change your password regularly at work may soon be a thing of the past, replaced by better and more apt modern security measures such as multi-factor authentication.