Microsoft apparently now believes that having passwords expire – in other words, a system whereby the user is forced to change their login password every, say, six months – is not a useful security measure.
In a new draft piece of security guidance, Microsoft has changed its baseline rules for the next version of Windows 10 (the imminent May 2019 Update – as well as Windows Server) to drop recommendations for “password-expiration policies that require periodic password changes”.
Microsoft argues that when people are forced to create passwords that are hard to remember, they'll often write them down to make them easier to recall, with obvious major security risks therein. And, when folks are forced to change passwords, “too often they’ll make a small and predictable alteration to their existing passwords, and/or forget their new passwords”.
Microsoft’s post on TechNet further explains: “Recent scientific research calls into question the value of many long-standing password-security practices such as password expiration policies, and points instead to better alternatives such as enforcing banned-password lists (a great example being Azure AD password protection) and multi-factor authentication.”
The argument is then made that if it’s a “given” that a password is likely to be stolen from the user, how long is an acceptable time to allow the thief to continue to use and potentially abuse that login?
Windows' default is currently 42 days, which the post notes: “Doesn’t that seem like a ridiculously long time? Well, it is, and yet our current baseline says 60 days – and used to say 90 days – because forcing frequent expiration introduces its own problems. And if it’s not a given that passwords will be stolen, you acquire those problems for no benefit.
“Further, if your users are the kind who are willing to answer surveys in the parking lot that exchange a candy bar for their passwords, no password expiration policy will help you.”
That is, of course, a fair point, and Microsoft’s conclusion is that having passwords expire over set periods of time is an “ancient and obsolete mitigation of very low value”, and the firm doesn’t believe it’s worthwhile for the Windows baseline security guidelines to enforce any specific value on this.
In other words, companies are free to do whatever best suits them, with Microsoft not making any recommendations on this front going forward.
Note that this is only a draft document at the moment, meaning that these are just proposed changes, but Microsoft certainly seems to have put a weighty argument behind the move.
Of course, this (potential) switch in security stance is guidance for businesses, and so obviously doesn’t affect folks running Windows 10 at home. However, many of us use password-protected systems or services of one sort or another at work, and these often have periodic forced password reset policies.
So this draft document could lead to a rethink of said policies, given Microsoft’s fairly forceful arguments as mentioned – and perhaps the pain of having to change your password on a regular basis at work may soon be a thing of the past, replaced by better and more apt modern security measures such as multi-factor authentication.