Microsoft: Consider Dropping Password Expiration Policies

microsoft-password-expiration-policiesMicrosoft is changing their baseline for password-expiration policies in Windows. The proposal is a move from the previous policy that requires users to change their login passwords periodically.

In the company’s new security configuration baseline draft for Windows 10 v1903 and Windows Server v1903, periodic password requests (i.e., changing login passwords at pre-set time intervals or the recommended 60-day password expiration policy) will be removed from their baseline. Microsoft says recent research calls into question the long-standing password expiration policies. They encourage additional protections for stronger authentication and cite better alternatives such as enforcing banned-password lists.

Aaron Margosis, a principal consultant for Microsoft, explains that previous security practices led to weaker security due to new passwords typically being based on old ones. Often, users compelled to regularly change passwords only made small and predictable changes to existing passwords, or even forget new ones.

While Microsoft argues that periodic password expiration is an outdated security measure, the guidelines are only proposed recommendations. Organizations can set their own security practices, setting a password expiration date or none at all, that best suit their needs.

Microsoft isn’t the only tech company looking into alternatives to passwords. Google, for instance, has been testing USB key fobs that plug into computers and provide a second factor of login authentication. The company reported that the method has reduced successful phishing attempts against its employees.

The U.S. National Institute of Standards and Technology (NIST) has also overhauled its guidance for password rules, dropping periodic password changes and complexity requirements.

Best practices for users

Weak passwords are often used in malicious attempts, from basic phishing attacks to complex hacking campaigns. Default passwords, for instance, have been taken advantage of by hackers to access multiple accounts using common passwords. It’s a simple yet effective way to gain unauthorized access to systems.

Aside from banning default and easily-guessed passwords, organizations should practice two-factor authentication (2FA) in their login practices, involving the use of a password in combination with another form of identification such as code/numbers sent to the user’s phone.

Users are urged to adopt 2FA for any sites that may offer it, from online banking to social media sites and email accounts. Typically, sites have the 2FA option in the Security & Privacy settings, where login verification requests to a specified number can be enabled. This method prompts users to enter their password, as well as the code sent to them each time they log into the site.

[GUIDE: How to Set Up 2FA on Popular Sites]

Administrators can also consider employing the detection of password-guessing attacks and anomalous login attempts. Secure systems like hardware tokens and app authenticators are also recommended. Users, ultimately, should prioritize using strong and unique passwords. Avoid passwords known to be included in data breaches and hacking campaigns such as 123456, password, or qwerty.


Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.