In a blog post today about the Security baseline (DRAFT) for Windows 10 and Windows Server, Microsoft admitted that those pesky password-expiration policies that require periodic password changes are basically useless. Scientific research suggests this: because we are forced to pick difficult passwords to remain secure, by the time we need to change the password we look for minor variations of that same password just so we won’t forget it (guilty!). With that said, changing the password protects only against people who already have our current password, and if we are aware of that it’s better to be proactive and change the password anyway without waiting for the expiration period.
To reassure its users, Redmond does want you to know that it’s not leaving anyone unsecured. There are better alternatives, such as enforcing banned-password lists, multi-factor authentication, and of course the biometric authentication that the company is looking toward. Password expiration periods are a “low-value” security setting, and users should look for a more complete security strategy.
“Periodic password expiration is an ancient and obsolete mitigation of very low value, and we don’t believe it’s worthwhile for our baseline to enforce any specific value. By removing it from our baseline rather than recommending a particular value or no expiration, organizations can choose whatever best suits their perceived needs without contradicting our guidance. At the same time, we must reiterate that we strongly recommend additional protections even though they cannot be expressed in our baselines,” wrote Aaron Margosis.
Although the position is stated in the blog post, the company is not enacting this change as of yet. It is only making the case for why the policy is outdated and of little value, and describing the measures that organizations can take, and already have been taking, to better protect themselves.