Few things are as annoying as companies forcing users to change their passwords every so often. Most firms say it’s a security measure to keep people safe, but Microsoft is dropping the policy, admitting that password expirations don’t actually improve online security.
Microsoft has outlined the new security settings that will apply to Windows 10 version 1903 and Windows Server version 1903. “When humans pick their own passwords, too often they are easy to guess or predict,” writes Microsoft’s Aaron Margosis. “When humans are assigned or forced to create passwords that are hard to remember, too often they’ll write them down where others can see them. When humans are forced to change their passwords, too often they’ll make a small and predictable alteration to their existing passwords, and/or forget their new passwords.”
Margosis says there are better alternatives to password expiration policies, including banned-password lists and multi-factor authentication, but Microsoft cannot enforce these with its recommended security configuration baselines.
One of the main problems is that password expiration only protects a user if the password has already been stolen. If that does happen, most people will realize it and act straight away, rather than wait up to 42 days for the policy to force a change.
“…forcing frequent expiration introduces its own problems. And if it’s not a given that passwords will be stolen, you acquire those problems for no benefit,” added Margosis.
Other password policies such as requiring a minimum length and a combination of letters, numbers, and symbols will remain.
It was revealed earlier this week that millions of people still use 123456 as their password.