Microsoft recognizes that password expiration policies don’t help — they hurt

Recognizing that mandatory password changes don’t help an organization’s security posture, Microsoft last month announced that its security configuration baseline for the next iteration of Windows 10 (Build 1903) would no longer require periodic password changes.

In a post on Microsoft’s Security Guidance blog, the company explained its reasoning:

There’s no question that the state of password security is problematic and has been for a long time. When humans pick their own passwords, too often they are easy to guess or predict. When humans are assigned or forced to create passwords that are hard to remember, too often they’ll write them down where others can see them. When humans are forced to change their passwords, too often they’ll make a small and predictable alteration to their existing passwords, and/or forget their new passwords. When passwords or their corresponding hashes are stolen, it can be difficult at best to detect or restrict their unauthorized use.

Recent scientific research calls into question the value of many long-standing password-security practices such as password expiration policies, and points instead to better alternatives such as enforcing banned-password lists (a great example being Azure AD password protection) and multi-factor authentication. While we recommend these alternatives, they cannot be expressed or enforced with our recommended security configuration baselines, which are built on Windows’ built-in Group Policy settings and cannot include customer-specific values.

This reinforces a larger important point about our baselines: while they are a solid foundation and should be part of your security strategy, they are not a complete security strategy. In this particular case, the small set of ancient password policies enforceable through Windows’ security templates is not and cannot be a complete security strategy for user credential management. Removing a low-value setting from our baseline and not compensating with something else in the baseline does not mean we are lowering security standards. It simply reinforces that security cannot be achieved entirely with baselines.

Props to Microsoft for making this change.

Password expiration policies are not unlike anti-piracy measures for music and movies: They were conceived and are meant to deter bad guys, but they end up getting in the way of the good guys while failing to stop the bad guys.

Just as no one wants to have to spend thirty minutes downloading and installing a firmware update for their Blu-ray player to make a disc playable, no one likes having to change their password when they log in simply because some amount of time has passed.

If a password is set to expire every thirty days, a user will be asked to change it twelve times a year. To cope with the annoyance, users can be expected to do exactly what Microsoft’s post describes: make a small and predictable alteration to the previous password, such as incrementing a trailing number or adding one more exclamation mark. An attacker who already holds the old password, or its hash, can therefore guess the new one almost as cheaply as the old one, which is why rotation fails to stop the bad guys.

A strong, unique password stored securely in a password manager is better than a password that is merely changed frequently. Instead of setting and insisting on password expiration policies, information technology departments should require the use of password management tools, and join independent cybersecurity professionals in encouraging everyone to set up a password manager for personal use as well.
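The two points above, that rotated passwords are predictable variants of the old one and that a manager-generated password is not, can be demonstrated directly. The following is an added example, not code from the article or from Microsoft: it models the common “small and predictable alteration” edits (bump the trailing number, append a symbol, swap in the next year or month, flip the first letter’s case), then plays the attacker who knows the old password from a breach dump and has obtained the hash of the rotated one. The edit lists, the salted SHA-256 stand-in for whatever hash the target actually stores, and the sample passwords are all constructed for this example.

```python
import hashlib
import hmac
import re
import secrets
import string

# Assumed lists of the edits users typically make under forced rotation
# (constructed for this example, not data from the article).
SUFFIXES = ["!", "1", "!!", "#", "2019", "2020"]
YEARS = ["2019", "2020"]
MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]


def rotation_candidates(old):
    """Return plausible successors of `old` after a forced password change.

    Models the "small and predictable alteration" pattern: bump a trailing
    number, append or extend a symbol, swap in the next year or month, or
    flip the case of the first character.
    """
    cands = []

    def add(c):
        if c and c != old and c not in cands:
            cands.append(c)

    base = old.rstrip(string.punctuation)   # "Summer2019!" -> "Summer2019"
    trail = old[len(base):]                 # "!"
    m = re.search(r"(\d+)$", base)
    stem, num = (base[:m.start()], m.group(1)) if m else (base, "")

    if num:  # Summer2019! -> Summer2020!, Summer2021!, Summer2022!
        for delta in range(1, 4):
            add(f"{stem}{int(num) + delta:0{len(num)}d}{trail}")
    for s in SUFFIXES:  # Welcome1 -> Welcome1!, Welcome1!!, Welcome12019
        add(old + s)
        add(base + s)
    for s in YEARS + MONTHS:  # Summer2019! -> Summer2020!, SummerJan!
        add(f"{stem}{s}{trail}")
    if stem:  # Summer2019! -> summer2019!
        add(stem[0].swapcase() + stem[1:] + num + trail)
    return cands


def hash_password(password, salt):
    """Stand-in for whatever the target stores; a salted SHA-256 here."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def guess_new_password(old, new_hash, salt):
    """Attacker view: knows the old password (say, from a breach dump) and
    has obtained the hash of the rotated one. Returns the recovered
    password, or None if no predictable variant matches."""
    for cand in rotation_candidates(old):
        if hmac.compare_digest(hash_password(cand, salt), new_hash):
            return cand
    return None


def generate_manager_password(length=20):
    """What a password manager produces instead: a uniformly random string
    with no relationship to any previous password."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*"
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    salt = b"constructed-salt"
    # Constructed scenario: the user rotated "Summer2019!" to "Summer2020!".
    stolen = hash_password("Summer2020!", salt)
    print(guess_new_password("Summer2019!", stolen, salt))   # Summer2020!
    # A manager-generated password is not reachable from the old one.
    fresh = generate_manager_password()
    stolen = hash_password(fresh, salt)
    print(guess_new_password("Summer2019!", stolen, salt))   # None
```

The candidate list is deliberately tiny (a few dozen guesses), which is the point: against a rotated password the attacker needs a handful of hash computations rather than a dictionary, whereas the randomly generated password is untouched by the same search and would need a brute-force effort over the full alphabet.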

POSTSCRIPT: Need a password manager for personal use? Try Dashlane or 1Password. Need one for a small team that doesn’t cost anything? Give CommonKey a look.