Microsoft Guidance Suggests Ditching Worthless Password Expiration Policies
Aaron Margosis, Principal Consultant with Microsoft Public Sector Services, recently remarked that “periodic password expiration is an ancient and obsolete mitigation of very low value.” His first point is about timing: the interval between forced changes is far too long to do any good. If a password has been stolen, the account's password needs to be changed immediately; a 60-to-90-day rotation window does nothing to stop the thief from using it in the meantime. If the password has never been stolen, there is no reason to change it. Either way, periodic changes add little to the account's safety.
Human behavior makes it worse. When forced to change a password, people typically pick something easy to remember, often a predictable variation of the old one (an incremented number, the next season of the year). When the new password must also be more complex than the old one, they tend to write it down or store it somewhere insecure. Both behaviors weaken security rather than strengthen it.
What does Microsoft recommend instead? Margosis pointed to the controls experts actually favor: enforcing banned-password lists, requiring multi-factor authentication, and detecting password-guessing attacks and anomalous logon attempts. With those controls in place, forced expiration adds little; without them, forced expiration alone will not protect the organization.
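To make the banned-password point concrete, here is an added example (not Microsoft's code, and not the algorithm used by Azure AD Password Protection) of a check that normalizes a candidate password before matching it against a banned list, and that also rejects the "increment the number" variation described above. The banned terms, the function names and the 14-character minimum are assumptions for this illustration:

```powershell
# Added illustration of banned-password enforcement. Not Microsoft's code and
# not the Azure AD Password Protection algorithm; the banned list below and the
# 14-character minimum are constructed assumptions for this example.
$BannedTerms = @('password', 'welcome', 'contoso', 'summer', 'letmein', 'qwerty')

function ConvertTo-NormalizedPassword {
    param([Parameter(Mandatory)][string]$Password)
    # Lower-case and undo common substitutions so "P@$$w0rd" compares as "password".
    $n = $Password.ToLowerInvariant()
    $map = @{ '@' = 'a'; '4' = 'a'; '$' = 's'; '5' = 's'; '0' = 'o'; '1' = 'i'; '!' = 'i'; '3' = 'e'; '7' = 't' }
    foreach ($k in $map.Keys) { $n = $n.Replace($k, $map[$k]) }
    return $n
}

function Get-LetterCore {
    param([Parameter(Mandatory)][string]$Password)
    # Letters only: "Summer2018!" and "Summer2019!" both reduce to "summer".
    return ($Password.ToLowerInvariant() -replace '[^a-z]', '')
}

function Test-PasswordCandidate {
    param(
        [Parameter(Mandatory)][string]$Candidate,
        [string]$Previous,                 # old password, which the user supplies at change time
        [string[]]$Banned = $BannedTerms,
        [int]$MinimumLength = 14
    )
    $reasons = @()
    if ($Candidate.Length -lt $MinimumLength) {
        $reasons += "shorter than $MinimumLength characters"
    }
    $normalized = ConvertTo-NormalizedPassword $Candidate
    foreach ($term in $Banned) {
        if ($normalized.Contains($term)) {
            $reasons += "contains banned term '$term' after normalization"
        }
    }
    if ($Previous -and (Get-LetterCore $Candidate) -eq (Get-LetterCore $Previous)) {
        $reasons += 'is a trivial variation of the previous password'
    }
    [pscustomobject]@{
        Candidate = $Candidate
        Accepted  = ($reasons.Count -eq 0)
        Reasons   = ($reasons -join '; ')
    }
}

# Constructed inputs: the first two are rejected, the last one is accepted.
Test-PasswordCandidate -Candidate 'Summer2019!' -Previous 'Summer2018!'
Test-PasswordCandidate -Candidate 'P@$$w0rd1!Contoso'
Test-PasswordCandidate -Candidate 'correct-horse-battery-staple-42'
```

The substitution map is what does the work: without it, "P@$$w0rd1!Contoso" would sail past a plain substring match on "password". Real banned-password services go further (fuzzy matching, per-tenant custom lists, scoring), but the normalize-then-match structure is the same.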
Margosis also proposed dropping the baseline's explicit settings that disable the built-in Administrator and Guest accounts, since Windows already disables both by default and only an administrator can re-enable them. He did suggest guidance for administrative accounts: keep exactly one enabled local administrator account per computer, and give it a strong password that is unique to that machine (in practice, randomized and managed by a tool such as Microsoft's LAPS rather than set by hand).
Many companies are already moving away from passwords altogether. Google and the FIDO Alliance have announced that Android (7.0 and later) is now FIDO2 certified, so users can sign in to supporting services with a hardware security key or the phone's fingerprint reader instead of a password.
The draft drops only the maximum password age; the minimum length, password history and complexity settings stay in the baseline. It is also worth stressing that, for now, these are proposals published for feedback from Windows 10 administrators, and removing a setting from Microsoft's baseline changes nothing on a domain whose own Group Policy still enforces expiration. In the end it is up to each organization to decide whether to retire this outdated policy, ideally alongside the banned-password, MFA and anomaly-detection controls that make it safe to do so. Hopefully Microsoft will soon offer tighter security features to match.
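As an added example (not part of the article or of Microsoft's baseline), the following PowerShell script audits a Windows machine against the points above: it exports the local security policy with secedit, checks maximum password age, minimum length, history and complexity, confirms that the built-in Administrator and Guest accounts are disabled (looking them up by well-known RID so renaming does not hide them), and counts how many enabled local accounts sit in the Administrators group. The thresholds (14 characters, 24 remembered passwords, at most one enabled local admin) are assumptions, not Microsoft's numbers:

```powershell
# Added audit script; not Microsoft's code and not the baseline itself. The
# expected values marked (assumed) are illustration thresholds, not Microsoft's.
# Run from an elevated PowerShell session on the machine being checked.
#Requires -RunAsAdministrator

# 1. Export the effective local security policy and parse the [System Access]
#    section (secedit writes the INF as UTF-16, hence -Encoding Unicode).
$inf = Join-Path $env:TEMP 'secpol-audit.inf'
secedit.exe /export /cfg $inf /quiet | Out-Null
$policy = @{}
$inSection = $false
foreach ($line in Get-Content $inf -Encoding Unicode) {
    if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'System Access'); continue }
    if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(.+?)\s*$') { $policy[$Matches[1]] = $Matches[2] }
}
Remove-Item $inf -ErrorAction SilentlyContinue

# In the exported INF a MaximumPasswordAge of -1 means "never expires"
# (the policy editor shows the same state as 0).
$maxAge  = [int]$policy['MaximumPasswordAge']
$minLen  = [int]$policy['MinimumPasswordLength']
$history = [int]$policy['PasswordHistorySize']
$complex = [int]$policy['PasswordComplexity']
$checks = @(
    [pscustomobject]@{ Setting = 'MaximumPasswordAge';    Actual = $maxAge;  Expect = 'no forced expiry'; Pass = ($maxAge -le 0) }
    [pscustomobject]@{ Setting = 'MinimumPasswordLength'; Actual = $minLen;  Expect = '>= 14 (assumed)';  Pass = ($minLen -ge 14) }
    [pscustomobject]@{ Setting = 'PasswordHistorySize';   Actual = $history; Expect = '>= 24 (assumed)';  Pass = ($history -ge 24) }
    [pscustomobject]@{ Setting = 'PasswordComplexity';    Actual = $complex; Expect = 'enabled';          Pass = ($complex -eq 1) }
)

# 2. Built-in accounts found by well-known RID (500 = Administrator, 501 = Guest)
#    so that renaming them does not hide them from the check.
$users = Get-LocalUser
foreach ($pair in @(@('Administrator', 500), @('Guest', 501))) {
    $acct  = $users | Where-Object { $_.SID.Value -like "S-1-5-21-*-$($pair[1])" }
    $state = if ($acct.Enabled) { 'enabled' } else { 'disabled' }
    $checks += [pscustomobject]@{
        Setting = "Built-in $($pair[0]) ($($acct.Name))"
        Actual  = $state
        Expect  = 'disabled (Windows default)'
        Pass    = (-not $acct.Enabled)
    }
}

# 3. Count enabled local accounts in the Administrators group (S-1-5-32-544);
#    domain members are excluded, since the article's point is about local admins.
$adminSids = Get-LocalGroupMember -SID 'S-1-5-32-544' |
    Where-Object { $_.ObjectClass -eq 'User' -and $_.PrincipalSource -eq 'Local' } |
    ForEach-Object { $_.SID.Value }
$enabledAdmins = @($users | Where-Object { $_.Enabled -and $adminSids -contains $_.SID.Value })
$checks += [pscustomobject]@{
    Setting = 'Enabled local admin accounts'
    Actual  = ($enabledAdmins.Name -join ', ')
    Expect  = 'exactly one, with a unique per-machine password'
    Pass    = ($enabledAdmins.Count -eq 1)
}

$checks | Format-Table Setting, Actual, Expect, Pass -AutoSize
```

The script reads the effective policy rather than the GPO that delivered it, which is what matters when an organization has removed expiration from its baseline but a lingering domain policy still sets a maximum age. A row with Pass = False on MaximumPasswordAge after such a change is the signal that the old setting is still winning.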