Microsoft Corporation announced this week that it plans to eliminate password expiration policies from its forthcoming new security configuration baseline settings for Windows 10 version 1903 (19H1) and Windows Server version 1903.
Essentially, organizations who adopt these recommended settings will no longer require their users or employees to update their credentials on a recurring basis, as a defense mechanism against hackers.
The move might sound like antithetical to sensible security practices, but Microsoft's reasoning is that people who are forced to regularly change passwords often make trivial and easily predictable changes to their credentials, or they end up forgetting their newest version.
Aaron Margosis, principal consultant with Microsoft Public Sector Services, called periodic password expiration an "ancient and obsolete mitigation of very low value" in an April 24 company blog post revealing a draft release of the new settings, which are slated to go live in a May 2019 update. On the other hand, Microsoft's settings will continue to incorporate factors such as a password's length, complexity and history (i.e. it's been previously compromised or blacklisted).
"Periodic password expiration is a defense only against the probability that a password (or hash) will be stolen during its validity interval and will be used by an unauthorized entity. If a password is never stolen, there's no need to expire it," continued Margosis. "And if you have evidence that a password has been stolen, you would presumably act immediately rather than wait for expiration to fix the problem."
Similarly, the National Institute of Standards and Technology (NIST) recently issued its own set of guidelines recommending the elimination of periodic password changes.
"Recent scientific research calls into question the value of many long-standing password-security practices such as password expiration policies, and points instead to better alternatives such as enforcing banned-password lists... and multi-factor authentication," said Margosis.
However, Microsoft's baselines do not express or enforce such practices, so companies must pursue this independently. Organizations whose systems run on Windows can also continue to practice password expiration if they so choose.
Additionally, Microsoft has proposed dropping the enforced disabling of built-in Administrator and Guest accounts.
