Microsoft has proposed scrapping a policy in Windows that requires users to periodically change their login password.
In a blog post, the software giant said its new draft security configuration baseline settings would no longer force users whose accounts are controlled by a network’s Group Policy to change their passwords every few weeks or months.
Microsoft’s draft security baseline document includes recommended policies that affect entire groups of users on a corporate network, including rules that restrict certain features and services to prevent misuse or abuse, as well as locking down certain functions that could be used by malware to attack the system or network.
The company said that the existing password change policy is an “ancient and obsolete mitigation of very low value,” and the company doesn’t “believe it’s worthwhile” any longer.
Here’s what Microsoft’s Aaron Margosis said:
Periodic password expiration is a defense only against the probability that a password (or hash) will be stolen during its validity interval and will be used by an unauthorized entity. If a password is never stolen, there’s no need to expire it. And if you have evidence that a password has been stolen, you would presumably act immediately rather than wait for expiration to fix the problem.
If it’s a given that a password is likely to be stolen, how many days is a better length of time to continue to allow the thief to use that stolen password? The Windows default is 42 days. Doesn’t that seem like a ridiculously long time? Well, it is, and yet our current baseline says 60 days – and used to say 90 days – because forcing frequent expiration introduces its own problems. And if it’s not a given that passwords will be stolen, you acquire those problems for no advantage. Further, if your users are the kind who are willing to answer surveys in the parking lot that exchange a candy bar for their passwords, no password expiration policy will help you.
By removing it from our baseline rather than recommending a particular value or no expiration, organizations can specify whatever best suits their perceived needs without contradicting our guidance. At the same time, we must reiterate that we strongly recommend additional protections even though they cannot be expressed in our baselines.
In other words, Microsoft wants to put a premium on using strong, long and unique passwords rather than on regularly changing them.
Not only does changing passwords every few weeks or months frustrate the average user, it’s been suggested that it actively does more harm than good. Former Federal Trade Commission chief technologist Lorrie Cranor said in a 2016-dated blog post that forcing users to change their passwords every so often can result in weaker passwords.
“Researchers also point out that an attacker who already knows a user’s password is unlikely to be thwarted by a password change,” she wrote. “Once an attacker knows a password, they are often able to guess the user’s next password fairly easily.”
Not long after, the National Institute of Standards and Technology (NIST), which advises the federal government on cybersecurity practices and policies, revised its own guidance to remove policies that mandate periodic password changes.
Bill Burr, the since-retired NIST manager who developed the 2003-dated policy that recommended password expiration policies, expressed regret in a 2017 interview about the policy, saying the rule “actually had a negative impact on usability.”