Microsoft Ditches Mandatory Password Expiration: What to Do Instead
Earlier this month, Microsoft issued an exciting announcement regarding passwords. Now, “exciting” and “passwords” aren’t two things that normally find themselves together in the same sentence. However, this news is the most significant change in Microsoft’s password policy recommendations in nearly three decades. In a recent blog post, Microsoft announced plans to remove regular mandatory password changes from its recommended security baselines.
Microsoft didn’t mince words in the post either. Aaron Margosis, the author and a principle consultant with the tech giant, dubbed regular password changes as an “ancient and obsolete” policy. Margosis’ words are harsh considering the policy is one Microsoft has long championed. However, they are also very much in-step with the industry’s current direction. In fact, mandatory password resets have been looked down upon by cyber security experts, standard-keepers such as the National Institute of Standards and Technology (NIST), and more for quite a while.
Why the about-face from Microsoft? Well, the company’s reasons align with the points others have made. Perhaps most notable is that regular password changes do little to make user accounts safer. Actually, they achieve just the opposite. Forcing users to reset their password every 60, 90 or however many days can encourage bad habits. Instead of developing long, complex passwords that randomly mix letters, numbers, and symbols, users may opt for a more familiar pattern. One that is easy to remember and easy to tweak after XX number of days. Usually that also means it will be easy for cyber criminals to crack. Or, in order to remember their constantly-changing, highly-complex password, they may write it down and keep it nearby, yet another worst practice.
Elsewhere in his post, Margosis pointed out another flaw in the logic behind mandatory password resets. He noted that forcing password changes is only helpful in the event that a password is compromised during a given period – and security knows about it. However, if that happened on day 37 of a 60 day cycle, it’s doubtful anyone would wait another 23 days until it expired to change a password. Ideally, it would be changed immediately. After 60 days, if a password hasn’t been compromised, what would be the point of changing it really be? As he concludes, if there’s little benefit to changing an uncompromised password, but there are negatives (see above), than the old model does more harm than good.
There are a few other items worth noting from the post. Microsoft isn’t tinkering with any of its recommendations regarding password length, history or complexity. It’s also sticking to its guns about the benefits – and there are many – of multifactor authentication (MFA). The new passwords directives don’t extend across the Microsoft spectrum, as mandatory resets will continue to be the default in Windows Server versions.
Life after mandatory regular password changes
So, if mandatory expirations are no longer part of a complete password security posture, what is? Here are a few items from Microsoft’s post and our experts:
- Leverage the aforementioned MFA to validate the identities of those trying to log on to the corporate network
- Ban notoriously weak or easily-guessed passwords, e.g., password and any variation of that
- Monitor for attacks in which cyber criminals try to guess credentials using huge volumes of passwords
- Be on the alert for impossible or even simply out-of-character login attempts and be ready to follow up as needed
Next Steps: Secure your network against unauthorized access
Want to learn more about Microsoft’s revised password guidance and the steps your organization can take to keep user identities secure? Visit https://www.arrayasolutions.com/contact-us/ to connect with our in-house teams of experts. They can provide additional insights into this news and help you audit and, if necessary, enhance your security posture.
We want to hear from you! Leave us your comments on this or any of our blog posts via social media. Arraya is on LinkedIn, Twitter, and Facebook. After you’ve shared your two cents, follow us to stay up to date on our industry insights and exclusive learning opportunities.