Microsoft Password Policy Change Recommends an End to Expiration Dates

Stolen or guessed user credentials are a common way into a network, yet Microsoft's latest draft security baseline recommends that organizations stop requiring users to change their passwords after a fixed period of time. The goal is stronger passwords and less incentive for users to write them down or recycle them in insecure ways.

Richard Hay, Senior Content Producer

April 26, 2019

3 Min Read

Microsoft publishes a draft security baseline whenever a new version of Windows 10 is about to reach enterprise and business customers. The baseline recommends Group Policy security settings that organizations can apply consistently across their Windows 10 endpoints. The draft baseline for Windows 10 version 1903, aka the May 2019 Update, drew attention for one change: it drops the recommendation to enforce a maximum password age, the setting that forces periodic password changes.

The change lines up with the U.S. government's published guidance on passwords.

According to NIST Special Publication 800-63B, Digital Identity Guidelines: Authentication and Lifecycle Management, memorized secrets (NIST's term for passwords and passphrases) should meet these requirements:

  • Secrets chosen by the user must be at least 8 characters long, and the verifier must accept at least 64 characters. All printing ASCII characters, the space character, and Unicode characters should be allowed, so that long passphrases are possible.

  • Secrets chosen by the service provider, at enrollment or when issuing a replacement, must be at least 6 characters long and generated with an approved random bit generator.

  • Users must not be allowed to store a password hint that is accessible to an unauthenticated claimant.

  • Every new password must be compared against a blocklist of commonly used, expected, or compromised values: passwords from previous breaches, dictionary words, repetitive or sequential characters, and context-specific words such as the username or the service name. A match rejects the password, tells the user why it was rejected, and prompts for a different one.

  • Force a password change when there is evidence that the account or password has been compromised, but do not force one merely because a period of time has passed.

There are other suggestions in this standard that should be considered as you establish your password policies, so a full review is highly recommended. 
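As an added example (not code from the article, Microsoft or NIST), the Python below applies the rules listed above to a user-chosen password: it measures length in Unicode code points, accepts any characters including spaces, compares the candidate against a blocklist of common, breached, dictionary and context-specific values, rejects repeated or sequential runs, and reports the reason for rejection. It imposes no composition rules and no expiry. The banned list, dictionary, breach hashes, the account name 'jdoe' and the service name 'Contoso' are all constructed for the illustration.

```python
"""Checking a user-chosen memorized secret against the SP 800-63B rules listed above.

Added example; not code from the article, Microsoft or NIST. The banned list,
dictionary, breach corpus and the sample inputs in main() are constructed.
"""
from __future__ import annotations

import hashlib
import re
import unicodedata

MIN_LEN = 8   # SP 800-63B: subscriber-chosen secrets are at least 8 characters
MAX_LEN = 64  # SP 800-63B: the verifier must accept at least 64 characters

# Constructed stand-in for a list of commonly used passwords (a real one has millions).
BANNED = {"password", "password1", "qwerty123", "letmein", "12345678", "iloveyou", "welcome1"}

# Constructed stand-in for a dictionary-word list.
DICTIONARY = {"dragon", "monkey", "football", "sunshine", "princess", "baseball"}

# Constructed stand-in for a breach corpus; such lists are usually shipped as SHA-1 hashes.
BREACHED_SHA1 = {hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
                 for p in ("Winter2018!", "Tr0ub4dor&3")}


def normalize(secret: str) -> str:
    """NFKC-normalize so the same passphrase typed on different keyboards compares equal."""
    return unicodedata.normalize("NFKC", secret)


def has_repeat_or_sequence(secret: str, run: int = 4) -> bool:
    """True if any `run` consecutive characters are identical or step by +1/-1 ('aaaa', '1234', 'dcba')."""
    low = secret.lower()
    for i in range(len(low) - run + 1):
        codes = [ord(c) for c in low[i:i + run]]
        steps = {b - a for a, b in zip(codes, codes[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False


def core_word(secret: str) -> str:
    """Letters only, lower-cased: 'Dragon123!' -> 'dragon'. A fuller check would also undo leet-speak."""
    return re.sub(r"[^a-z]", "", secret.lower())


def check_password(candidate: str, username: str, service: str) -> tuple[bool, str]:
    """Return (accepted, reason). The reason is what the user is shown on rejection.

    No composition rules (mixed case, symbols) and no expiry are applied: SP 800-63B
    recommends against both, and length plus the blocklist do the real work.
    """
    secret = normalize(candidate)
    n = len(secret)  # code points, not bytes: a Cyrillic passphrase is not penalised for UTF-8 size
    if n < MIN_LEN:
        return False, f"too short: {n} characters, minimum is {MIN_LEN}"
    if n > MAX_LEN:
        return False, f"too long: {n} characters, maximum is {MAX_LEN}"
    low = secret.lower()
    if low in BANNED or core_word(secret) in BANNED:
        return False, "appears on the list of commonly used passwords"
    if hashlib.sha1(secret.encode("utf-8")).hexdigest().upper() in BREACHED_SHA1:
        return False, "appears in a known data breach"
    if core_word(secret) in DICTIONARY:
        return False, "is a dictionary word with only digits or symbols added"
    if has_repeat_or_sequence(secret):
        return False, "contains a repeated or sequential run of characters"
    for context in (username, service):
        if context and context.lower() in low:
            return False, f"contains the account or service name '{context}'"
    return True, "accepted"


def main() -> None:
    # Constructed candidates for the (constructed) user 'jdoe' at service 'Contoso'.
    for candidate in ("Tr0ub4d", "password1", "Winter2018!", "Dragon123!", "abcd1234",
                      "Contoso2019!", "correct horse battery staple", "Пароль-дракон!"):
        ok, why = check_password(candidate, username="jdoe", service="Contoso")
        print(f"{'ACCEPT' if ok else 'REJECT'} {candidate!r}: {why}")


if __name__ == "__main__":
    main()
```

Note what the function does not do: it never rejects a password for lacking an upper-case letter or a symbol, and it carries no notion of age. Those are exactly the two habits the Microsoft draft and SP 800-63B push back on; the work is done by length, Unicode acceptance and the blocklist, and the blocklist is only as good as the list behind it.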

Microsoft acknowledges that this is a radical departure from a practice that has been standard for a very long time. It is not proposing to drop the baseline's other password settings, such as minimum length, password history, and complexity requirements.

Here is what Microsoft’s Aaron Margosis says about the need to have expiring passwords:

Periodic password expiration is a defense only against the probability that a password (or hash) will be stolen during its validity interval and will be used by an unauthorized entity. If a password is never stolen, there’s no need to expire it. And if you have evidence that a password has been stolen, you would presumably act immediately rather than wait for expiration to fix the problem.

Margosis goes on to add:

If an organization has successfully implemented banned-password lists, multi-factor authentication, detection of password-guessing attacks, and detection of anomalous log-on attempts, do they need any periodic password expiration? And if they haven’t implemented modern mitigations, how much protection will they really gain from password expiration?
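Margosis lists detection of password-guessing attacks among the mitigations that make expiration unnecessary. As an added example (not code from the article or from Microsoft), the Python below runs a simple detector over constructed Windows Security event 4625 (logon failure) records: it flags a source address that fails many times against one account (brute force) and one that fails a few times against many accounts within a ten-minute window (password spraying). The flattened line format, the thresholds, the addresses and the account names are assumptions for the illustration; the field names and the 0xC000006A / 0xC0000064 sub-status codes (wrong password / unknown user name) follow the real event.

```python
"""Flagging password-guessing from Windows Security event 4625 (logon failure) records.

Added example; not code from the article or from Microsoft. The event lines are
constructed (see constructed_sample). Thresholds and the window are assumptions to tune.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

# One 4625 per line, flattened to the fields we need (the line layout is an assumption).
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) EventID=4625 TargetUserName=(?P<user>\S+) "
    r"IpAddress=(?P<ip>\S+) SubStatus=(?P<sub>0x[0-9A-Fa-f]{8})$"
)
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"
WINDOW = timedelta(minutes=10)
BRUTE_FORCE_MIN = 10   # failures against one account from one source inside WINDOW
SPRAY_MIN_USERS = 8    # distinct accounts tried from one source inside WINDOW
# 4625 sub-status codes that mean a guess was made: wrong password, unknown user name.
GUESS_SUBSTATUS = {"0xC000006A", "0xC0000064"}


def parse(lines: list[str]) -> list[dict]:
    """Keep the 4625 lines that match EVENT_RE, normalized and sorted by time."""
    events = []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # other event IDs or malformed lines are ignored
        events.append({
            "ts": datetime.strptime(m["ts"], TS_FORMAT),
            "user": m["user"].lower(),
            "ip": m["ip"],
            "sub": "0x" + m["sub"][2:].upper(),
        })
    events.sort(key=lambda e: e["ts"])
    return events


def detect(events: list[dict]) -> list[tuple[str, str, str | None]]:
    """Return (kind, source_ip, target_user) alerts; target_user is None for a spray."""
    alerts: set[tuple[str, str, str | None]] = set()
    by_ip: dict[str, list[dict]] = defaultdict(list)
    for e in events:
        if e["sub"] in GUESS_SUBSTATUS:
            by_ip[e["ip"]].append(e)
    for ip, evs in by_ip.items():
        start = 0
        for end, e in enumerate(evs):
            # Slide the window so evs[start:end+1] spans at most WINDOW.
            while e["ts"] - evs[start]["ts"] > WINDOW:
                start += 1
            per_user: dict[str, int] = defaultdict(int)
            for w in evs[start:end + 1]:
                per_user[w["user"]] += 1
            for user, count in per_user.items():
                if count >= BRUTE_FORCE_MIN:
                    alerts.add(("brute_force", ip, user))
            if len(per_user) >= SPRAY_MIN_USERS:
                alerts.add(("password_spray", ip, None))
    return sorted(alerts, key=lambda a: (a[0], a[1], a[2] or ""))


def constructed_sample() -> list[str]:
    """Constructed 4625/4624 lines: two benign typos, a brute force, and a spray."""
    base = datetime(2019, 4, 26, 9, 0, 0)

    def line(offset: timedelta, user: str, ip: str, sub: str = "0xC000006A") -> str:
        return (f"{(base + offset).strftime(TS_FORMAT)} EventID=4625 "
                f"TargetUserName={user} IpAddress={ip} SubStatus={sub}")

    lines = [line(timedelta(seconds=30 * i), "alice", "10.0.0.7") for i in range(2)]  # typos
    lines += [line(timedelta(seconds=25 * i), "bob", "10.0.0.5") for i in range(12)]  # brute force
    lines += [line(timedelta(minutes=i), user, "203.0.113.9")                          # spray
              for i, user in enumerate(["alice", "bob", "carol", "dave",
                                        "erin", "frank", "grace", "heidi"])]
    # A successful logon (4624) is not a 4625 and is ignored by parse().
    lines.append(f"{base.strftime(TS_FORMAT)} EventID=4624 TargetUserName=alice "
                 f"IpAddress=10.0.0.7 LogonType=2")
    return lines


if __name__ == "__main__":
    for alert in detect(parse(constructed_sample())):
        print(alert)
```

The spray rule is the one that matters most once expiration is gone: an attacker who tries one common password against every account stays under any per-account lockout threshold, so counting distinct target accounts per source is what exposes it. In production the same logic would read from the event log or a SIEM rather than from text lines, and the thresholds would be tuned against the environment's normal failure rate.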

Ultimately, a company's leadership is responsible for the security of the customer and employee data held across its systems. Users with access to more sensitive data should face tighter controls on their accounts, including stronger authentication and narrower access to company data. Users with less privileged access can have lighter requirements, but never below the minimums discussed above.

The publication of Microsoft's draft this week has triggered a lot of discussion on social media among IT pros, security experts, and users. Opinions are mixed, but the conversation is happening, rather than organizations simply sticking with what they believe to be tried-and-true password practices.

"We have always done it that way" is no longer a valid response when a change is needed, whether it concerns security or process. Dropping password expiration could be the first step in an enterprise's move toward authenticating users without passwords at all.


About the Author(s)

Richard Hay

Senior Content Producer, IT Pro Today (Informa Tech)

I served for 29-plus years in the U.S. Navy and retired as a Master Chief Petty Officer in November 2011. My work background in the Navy was telecommunications related, so my hobby of computers fit well with what I did for the Navy. I consider myself a tech geek and enjoy most things in that arena.

My first website – AnotherWin95.com – came online in 1995. Back then I used GeoCities Web Hosting for it and WindowsObserver.com is the result of the work I have done on that site since 1995.

In January 2010 my community contributions were recognized by Microsoft when I received my first Most Valuable Professional (MVP) Award for the Windows Operating System. Since then I have been renewed as a Microsoft MVP each subsequent year since that initial award. I am also a member of the inaugural group of Windows Insider MVPs which began in 2016.

I previously hosted the Observed Tech PODCAST for 10 years and 317 episodes and now host a new podcast called Faith, Tech, and Space. 

I began contributing to Penton Technology websites in January 2015 and in April 2017 I was hired as the Senior Content Producer for Penton Technology which is now Informa Tech. In that role, I contribute to ITPro Today and cover operating systems, enterprise technology, and productivity.

https://twitter.com/winobs
