Microsoft wants to kill Windows password expiration policy

If you employ Windows Group Policy at your company, then you may enforce password expiration, which compels users to change their Windows passwords every 42 days or at some other interval. Now Microsoft is questioning the effectiveness of password expiration, to the point that it wants to remove that requirement for the next version of Windows 10.

In a Wednesday blog post, Microsoft detailed a draft of security configuration baseline settings for Windows 10 version 1903 and Windows Server version 1903, which are due for release in late May. Among the several draft settings proposed, the removal of the password expiration policy is the one that will likely affect organizations and IT administrators the most.

SEE: Password management policy (Tech Pro Research)

In its desire to drop the password expiration requirement, Microsoft argues that the policy is outdated and ineffective. The main purpose of periodically changing your Windows password is to prevent the wrong person from using it if that password had been stolen. But if the password is never stolen, there's no reason to change it. And if you have evidence that the password had been stolen, you would change it immediately rather than wait for some predefined expiration date.

"If it's a given that a password is likely to be stolen, how many days is an acceptable length of time to continue to allow the thief to use that stolen password?" Microsoft asks in its blog post. "The Windows default is 42 days. Doesn't that seem like a ridiculously long time? Well, it is, and yet our current baseline says 60 days - and used to say 90 days - because forcing frequent expiration introduces its own problems. And if it's not a given that passwords will be stolen, you acquire those problems for no benefit. Further, if your users are the kind who are willing to answer surveys in the parking lot that exchange a candy bar for their passwords, no password expiration policy will help you."

Microsoft's contention is that instead of enforcing password expiration, organizations and administrators should focus their efforts on more advanced and effective security methods. That means using such defenses as banned-password lists, multi-factor authentication, the detection of password-guessing attacks, and the detection of anomalous logon attempts. And if you have those factors in place, do you still need to force your users to change their passwords?

"Periodic password expiration is an ancient and obsolete mitigation of very low value, and we don't believe it's worthwhile for our baseline to enforce any specific value," Microsoft added in the post. "By removing it from our baseline rather than recommending a particular value or no expiration, organizations can choose whatever best suits their perceived needs without contradicting our guidance. At the same time, we must reiterate that we strongly recommend additional protections even though they cannot be expressed in our baselines."

Microsoft is asking customers to review the proposed changes and offer any comments via the blog post.

Also see