Microsoft announced in a recent blog post that they will be reconsidering their stance on the password expiration policy for Windows users. For years Microsoft encouraged administrators to expire users’ passwords every few weeks, on the basis that this made it harder for credentials to be stolen. However, Microsoft Principal Consultant Aaron Margosis identified foreseeable problems that arise when users are asked to change passwords frequently. Some of these issues are:
- User-picked passwords can be easy to guess or predict.
- When users are asked to change credentials frequently, they are more likely to make a small, predictable alteration to their existing password, e.g. P@$$word1 becomes P@$$word2. In theory, this defeats the purpose of resetting the password periodically.
- Users will be inclined to write down their new password to remember it, which could jeopardise their account.
Whilst Microsoft has dropped the expiration policy for Windows users, they still plan to keep their baseline requirements such as minimum password length, history, and complexity. Although the policy has been dropped, Microsoft still plans to have it as an option for organisations should they wish to keep it.
Ways to combat password issues
Margosis wrote that whilst they are removing the expiration policy, it does not necessarily mean that they are “lowering security standards”. Instead, Margosis proposes alternative security measures such as:
- Banned password lists or complexity requirements to stop guessable or simple words from becoming a password.
- Multifactor authentication, which requires multiple modes of authentication rather than just a password. For example, the Office 365 Authenticator app requires you to approve or deny a login request on your phone before you can log in.
- Reinforcing basic password policies, such as a minimum of 14 characters with a mix of upper- and lower-case letters, numbers and special characters.
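A small policy checker, added here as an illustration rather than anything from Microsoft's post, that enforces the baseline above and also rejects the predictable variation described earlier (P@$$word1 becoming P@$$word2). The banned list, the character-substitution table and the 14-character/four-class rule are assumptions chosen for the example.

```python
import re

# Constructed sample banned list; a real deployment would load a much larger one.
BANNED = {"password", "welcome", "letmein", "qwerty"}

# Assumed substitutions so that P@$$w0rd is recognised as "password".
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "l", "3": "e"})


def normalize(pw: str) -> str:
    """Reduce a password to its 'stem': lower-case, drop the trailing
    digits/symbols users bump on each reset, then undo common substitutions."""
    stem = re.sub(r"[\d\W_]+$", "", pw.lower())
    return stem.translate(LEET)


def meets_baseline(pw: str, min_len: int = 14) -> bool:
    """Minimum length plus all four character classes (the post's baseline)."""
    classes = (r"[A-Z]", r"[a-z]", r"\d", r"[^A-Za-z0-9]")
    return len(pw) >= min_len and all(re.search(c, pw) for c in classes)


def check_password(new: str, history=()) -> list:
    """Return the reasons a candidate password is rejected; empty means accepted.
    `history` holds the user's previous passwords (assumed to be available
    in plaintext only at change time, as the old password is re-entered)."""
    reasons = []
    if not meets_baseline(new):
        reasons.append("does not meet 14-char/4-class baseline")
    stem = normalize(new)
    if stem in BANNED:
        reasons.append("stem is on the banned list")
    if any(stem == normalize(old) for old in history):
        reasons.append("trivial variation of a previous password")
    return reasons


if __name__ == "__main__":
    # The exact pattern from the post: P@$$word1 -> P@$$word2 is caught.
    print(check_password("P@$$word2", ["P@$$word1"]))
    # Long enough and complex, but still the same banned stem.
    print(check_password("P@$$word1234!!", ["P@$$word1"]))
    # A genuinely new passphrase passes.
    print(check_password("Correct-Horse-Battery-9", ["P@$$word1"]))
```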
Microsoft has pioneered the abandonment of frequent expiration. They maintain that, with the other security baselines in place, removing this policy won’t jeopardise your credentials.