
Microsoft drops advice to periodically change Windows passwords

Microsoft plans to drop its advice that Windows users should change their login password periodically. The change specifically concerns accounts that are managed through Group Policy.

Microsoft has published a draft of the security configuration baseline for Windows 10 version 1903 and Windows Server version 1903, commonly known as the May 2019 Update.

The document contains recommended Group Policy settings for users and computers on a company network: rules that restrict certain features and services to prevent misuse, as well as settings that disable features malware could abuse to attack the system or network.

Password Policy

Until now, a mandatory periodic change of Windows passwords was also part of this baseline. Microsoft now acknowledges that it is an outdated and superfluous mitigation of little value. The recommendation is removed from the new draft because, according to Microsoft, it is no longer worthwhile.

Periodic password expiration is only a defence against the probability that a password (or hash) will be stolen during its validity period and used by an unauthorized entity, says Aaron Margosis, principal consultant at Microsoft. If a password is never stolen, there is no need to let it expire. And if you have proof that a password has been stolen, you will probably act immediately instead of waiting for the password to expire to solve the problem.

Choose for yourself

By removing the requirement from the baseline entirely, organisations can decide for themselves which password policy to use without contradicting Microsoft's advice. At the same time, the company is shifting its focus to long and unique passwords, which are stronger. Note that dropping the recommendation changes nothing on existing systems: whatever maximum password age is already configured in a domain or local policy stays in force until an administrator changes it.
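As an added example that is not code from the article or from Microsoft's baseline documents, the following PowerShell script audits the password-expiration and length settings that are actually in force and, when explicitly enabled, removes periodic expiration from the Default Domain Policy while raising the minimum length. It assumes the ActiveDirectory RSAT module on a domain-joined administrative workstation; on a workgroup machine it falls back to parsing `net accounts` (English-locale output assumed). The 14-character minimum and the 24-password history are values chosen for this example, not values the article states.

```powershell
# Added example, not code from the article or from Microsoft's baseline.
# Audits effective password-expiration settings; changes the Default Domain
# Policy only when $Apply is $true. Assumptions: ActiveDirectory RSAT module
# available on a domain-joined admin host; 14 chars / 24-entry history are
# values chosen here, not values stated in the article.

$Apply = $false   # dry run by default; set to $true to change the Default Domain Policy

function Get-LocalPasswordPolicy {
    # Fallback for a workgroup machine: parse 'net accounts' (English locale output assumed).
    $lines  = net accounts
    $maxAge = ($lines | Where-Object { $_ -match 'Maximum password age' }) -replace '.*:\s*', ''
    $minLen = ($lines | Where-Object { $_ -match 'Minimum password length' }) -replace '.*:\s*', ''
    [PSCustomObject]@{
        Source            = 'Local security policy'
        MaxPasswordAge    = if ($maxAge -eq 'Unlimited') { 'Never' } else { "$maxAge days" }
        MinPasswordLength = [int]$minLen
    }
}

function Get-DomainPasswordPolicy {
    $p = Get-ADDefaultDomainPasswordPolicy
    # AD reports "never expires" as a zero TimeSpan or as TimeSpan.MaxValue,
    # depending on how the value was written.
    $never = ($p.MaxPasswordAge -eq [TimeSpan]::Zero) -or ($p.MaxPasswordAge -eq [TimeSpan]::MaxValue)
    [PSCustomObject]@{
        Source               = "Default Domain Policy ($($p.DistinguishedName))"
        MaxPasswordAge       = if ($never) { 'Never' } else { "$($p.MaxPasswordAge.Days) days" }
        MinPasswordLength    = $p.MinPasswordLength
        PasswordHistoryCount = $p.PasswordHistoryCount
        ComplexityEnabled    = $p.ComplexityEnabled
        LockoutThreshold     = $p.LockoutThreshold   # 0 means no lockout against online guessing
    }
}

$domainJoined = (Get-CimInstance Win32_ComputerSystem).PartOfDomain

if ($domainJoined) {
    Import-Module ActiveDirectory
    Write-Host 'Current policy:'
    Get-DomainPasswordPolicy | Format-List

    if ($Apply) {
        # Dropping expiration from Microsoft's baseline changes nothing on an existing
        # domain: a fresh Default Domain Policy ships with a 42-day maximum age and
        # keeps it until an administrator changes it.
        $settings = @{
            MaxPasswordAge       = [TimeSpan]::Zero   # 0 = passwords never expire
            MinPasswordLength    = 14                 # example value: favour long passwords over rotation
            PasswordHistoryCount = 24                 # example value: still block reuse of old passwords
        }
        Get-ADDefaultDomainPasswordPolicy | Set-ADDefaultDomainPasswordPolicy @settings
        Write-Host 'Policy after change:'
        Get-DomainPasswordPolicy | Format-List
    }
} else {
    Get-LocalPasswordPolicy | Format-List
}
```

Run it first with `$Apply = $false` to see what is actually enforced; the audit alone is often the useful part, because a domain that was built from the defaults still expires passwords every 42 days regardless of what the baseline now says.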

Microsoft is making the right decision. Forced password changes frustrate users and push them toward weaker passwords: faced with a mandatory change, many users pick a small variant of the old password rather than a genuinely new one.

Lorrie Cranor, former chief technologist of the U.S. Federal Trade Commission, warned about this in 2016: an attacker who already knows a user's password will probably not be thwarted by a password change. As soon as an attacker knows a password, he can often easily guess the user's next password.

This news article was automatically translated from Dutch to give Techzine.eu a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.