Mandatory Password Updates Hurt User Security: Microsoft Password Policy Change

Microsoft recently unveiled a policy update that caught many users by surprise: it has decided to do away with the time-honored tradition of required, regular password resets. In May 2019, Microsoft announced that it is dropping the password-expiration setting from its security configuration baseline for Windows 10 v1903 and Windows Server v1903.

The previous policy required that any password used to access a user account be changed every 42 days, a routine most people are very familiar with. Due to growing concerns from security experts, along with updated guidance from the US National Institute of Standards and Technology, Microsoft has changed its practice to bring it in line with national standards.

It is worth noting that Microsoft is not changing its policies on password length, complexity, or banned passwords; the only change is the removal of regularly scheduled password updates.


What caused Microsoft’s change of heart?

Interestingly, it turns out that regularly changing logon passwords has had the opposite effect of what was intended. Rather than refreshing passwords so that stolen ones cannot be used, the practice has made password security significantly weaker.

There are three major reasons why mandatory password updates at regular intervals actually hurt user security.

Forcing users to constantly update passwords results in weaker, less sophisticated passwords.

It should not come as much of a surprise that requiring users to constantly update or change their passwords results in less sophisticated passwords. When companies require routine password changes, users typically pick something mundane and easy to remember.

As Aaron Margosis, a Microsoft security consultant, explains,

“When humans are forced to change their passwords, too often they’ll make a small and predictable alteration to their existing passwords, and/or forget their new passwords. When passwords or their corresponding hashes are stolen, it can be difficult at best to detect or restrict their unauthorized use.”

Furthermore, it has been shown that when users are forced to regularly come up with new passwords, they consistently produce ones that are just the previous password with an incremented numeric suffix, or they recycle the same simple password everywhere they go. Either way, these practices do nothing to benefit security.
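The "small and predictable alteration" pattern described above is something a password-change filter can reject before the new password is accepted. The following is an added example, not code from the article or from Microsoft: a constructed Python check that flags a candidate password whose stem equals the old one once a trailing run of digits or punctuation is stripped, or that sits within two single-character edits of the old password.

```python
import re

# Trailing run of digits/punctuation that users bump on each forced change
# (e.g. 'Summer2019!' -> 'Summer2020!'). Constructed rule for this example.
SUFFIX = re.compile(r"[0-9!@#$%^&*._-]+$")


def stem(password: str) -> str:
    """Case-fold and drop the trailing digit/punctuation run ('Welcome1' -> 'welcome')."""
    return SUFFIX.sub("", password.casefold())


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one- or two-character tweaks such as 'P@ss' -> 'P@sss'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def is_predictable_variant(old: str, new: str, max_edits: int = 2) -> bool:
    """True when `new` is a trivial rework of `old` and should be rejected by a change filter."""
    if not new:
        return False  # empty candidates are rejected by length rules elsewhere
    old_stem = stem(old)
    # Same stem after stripping the suffix: 'Welcome1' vs 'Welcome2', 'P@ssw0rd' vs 'P@ssw0rd!'
    if old_stem and old_stem == stem(new):
        return True
    # Otherwise, a handful of character edits is still a predictable alteration
    return edit_distance(old.casefold(), new.casefold()) <= max_edits


if __name__ == "__main__":
    # Constructed sample pairs, not data from the article
    for old, new in [("Summer2019!", "Summer2020!"), ("Welcome1", "correct horse battery")]:
        print(f"{old!r} -> {new!r}: {'reject' if is_predictable_variant(old, new) else 'accept'}")
```

A real deployment would run this inside the platform's password-change hook (on Windows, a password filter DLL) alongside the existing length, complexity and banned-password checks the article says Microsoft is keeping.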

Arbitrary password updates at certain time intervals have no meaningful benefit for security.

What is the logic behind regularly changing a password in the first place? The theory is that if someone gets hold of your password, you will eventually change it, and that person will then no longer have access to your data.

Microsoft's default interval is 42 days. That is nearly six weeks during which someone could have your password. It doesn't make a lot of sense, does it? The truth is that if someone does obtain a hashed password, it will not take them five to six weeks to make use of it, but anywhere from a few hours to a day. A much better practice is to ensure that attackers cannot get your credentials in the first place. Expiration is triage after the fact, when the focus should be on prevention.

Margosis notes,

“If it’s a given that a password is likely to be stolen, how many days is an acceptable length of time to continue to allow the thief to use that stolen password? The Windows default is 42 days. Doesn’t that seem like a ridiculously long time?”

Companies often focus on compliance with audit guidelines, not actual security.

Oddly, the final reason behind the change was that many companies were putting compliance ahead of security. A number of firms adhere to Microsoft's security guidelines, and third-party auditors frequently verify that any company running Microsoft services is up to date and compliant with those policies. As a result, it became common practice to follow the Microsoft security guidelines as strictly as possible without considering how doing so actually affected security.

Security, safety, and privacy are an ever-evolving landscape in the online world. As we progress and understand the science behind what works and what doesn't, expect many more changes like this in the future. Who knows, one day we may do away with passwords altogether.
