Many employers, mine included, have a major problem with passwords. Every few months, or even weeks, our passwords expire and must be changed. The average user responds by incrementing a number (password1 becomes password2) or bumping the year or month (password2018 becomes password2019). While this may meet the letter of the policy, it defeats the purpose of expiration in the first place by encouraging weak, predictable passwords: anyone who has the old password can guess the new one.
In the middle of last year Microsoft updated the Windows Security Baseline, its suggested security configuration for Windows products, and removed the password-expiration policy from its recommendations. On the surface it sounds like a good idea, and the deeper you dig, the better it gets.
What is the password-expiration policy?
The password-expiration policy is exactly what it sounds like: it is the amount of time before your password expires and must be changed (the "Maximum password age" setting in Windows). The policy exists to limit the damage from compromised passwords and accounts. In Windows, the default is 42 days when enabled; the Security Baseline, before this change, recommended 60 days. Password expiration was introduced so that a stolen password would only remain useful to an attacker until the next rotation, which sounds like a great idea.
However, in trying to fix one problem, compromised passwords, the policy introduced another: weak passwords. When users are forced to change their passwords too often, they typically pick weaker ones. In addition, “it’s not a given that passwords will be stolen, [and] you acquire those problems for no benefit.” [1] Microsoft TechNet Blog
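The setting described above can be inspected and changed from an elevated PowerShell prompt. The following is an added example, not code from the original post or from Microsoft; it assumes a domain-joined machine with the RSAT ActiveDirectory module installed and rights to modify the domain password policy.

```powershell
# Added example (not from the original post): read the Windows "Maximum password
# age" setting the post discusses and, once you have decided to drop periodic
# expiration, change it. Run elevated; the /domain forms need a domain-joined
# machine and rights on the PDC emulator.

# 1. Read the current value. "42" is the Windows default, "60" is what the
#    pre-change Security Baseline recommended, "Unlimited" means never expires.
$local  = net accounts         | Select-String 'Maximum password age'
$domain = net accounts /domain | Select-String 'Maximum password age'
"Local:  $local"
"Domain: $domain"

# 2. The same value straight from Active Directory. MaxPasswordAge is a TimeSpan;
#    00:00:00 means passwords never expire.
Import-Module ActiveDirectory
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MaxPasswordAge, MinPasswordLength, PasswordHistoryCount, ComplexityEnabled

#    Fine-grained password policies (PSOs) override the domain default for the
#    users and groups they apply to, so check them before assuming the domain
#    value is what a given account actually gets.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, MaxPasswordAge, AppliesTo

# 3. Remove periodic expiration. Locally:
net accounts /maxpwage:unlimited

#    For the domain, either set "Maximum password age" to 0 in the Default Domain
#    Policy GPO (Computer Configuration > Policies > Windows Settings >
#    Security Settings > Account Policies > Password Policy) or, equivalently:
net accounts /maxpwage:unlimited /domain

# 4. Verify the change took effect (expect "Unlimited").
net accounts /domain | Select-String 'Maximum password age'
```

As the rest of the post argues, only make the change in step 3 for a population that already has the compensating controls in place (2FA, banned-password lists, breach monitoring); accounts without them gain little from rotation, but they also have nothing else standing in for it.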
Why remove the policy?
The security baseline exists for well-managed IT teams to use with little or no modification. However, technology auditors also use the baseline to check the security of a company. “If a baseline recommends 60 days and an organization with advanced protections opts for 365 days – or no expiration at all – they will get dinged in an audit unnecessarily and might be compelled to adhere to the 60-day recommendation.” [2] Microsoft TechNet Blog. This is a big issue. An organization that uses two-factor authentication (2FA) and never expires passwords is more secure than one that rotates passwords but has no 2FA. In essence, “if [a company hasn’t] implemented modern mitigations, how much protection will they really gain from password expiration?”
With all of the new forms of authentication and the push for passwordless login, it is no surprise Microsoft is removing the policy from its security baseline. If an account can use 2FA, I implore you to set it up. And while you are at it, use a password manager, too.