Windows 10: Microsoft ditches its 'ancient, obsolete' expiring password policy

Organizations will no longer get a red mark for not implementing Microsoft's recommended 60-day password expiration policy.
Written by Liam Tung, Contributing Writer

Microsoft co-founder Bill Gates has been predicting the death of passwords for nearly 20 years. They're still with us today, but now the company has decided it's time get rid of one of the sillier rules that helped make passwords a problem in the first place: forced periodic password changes. 

The company plans to drop expiring password policies in its security configuration baseline settings for Windows 10 1903, or the May 2019 Update, and for Windows Server 1903.

"Periodic password expiration is an ancient and obsolete mitigation of very low value, and we don't believe it's worthwhile for our baseline to enforce any specific value," explains Aaron Margosis, a Microsoft principal consultant. 

Organizations will now be able to pick their own password expiration date or choose not to have one at all. 

SEE: 20 pro tips to make Windows 10 work the way you want (free PDF)

As Margosis explains, periodically forcing users to pick a new password is a defense only against a valid password or password hash being stolen and used by an unauthorized person. While the policy doesn't offer much protection, it does create headaches that make passwords an even bigger problem. 

"When humans are forced to change their passwords, too often they'll make a small and predictable alteration to their existing passwords, and/or forget their new passwords. When passwords or their corresponding hashes are stolen, it can be difficult at best to detect or restrict their unauthorized use."

Microsoft's proposal follows US National Institute of Standards and Technology's (NIST) overhaul of its guidance for password rules two years ago, which dropped periodic password changes and password complexity requirements. 

The update also suggested organizations check that new passwords aren't terrible ones commonly found in data breaches, such as '123456' or 'qwerty' – two that turned up frequently in the UK National Cyber Security Centre's analysis of password breaches to create its list of the worst 100,000 passwords

Microsoft isn't changing its requirements for minimum password length, history, or complexity. It also recommends using tools such as its Azure Active Directory password protection tool, which admins can use to ban common passwords, such as 'password' and variations on them, like 'p@$$word'.  

Margosis details several contradictions in the existing baseline that make password expiration policies completely useless.  At the moment, Windows suggests 42 days, yet the existing baseline is 60 days, and it used to be 90 days. 

"If it's a given that a password is likely to be stolen, how many days is an acceptable length of time to continue to allow the thief to use that stolen password? The Windows default is 42 days. Doesn't that seem like a ridiculously long time?" asks Margosis.  

The updated baseline could have a positive effect on organizations undergoing an audit by someone who uses Microsoft's security baseline. 

For example, an organization may have implemented banned password lists, two-factor authentication, and detection of password attacks, yet they may be penalized in the audit if it's found not to comply with Microsoft's 60-day suggestion. 

"It is not unusual for organizations during audit to treat compliance numbers as more important than real-world security," explains Margosis. 

"If a baseline recommends 60 days and an organization with advanced protections opts for 365 days – or no expiration at all – they will get dinged in an audit unnecessarily and might be compelled to adhere to the 60-day recommendation."

More on Microsoft Windows and passwords

Editorial standards