Technology
Microsoft realizes password expiration is poor security
Image: Drew Angerer/Getty Images
Follow @https://twitter.com/PCMag
PCMag.com is a leading authority on technology, delivering Labs-based, independent reviews of the latest products and services. Our expert industry analysis and practical solutions help you make better buying decisions and get more from technology.
Thinking of a secure password is hard, so demanding a user change it every 60 days fills many with dread and leads to weaker security. Microsoft has realized this and decided to remove default password expiry as a security baseline feature in Windows 10.
When organizations deploy Windows 10 to tens, hundreds, or even thousands of employees, default security out the box is very important. That’s why Microsoft provides Windows security baselines, which consist of a group of Microsoft-recommended configuration settings that can be relied upon to provide a more secure operating system.
As part of the baseline, Microsoft in the past stipulated a 60-day password expiration policy, which meant every user was forced to change their password every couple of months (unless an organization changed the configuration). As Ars Technica reports, with the release of Windows 10 v1903, password expiration is being dropped from the baseline because it’s actually detrimental to security.
Microsoft explains in its latest draft security baseline for Windows that, “When humans are forced to change their passwords, too often they’ll make a small and predictable alteration to their existing passwords, and/or forget their new passwords … Periodic password expiration is a defense only against the probability that a password (or hash) will be stolen during its validity interval and will be used by an unauthorized entity. If a password is never stolen, there’s no need to expire it.”
Microsoft also points out that if a password is stolen, the thief has up to 60 days to use it based on this expiration policy, which is ample time to gain entry to a system and cause chaos. So on every level, password expiration simply doesn’t work, which is why it’s disappearing.
Passwords still need to meet a minimum length requirement, be complex enough so as not to be easily guessed, not have been used before, and stored securely. It may still be the case that individual organizations enforce their own expiration policy, but it seems likely the demand for a new password every few months will impact far fewer workers going forward, and that’s a good thing for both their sanity and security.
This article originally published at PCMag
here
Every Samsung Galaxy Unpacked announcement, including S25 phones
10 Sundance films you should know about now
What drives John Cena? The ‘What Drives You’ host speaks out
‘The Brutalist’ AI backlash, explained
OnePlus 13 review: A great option if you’re sick of the usual flagships
‘Night Call’ review: A bad day on the job makes for a superb action movie
How ‘Grand Theft Hamlet’ evolved from lockdown escape to Shakespearean success
If TikTok is banned in the U.S., this is what it will look like for everyone else
‘One of Them Days’ review: Keke Palmer and SZA are friendship goals
‘Back in Action’ review: Cameron Diaz and Jamie Foxx team up for Gen X action-comedy
What’s new to streaming this week? (Dec. 27, 2024)
2025’s public domain works and how you can use them, from Popeye to ‘The Sound and the Fury’
The greatest ’90s films on Prime Video
How to watch ‘Wicked’ at home: Release date, streaming deals, and more
CES 2025 highlights: 12 new gadgets you can buy already
‘American Primeval’ review: Can Netflix’s grimy Western mini-series greatest ‘Yellowstone’?
Tesla launched the new Model Y in China. Here’s what you need to know
Eight ways Mark Zuckerberg changed Meta ahead of Trump’s inauguration
Meta ditches fact-checking for community notes ahead of second Trump term
Space calendar 2025: Here are the moments you won’t want to miss
Every Samsung Galaxy Unpacked announcement, including S25 phones
10 Sundance films you should know about now
What drives John Cena? The ‘What Drives You’ host speaks out
‘The Brutalist’ AI backlash, explained
OnePlus 13 review: A great option if you’re sick of the usual flagships
‘Night Call’ review: A bad day on the job makes for a superb action movie
How ‘Grand Theft Hamlet’ evolved from lockdown escape to Shakespearean success
If TikTok is banned in the U.S., this is what it will look like for everyone else
‘One of Them Days’ review: Keke Palmer and SZA are friendship goals
‘Back in Action’ review: Cameron Diaz and Jamie Foxx team up for Gen X action-comedy
-
Entertainment7 days agoWhat’s new to streaming this week? (Jan. 17, 2025)
-
Entertainment6 days agoExplainer: Age-verification bills for porn and social media
-
Entertainment6 days agoIf TikTok is banned in the U.S., this is what it will look like for everyone else
-
Entertainment6 days ago‘Night Call’ review: A bad day on the job makes for a superb action movie
-
Entertainment6 days agoHow ‘Grand Theft Hamlet’ evolved from lockdown escape to Shakespearean success
-
Entertainment6 days ago‘September 5’ review: a blinkered, noncommittal thriller about an Olympic hostage crisis
-
Entertainment6 days ago‘Back in Action’ review: Cameron Diaz and Jamie Foxx team up for Gen X action-comedy
-
Entertainment6 days ago‘One of Them Days’ review: Keke Palmer and SZA are friendship goals
