Microsoft has made a move with the most recent version of Windows 10, the May 2019 update. Among the changes introduced, Microsoft has removed the need to change passwords every 60 days. With emerging technology such as 2FA and better breach detection, Microsoft is trying to cut the cord on password rules developed decades ago and nudge people and companies towards better practices.
Most corporate password policies are based on:
- password complexity rules to thwart brute force password crackers
- password rotation rules that stop thieves from using old passwords that have been stolen
- password expiration rules to limit how long an attacker can keep using a stolen credential
The advice of a number of security experts is to only force users to change passwords when you believe the existing authentication methods have been compromised.
Uppercase, lowercase, number, symbol - it's the mantra repeated over and over by IT admins when they set password rules. Throw in the requirement to change those passwords every 30 days or so, and not repeat an old password or even have characters in the same place over some arbitrary cycle and you suddenly have a complex set of rules that makes life really hard for users. And the guy who penned many of these rules, Bill Burr from NIST, says he screwed up.
Better yet, use a two-factor or multi-factor authentication system so the compromise of a user account doesn't mean you've given up the crown jewels.
Windows 10 Build 1903 follows the advice of NIST - the organisation that created the password rules many security policies are based on - in removing the scheduled expiration of passwords. Microsoft has been pushing for the death of passwords for a while now, saying we have better breach detection methods and should use 2FA with devices such as the YubiKey.
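As an added example (not code from the article or from Microsoft), the snippet below audits whether a Windows 10 machine still enforces a scheduled password expiration, so an admin can see where a local policy lags behind the 1903 baseline. It assumes an English-language Windows where `net accounts` prints the "Maximum password age (days):" line; the function name and the returned fields are the author's own.

```powershell
# Added example, not part of the original article.
# Reads the effective local account policy via 'net accounts' and reports whether
# scheduled password expiration is still enforced. Assumes English output strings.

function Get-LocalPasswordExpirationPolicy {
    # 'net accounts' prints one setting per line, e.g.
    #   "Maximum password age (days):      42"   or   "...:      Unlimited"
    $value = $null
    foreach ($line in (net accounts)) {
        if ($line -match '^Maximum password age \(days\):\s*(\S+)') {
            $value = $Matches[1]
        }
    }
    if (-not $value) {
        throw 'Could not read the maximum password age from net accounts output.'
    }

    $expires = ($value -ne 'Unlimited')

    [pscustomobject]@{
        MaxPasswordAgeDays = if ($expires) { [int]$value } else { $null }
        ExpirationEnforced = $expires
        # Remediation mirrors the 1903 baseline: drop scheduled rotation and lean on
        # MFA and breach detection. Changing the policy requires an elevated prompt.
        Recommendation     = if ($expires) {
            'Scheduled expiration still enforced; remove with: net accounts /maxpwage:unlimited'
        } else {
            'No scheduled expiration; keep MFA and breach detection in place'
        }
    }
}

Get-LocalPasswordExpirationPolicy | Format-List
```

On a domain-joined machine the reported value reflects whatever policy Group Policy has pushed down, so fix it at the domain level rather than with the local command.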
We need to stop making security harder for users. And this move by Microsoft is a push in that direction.