
Microsoft is considering dropping its Windows password expiration policy


NelsonG


Microsoft has proposed scrapping a policy in Windows that requires users to periodically change their login password.

In a blog post, the software giant said its new draft security configuration baseline settings would no longer force users whose accounts are controlled by a network’s group policy to change their passwords every few weeks or months.

Microsoft’s draft security baseline document includes recommended policies that affect entire groups of users on a corporate network, including rules that limit certain features and services to prevent misuse or abuse, as well as locking down certain functions that could be used by malware to attack the system or network.

The company said that the existing password change policy is an “ancient and obsolete mitigation of very low value,” and the company doesn’t “believe it’s worthwhile” any longer.

Here’s what Microsoft’s Aaron Margosis said:

Periodic password expiration is a defense only against the probability that a password (or hash) will be stolen during its validity interval and will be used by an unauthorized entity. If a password is never stolen, there’s no need to expire it. And if you have evidence that a password has been stolen, you would presumably act immediately rather than wait for expiration to fix the problem.

If it’s a given that a password is likely to be stolen, how many days is an acceptable length of time to continue to allow the thief to use that stolen password? The Windows default is 42 days. Doesn’t that seem like a ridiculously long time? Well, it is, and yet our current baseline says 60 days – and used to say 90 days – because forcing frequent expiration introduces its own problems. And if it’s not a given that passwords will be stolen, you acquire those problems for no benefit. Further, if your users are the kind who are willing to answer surveys in the parking lot that exchange a candy bar for their passwords, no password expiration policy will help you.

By removing it from our baseline rather than recommending a particular value or no expiration, organizations can choose whatever best suits their perceived needs without contradicting our guidance. At the same time, we must reiterate that we strongly recommend additional protections even though they cannot be expressed in our baselines.

In other words, Microsoft wants to put a premium on using strong, long, and unique passwords and not on regularly changing them.

Not only does changing passwords every few weeks or months frustrate the regular user, it’s been suggested that it actively does more harm than good. Former Federal Trade Commission chief technologist Lorrie Cranor said in a 2016-dated blog post that forcing users to change their passwords every so often can result in weaker passwords.

“Researchers also point out that an attacker who already knows a user’s password is unlikely to be thwarted by a password change,” she wrote. “Once an attacker knows a password, they are often able to guess the user’s next password fairly easily.”

Not long after, the National Institute of Standards and Technology (NIST), which advises the federal government on cybersecurity practices and policies, revised its own advice to remove policies that mandate periodic password changes.

Bill Burr, the since-retired NIST manager who developed the 2003-dated policy that recommended password expiration policies, expressed regret in a 2017 interview about the policy, saying the rule “actually had a negative impact on usability.”

Although Microsoft’s proposals are still in draft, if passed they could be rolled out in Windows 10’s May Update, expected next month.
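For admins who want to see where their own domain stands against the numbers quoted above (the 42-day Windows default, the 60-day baseline and the former 90-day one), here is an added read-only audit script. It is not from the article or from Microsoft's baseline tooling; it assumes the ActiveDirectory RSAT module is installed and that the session can query a domain controller, and it assumes the cmdlet reports a MaxPasswordAge of 00:00:00 when the domain is set so passwords never expire.

```powershell
# Added audit example (not from the article or Microsoft): report the effective
# default domain password policy so an admin can see whether expiration is still
# enforced and which other protections are in place.
# Assumption: ActiveDirectory RSAT module present and a reachable domain controller.
Import-Module ActiveDirectory

$policy = Get-ADDefaultDomainPasswordPolicy

# Assumption: MaxPasswordAge of 00:00:00 means "passwords never expire".
$expires = $policy.MaxPasswordAge -gt [TimeSpan]::Zero

# Summarise the settings most relevant to the expiration debate.
[pscustomobject]@{
    Domain               = $policy.DistinguishedName
    MaxPasswordAgeDays   = if ($expires) { $policy.MaxPasswordAge.TotalDays } else { 'never' }
    ExpirationEnforced   = $expires
    MinPasswordLength    = $policy.MinPasswordLength
    ComplexityEnabled    = $policy.ComplexityEnabled
    PasswordHistoryCount = $policy.PasswordHistoryCount
    LockoutThreshold     = $policy.LockoutThreshold
} | Format-List

# Compare the configured age against the reference points quoted in the article
# (42-day Windows default, 60-day current baseline, 90-day former baseline).
if ($expires) {
    switch ($policy.MaxPasswordAge.TotalDays) {
        42      { 'MaxPasswordAge matches the Windows default (42 days).' }
        60      { 'MaxPasswordAge matches the current 60-day baseline.' }
        90      { 'MaxPasswordAge matches the former 90-day baseline.' }
        default { "MaxPasswordAge is $_ days." }
    }
} else {
    'Passwords do not expire; protection rests on length, complexity, lockout and the other controls above.'
}
```

One caveat when reading the output: fine-grained password policies (password settings objects) can override the default domain policy for specific users or groups, so a domain whose default says "never" may still expire passwords for some accounts. `Get-ADFineGrainedPasswordPolicy -Filter *` lists any such overrides.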
