Ask a bunch of security professionals what makes a secure password and you’ll get a bunch of different answers. Some will argue that it’s all about length, others that randomness and complexity are king, but everyone will agree that password reuse is never acceptable.
Some will still argue that giving passwords an expiry date, after which they must be changed, is an essential part of the business security policy picture. With the arrival of the Windows 10 May 2019 Update (version 1903), it would appear that Microsoft is finally leaving that group. According to Aaron Margosis, a principal consultant with Microsoft, the Windows security baseline will no longer recommend “ancient and obsolete” periodic password expiration starting with the 1903 release.
While most welcome, it has to be said that nobody I have spoken to in the information security business saw that coming, not least because the arguments for password expiration have been comprehensively dismantled for some years now, yet Microsoft had shown no inclination to jump from this particular sinking security ship.
Microsoft’s security baselines have for many years been the staple for organizations wanting secure operating-system settings out of the box. A baseline is a whole set of system policy settings that make good sense as a starting point for a secure posture for most organizations and as the default position for some. Things become problematic when an organization undergoes an audit that measures against the Microsoft security baseline and is penalized for non-compliance because it has configured something other than the baseline’s current 60-day maximum password age.
Yet, as Margosis writes “recent scientific research calls into question the value of many long-standing password-security practices such as password expiration policies, and points instead to better alternatives such as enforcing banned-password lists and multi-factor authentication.”
The United States National Institute of Standards and Technology (NIST) has recommended dropping password expiration from security policy since 2016, when the draft of its Digital Identity Guidelines (SP 800-63B) advised against requiring periodic changes. Now it seems that Microsoft has finally caught up and will be dropping the requirement starting from Windows 10 version 1903 and Windows Server version 1903 onward. This makes perfect sense to me as someone who has been following information security trends for the best part of three decades.
Things have changed over those years, not least the technology that now enables threat actors to crack simplistic passwords in the blink of an eye. Forcing users to change passwords over relatively short timeframes inevitably leads to those users choosing the simplest, and therefore most memorable, passwords possible. Stand up everyone who has never seen incremental numbering of short passwords in a corporate environment. I’m guessing everyone is still sitting down.
The days of simplistic passwords changed often are long gone. The current advice is longer passwords that do not expire, reinforced instead by banned-password lists and multi-factor authentication. “While we recommend these alternatives, they cannot be expressed or enforced with our recommended security configuration baselines,” Margosis says, “which are built on Windows’ built-in Group Policy settings and cannot include customer-specific values.” In other words, a banned-password list is specific to each organization and cannot be shipped as a Group Policy value, so the baseline can only remove the setting it no longer endorses rather than prescribe the replacement. What Microsoft isn’t doing is changing the baseline requirements for minimum password length, password history, or complexity.
It also isn’t stopping organizations from configuring password expiration if they must, for regulatory compliance reasons for example. “The password-expiration security option is still in Windows and will remain there,” Margosis says, adding: “by removing it from our baseline rather than recommending a particular value or no expiration, organizations can choose whatever best suits their perceived needs without contradicting our guidance.”
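As a practical illustration of what the baseline change does and does not touch, the following PowerShell script audits a machine’s local password policy against the settings the 1903 baseline still scores (minimum length, history, complexity, minimum age) and reports the maximum age purely as information. This is an added example written for this article, not code from Microsoft or from the baseline toolkit; the expected values (14 characters, 24 remembered passwords, complexity on, minimum age of one day) are taken from the published Windows 10 baseline and are assumptions you should check against the baseline version you actually deploy. It uses only the built-in secedit.exe export and must be run from an elevated prompt.

```powershell
# Added example (not from the article or from Microsoft): audit the local
# password policy against the settings the Windows 10 1903 baseline still
# recommends. Expected values are assumptions taken from the baseline; the
# maximum password age is reported but no longer treated as a finding.

# secedit exports the local security policy as a Unicode INI file.
$export = Join-Path $env:TEMP 'secpol-audit.inf'
secedit.exe /export /cfg $export /quiet | Out-Null

# Collect the integer-valued entries of the [System Access] section.
$policy = @{}
$inSection = $false
foreach ($line in Get-Content $export) {
    if ($line -match '^\[(.+)\]$') {
        $inSection = ($Matches[1] -eq 'System Access')
        continue
    }
    if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(-?\d+)\s*$') {
        $policy[$Matches[1]] = [int]$Matches[2]
    }
}
Remove-Item $export -ErrorAction SilentlyContinue

# Settings the baseline still enforces; Want is shown to the operator.
$checks = @(
    @{ Name = 'MinimumPasswordLength'; Want = '>= 14';       Test = { param($v) $v -ge 14 } },
    @{ Name = 'PasswordHistorySize';   Want = '>= 24';       Test = { param($v) $v -ge 24 } },
    @{ Name = 'PasswordComplexity';    Want = '1 (enabled)'; Test = { param($v) $v -eq 1 } },
    @{ Name = 'MinimumPasswordAge';    Want = '>= 1 day';    Test = { param($v) $v -ge 1 } }
)

foreach ($c in $checks) {
    $actual = $policy[$c.Name]
    $ok = ($null -ne $actual) -and (& $c.Test $actual)
    $status = if ($ok) { 'OK' } else { 'DRIFT' }
    '{0,-6} {1,-22} actual={2,-4} expected {3}' -f $status, $c.Name, $actual, $c.Want
}

# Expiration: secedit writes -1 for "password never expires". Since the
# 1903 baseline no longer scores this setting, either outcome is reported
# as information rather than as drift.
$maxAge = $policy['MaximumPasswordAge']
if ($null -eq $maxAge) {
    'INFO   MaximumPasswordAge     not present in export'
} elseif ($maxAge -eq -1) {
    'INFO   MaximumPasswordAge     never expires (no longer penalised by the baseline)'
} else {
    "INFO   MaximumPasswordAge     $maxAge days (still allowed, e.g. for regulatory reasons)"
}
```

On a domain-joined machine the effective policy for domain accounts is set at the domain level, so run the same comparison against `Get-ADDefaultDomainPasswordPolicy` (from the ActiveDirectory module) rather than the local export; the point of the script is that an audit built on the new baseline should flag length, history and complexity drift while treating any maximum age, including none, as a documented choice.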