With the growing sophistication of cybercriminals, passwords have become an increasingly inefficient way to protect systems and content. Microsoft is taking steps to remove passwords and has removed a particularly annoying feature from Windows 10.
I am talking about mandatory periodic password changes, a Windows 10 feature that caused more harm than good. With the introduction of Windows 10 version 1903 (May 2019 Update) next month, the baseline settings will be dropped.
“Periodic password expiration is an ancient and obsolete mitigation of very low value, and we don’t believe it’s worthwhile for our baseline to enforce any specific value,” says Aaron Margosis, a Microsoft principal consultant.
Under the new terms, customers will be able to select a date when their password expires, or indeed choose not to have an expiry date. In a blog post, Margosis explains says that while the protection the tool provided was limited, it did also caused too many issues that could compromise security.
“When humans are forced to change their passwords, too often they’ll make a small and predictable alteration to their existing passwords, and/or forget their new passwords. When passwords or their corresponding hashes are stolen, it can be difficult at best to detect or restrict their unauthorized use.”
While mandatory password updates are being removed, Windows 10 version 1903 will continue with basic password requirements. So, there will be no changes to not being allowed to use an historic password or the complexity and length of passwords.
Margosis points to problems with the current system for mandatory password updates. He says these contradictions make the baseline pointless. Under current guidelines, Windows asks organizations to update passwords ever 42 days.
“If it’s a given that a password is likely to be stolen, how many days is an acceptable length of time to continue to allow the thief to use that stolen password? The Windows default is 42 days. Doesn’t that seem like a ridiculously long time?” asks Margosis.