Microsoft says expiring passwords are no longer secure

Windows 10 May 2019 update will stop forcing users to change passwords every few months

list of poor passwords on notepad

Microsoft will scrap its archaic password expiration policies in the upcoming Windows 10 May 2019 update to encourage organisations to implement more contemporary and effective security measures.

The update will apply to Windows 10 version 1903 and Windows Server version 1903 and to replace the time-based periodic password expirations, organisations should set up.

The company explained that if customers are required to change their password regularly, they are more likely to write down the passwords so they don't forget them and this could mean that others can quite easily get their hands on them, increasing the likelihood of them being stolen.

Microsoft also noted that if people are asked to change their passwords often, they probably will only make very small changes and thus they won't be particularly secure. They are also more likely to forget their passwords and will have to reset them, affecting user experience and loyalty.

Additionally, even if a password was stolen, the thief would still be able to use that password until the user is forced to change it. Windows requests that a password is changed every 42 days as default. However, it used to advise the change is made every 90 days.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

Microsoft argued that password expiration is an out of date method of data protection and it no longer recommends such policies are enforced.

"Recent scientific research calls into question the value of many long-standing password-security practices such as password expiration policies, and points instead to better alternatives such as enforcing banned-password lists (a great example being Azure AD password protection) and multi-factor authentication," Microsoft said in a blog post.

However the company hasn't proposed an alternative, neither has it actually rolled out the changes, meaning that Windows 10 users will at least for the near future still need to change their passwords frequently.

Featured Resources

What you need to know about migrating to SAP S/4HANA

Factors to assess how and when to begin migration

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

Testing for compliance just became easier

How you can use technology to ensure compliance in your organisation

Download now

Best practices for implementing security awareness training

How to develop a security awareness programme that will actually change behaviour

Download now
Advertisement

Recommended

Visit/security/internet-security/354417/avast-and-avg-extensions-pulled-from-chrome
internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019
Visit/security/354156/google-confirms-android-cameras-can-be-hijacked-to-spy-on-you
Security

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

Visit/policy-legislation/data-governance/354496/brexit-security-talks-under-threat-after-uk-accused-of
data governance

Brexit security talks under threat after UK accused of illegally copying Schengen data

10 Jan 2020
Visit/microsoft-windows/32066/what-to-do-if-youre-still-running-windows-7
Microsoft Windows

What to do if you're still running Windows 7

14 Jan 2020
Visit/hardware/laptops/354533/dell-xps-13-new-9300-hands-on-review-chasing-perfection
Laptops

Dell XPS 13 (New 9300) hands-on review: Chasing perfection

14 Jan 2020
Visit/operating-systems/25802/17-windows-10-problems-and-how-to-fix-them
operating systems

17 Windows 10 problems - and how to fix them

13 Jan 2020