
Windows 10 is getting rid of its password expiration policy, admits it's ineffective

By midian182 · 10 replies
Apr 25, 2019
  1. Microsoft has outlined the new security settings that will apply to Windows 10 version 1903 and Windows Server version 1903. “When humans pick their own passwords, too often they are easy to guess or predict,” writes Microsoft’s Aaron Margosis. “When humans are assigned or forced to create passwords that are hard to remember, too often they’ll write them down where others can see them. When humans are forced to change their passwords, too often they’ll make a small and predictable alteration to their existing passwords, and/or forget their new passwords.”

    Margosis says there are better alternatives to password expiration policies, including banned-password lists and multi-factor authentication, but Microsoft cannot enforce these with its recommended security configuration baselines.

    One of the main problems is that password expirations only protect users when a password has been stolen. If this does happen, most people will quickly realize and do something about it straight away, rather than wait up to 42 days before being made to change the password.

    “…forcing frequent expiration introduces its own problems. And if it’s not a given that passwords will be stolen, you acquire those problems for no benefit,” added Margosis.

    Other password policies such as requiring a minimum length and a combination of letters, numbers, and symbols will remain.

    It was revealed earlier this week that millions of people still use 123456 as their password.
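The two failure modes Margosis describes (guessable passwords such as 123456, and rotations that are only a small, predictable alteration of the old password) and the banned-password-list alternative he prefers can be demonstrated in code. This is an added example, not Microsoft's list or baseline logic; the banned words and the substitution table are constructed, and a real deployment would load a far larger list.

```python
# Constructed example: banned-word screening plus predictable-rotation detection.
EDGE_CHARS = "0123456789!@#$%^&*()-_=+.,?"
# Common substitutions users make to push a weak word past a complexity filter.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                          "7": "t", "@": "a", "$": "s", "!": "i"})
# Small constructed banned list; stands in for a real banned-password list.
BANNED_WORDS = {"password", "123456", "qwerty", "letmein", "welcome"}

def variants(pw: str) -> set:
    """Case-folded forms of pw with edge digits/symbols and leet substitutions undone."""
    folded = pw.casefold()
    core = folded.strip(EDGE_CHARS)
    return {v for v in (folded, core, folded.translate(LEET_MAP),
                        core.translate(LEET_MAP)) if v}

def is_banned(pw: str) -> bool:
    """True if any banned word appears in any normalised variant of pw."""
    return any(word in v for v in variants(pw) for word in BANNED_WORDS)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot 'change one character' rotations."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_predictable_alteration(old: str, new: str, max_edits: int = 2) -> bool:
    """True if new is old with only edge digits/symbols changed, or <= max_edits edits away."""
    a, b = old.casefold(), new.casefold()
    core_a, core_b = a.strip(EDGE_CHARS), b.strip(EDGE_CHARS)
    return (bool(core_a) and core_a == core_b) or edit_distance(a, b) <= max_edits

def screen(old: str, new: str) -> list:
    """Return the reasons a proposed password change should be rejected (empty = accept)."""
    reasons = []
    if is_banned(new):
        reasons.append("banned word")
    if old and is_predictable_alteration(old, new):
        reasons.append("predictable alteration of previous password")
    return reasons

if __name__ == "__main__":
    for old, new in [("Summer2018!", "Summer2019!"), ("", "P@ssw0rd1"), ("", "123456"),
                     ("Summer2018!", "correct horse battery staple")]:
        print(f"{old!r} -> {new!r}: {screen(old, new) or 'accepted'}")
```

Note that the forced-rotation case (Summer2018! to Summer2019!) passes a length-and-complexity filter but is rejected here, which is exactly the weakness of expiration policies the article describes.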


  2. m4a4

    m4a4 TS Evangelist Posts: 1,460   +1,035

    And with that, I repost this:
    Zorak, madboyv1 and wiyosaya like this.
  3. wiyosaya

    wiyosaya TS Evangelist Posts: 3,998   +2,295

    (y) (Y)

    It's about time. M$ finally admitting they are not always right - that, in and of itself, is amazing.

    Getting rid of the expiration policy is a great first step, but adopting the rest of the revised rules will be even better.
  4. Jeff Re

    Jeff Re TS Addict Posts: 151   +115

    Good luck getting companies to comply.
  5. fps4ever

    fps4ever TS Evangelist Posts: 305   +301

    You HAVE to change your passwords every XX days for companies that need to be PCI compliant.
  6. thanos999

    thanos999 TS Rookie

    Only ever had 1 password, never had to change it once in 15 years
    wiyosaya likes this.
  7. wiyosaya

    wiyosaya TS Evangelist Posts: 3,998   +2,295

    m4a4 likes this.
  8. fps4ever

    fps4ever TS Evangelist Posts: 305   +301

    The whole compliance process is so convoluted and such a complicated mess that most companies pencil whip their PCI compliance. That is the reason everybody gets hacked and the majority of them tell you they were compliant but were actually not. There have been several high profile security breaches due to admin accounts never changing their passwords so it took months/years to catch it. I'd take anything Microsoft says about security with a grain of salt. Guess who had influence with the PCI standards group...NITS. Security practices change with the wind.
  9. Adhmuz

    Adhmuz TechSpot Paladin Posts: 1,924   +712

    Password expiration can simply be disabled, I don't understand what the big deal is...
  10. Raytrace3D

    Raytrace3D TS Addict Posts: 110   +109

    correct horse battery staple
  11. Sergey Novikov

    Sergey Novikov TS Member Posts: 19   +10

    I've been talking about this for many years!
