Microsoft has finally decided to get rid of password expiration policies in Windows because forcing people to reset their passwords periodically harms security.
Word arrived from Redmond via Wednesday's draft release of the security configuration baseline settings for Windows 10 version 1903. The release, available as a zipped download of spreadsheets, configuration files, and other documents, includes a variety of changes to the foundational security settings from the previous versions of Windows 10 and Windows Server 2019.
The draft changes include tweaks like adding an App Privacy setting that prevents users from interacting with applications using speech when the system is locked. Microsoft is also dropping specific BitLocker drive encryption method and cipher strength settings, which had required 256-bit encryption and will now default to 128-bit, because "our crypto experts tell us that there is no known danger of its being broken in the foreseeable future."
Finally, some password sense
But the most welcome Windows change is likely to be abandoning periodic password resets, a requirement that annoys just about everyone. To explain its shift, Microsoft cites recent research that casts doubt on the efficacy of password expiration policies.
The cloud-and-bits biz may be referring to a 2010 study by researchers at the University of North Carolina at Chapel Hill, which showed that password expiration policies lead to weaker security because new passwords tend to be based on old ones.
The study also demonstrated that human-chosen passwords are typically too weak to survive brute-force cracking attacks. But that's a separate issue about the general inadequacy of passwords, one that has only recently begun to be addressed through hardware authentication keys.
In any event, Microsoft has finally recognized that password expiration policies do more harm than good.
"When humans are forced to change their passwords, too often they’ll make a small and predictable alteration to their existing passwords, and/or forget their new passwords," explains Aaron Margosis, principal consultant with Microsoft's cybersecurity group, in a post to Microsoft's Security Guidance blog.
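The predictable-alteration problem Margosis describes is something a password-change filter can catch on the defender's side, which is the control that makes dropping forced rotation safe. The following is an added example, not Microsoft's code or any Windows component: a hypothetical change hook that normalises the old and new password (case, trailing digits and symbols, common character substitutions) and rejects the change when the normalised forms are too similar. The threshold and the sample password pairs are constructed for illustration.

```python
"""Added example: reject a new password that is a small edit of the old one.

Hypothetical password-change hook, not Microsoft's code or any part of Windows.
"""
import re
from difflib import SequenceMatcher

# Constructed threshold: a similarity ratio (0..1) at or above this is
# treated as a trivial alteration rather than a genuinely new password.
SIMILARITY_THRESHOLD = 0.8

# Trailing digits and punctuation are the most common "predictable alteration",
# so they are stripped before comparison.
_TRAILING = re.compile(r"[0-9!@#$%^&*._-]+$")

# Undo common character substitutions so 'p@ssw0rd' compares equal to 'password'.
_SUBSTITUTIONS = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s", "5": "s"})


def normalise(password: str) -> str:
    """Canonical form used for comparison: lower-case, trailing digits and
    symbols removed, then common substitutions reversed."""
    core = _TRAILING.sub("", password.lower())
    return core.translate(_SUBSTITUTIONS)


def similarity(old: str, new: str) -> float:
    """Similarity ratio between the normalised old and new passwords.

    difflib returns 1.0 when both normalised strings are empty (for example
    two all-digit passwords), which correctly counts as a trivial change."""
    return SequenceMatcher(None, normalise(old), normalise(new)).ratio()


def is_trivial_change(old: str, new: str, threshold: float = SIMILARITY_THRESHOLD) -> bool:
    """True if the new password should be rejected as a predictable edit of the old one."""
    if not new or new == old:
        return True
    return similarity(old, new) >= threshold


def review_changes(pairs):
    """Evaluate (old, new) pairs; returns a list of (old, new, rejected) tuples."""
    return [(old, new, is_trivial_change(old, new)) for old, new in pairs]


if __name__ == "__main__":
    # Constructed sample of password changes a user might submit after a forced reset.
    sample = [
        ("Winter2019", "Winter2020"),           # season plus year, incremented
        ("Password", "P@ssw0rd1!"),             # substitutions plus suffix
        ("Winter2019", "Summer2019"),           # different base word
        ("Winter2019", "correct horse battery"),  # unrelated passphrase
    ]
    for old, new, rejected in review_changes(sample):
        verdict = "REJECT" if rejected else "accept"
        print(f"{verdict}: {old!r} -> {new!r} (similarity {similarity(old, new):.2f})")
```

The normalisation is deliberately narrow: it targets the edits the article describes (appending or bumping a number, swapping a few characters) rather than attempting general password-strength scoring, which remains a separate concern.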
That's not to say Microsoft will prevent companies from implementing a password expiration policy. Windows customers can still do so, pointless and irritating though that may be. But by removing password expiration from the Windows baseline, compliance audits will no longer flag deviations from the expected baseline.
"Periodic password expiration is an ancient and obsolete mitigation of very low value, and we don’t believe it’s worthwhile for our baseline to enforce any specific value," said Margosis.
"By removing it from our baseline rather than recommending a particular value or no expiration, organizations can choose whatever best suits their perceived needs without contradicting our guidance." ®