Although in the past Microsoft advised configuring password-expiration policies as a security measure, in a new draft security baseline for Windows Server and Windows 10 version 1903 the company states that forcing users to change their passwords periodically is an “ancient and obsolete mitigation of very low value.”
This does not mean that Microsoft is dropping password-expiration policies across all of its software and services, but the new security baseline makes it clear that the security landscape has changed over the years and that expiring passwords is no longer a top priority.
In a new post on the Microsoft Security Guidance blog, the company explains that if a password is never compromised, there is no need to expire it and force the user to change it. On the other hand, if a password is compromised, there is no point in waiting until it expires, because you want to change it immediately.
Furthermore, periodically expiring passwords has its drawbacks. For instance, it makes it easier for users to forget their password and pushes them to write it down on the back of the keyboard or on a sticky note.
Microsoft also says: “if your users are the kind who are willing to answer surveys in the parking lot that exchange a candy bar for their passwords, no password expiration policy will help you.”
The new draft baseline also acknowledges that password security is an ongoing problem, but says that banning certain passwords, using multi-factor authentication, and efficiently detecting password-guessing attacks and anomalous login attempts are more effective measures for keeping the network and data secure.
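As an added illustration of the "detecting password-guessing attacks" measure the baseline favours over expiration, the following example (written for this page; it is not Microsoft's or the baseline's own tooling) runs two simple detections over constructed failed-logon records. The log format is a simplified, assumed line layout loosely modelled on Windows Security event 4625 (timestamp, event ID, target account, source address); the accounts, addresses and thresholds are all invented for the example.

```python
"""Flag brute-force and password-spray patterns in failed-logon records.

Added example for this page, not Microsoft's code. The log layout below is an
assumed simplification: "<ISO timestamp> <event id> <account> <source ip>".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Addresses are RFC 5737 documentation ranges and the
# account names are invented; event id 4625 is "an account failed to log on".
SAMPLE_LOG = (
    # benign: one user mistypes twice
    "2019-05-01T08:00:05 4625 alice 198.51.100.4\n"
    "2019-05-01T08:00:41 4625 alice 198.51.100.4\n"
    # brute force: 12 failures against one account within 44 seconds
    + "\n".join(
        f"2019-05-01T09:10:{s:02d} 4625 jdoe 203.0.113.9" for s in range(0, 48, 4)
    )
    + "\n"
    # password spray: one source, one failure each against six accounts
    + "\n".join(
        f"2019-05-01T10:30:{s:02d} 4625 {u} 203.0.113.20"
        for s, u in enumerate(["bob", "carol", "dave", "erin", "frank", "grace"])
    )
)


def parse_log(text):
    """Return (timestamp, account, source) tuples for every 4625 line."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, account, source = line.split()
        if event_id != "4625":  # only failed logons matter here
            continue
        events.append((datetime.fromisoformat(ts), account, source))
    return events


def max_in_window(times, window):
    """Largest number of timestamps that fall inside any sliding window."""
    times = sorted(times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_brute_force(events, window=timedelta(minutes=5), threshold=10):
    """Accounts with at least `threshold` failures inside one `window`."""
    by_account = defaultdict(list)
    for ts, account, _ in events:
        by_account[account].append(ts)
    return {
        account for account, ts in by_account.items()
        if max_in_window(ts, window) >= threshold
    }


def detect_password_spray(events, window=timedelta(minutes=15), min_accounts=5):
    """Sources that fail against at least `min_accounts` distinct accounts
    inside one `window` (few attempts per account, many accounts)."""
    by_source = defaultdict(list)
    for ts, account, source in events:
        by_source[source].append((ts, account))
    flagged = set()
    for source, items in by_source.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            distinct = {account for _, account in items[start:end + 1]}
            if len(distinct) >= min_accounts:
                flagged.add(source)
                break
    return flagged


def summarize(text):
    """Run both detections over a log and return the findings."""
    events = parse_log(text)
    return {
        "brute_force_accounts": detect_brute_force(events),
        "spray_sources": detect_password_spray(events),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Neither detection needs passwords to expire; both work from the failure volume and shape that a guessing attack produces, which is the point the baseline makes. The thresholds are deliberately low for the sample; in practice they would be tuned against the tenant's normal failure rate, and account-lockout or MFA enforcement would be the response.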
Starting with the May 2019 Update for Windows 10 and Windows Server, Microsoft plans to drop password-expiration policies from its baseline, while the policies for complexity, history, length and other requirements for setting up a password will remain.