How many times have you logged into your Microsoft Exchange or Microsoft Office 365 account only to be met with a warning that your password is about to expire and a prompt to change it? As it turns out, Microsoft now describes these policies as “an ancient and obsolete mitigation of very low value”. In the official post announcing the draft security baseline for Windows 10 v1903 and Windows Server v1903, the company states its position plainly: forced password expiry does little to protect an account.
Periodic expiry defends against only one thing: a password (or its hash) that has already been stolen and is used by an attacker within the remaining validity window. If the password for your account has not been stolen or compromised, it does not need to be changed. If it has been, it needs to be changed immediately, not on whatever day the expiry timer happens to run out, and by then the attacker has typically had weeks to use it.
Then there is the human factor. “When humans are assigned or forced to create passwords that are hard to remember, too often they’ll write them down where others can see them. When humans are forced to change their passwords, too often they’ll make a small and predictable alteration to their existing passwords, and/or forget their new passwords. When passwords or their corresponding hashes are stolen, it can be difficult at best to detect or restrict their unauthorized use,” says Microsoft.
Microsoft’s draft baseline for Windows 10 v1903 and Windows Server v1903 therefore removes the password-expiration setting (Maximum password age) rather than recommending a particular value, leaving organizations free to keep or drop expiry without contradicting the guidance. The rest of the password guidance stays in place: strong passwords remain a requirement, and Microsoft points to banned-password lists and multi-factor authentication as the controls that actually reduce the risk expiry was meant to address.
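Before deciding whether to follow the baseline change, an administrator needs to know what a machine currently enforces. The script below is an added example, not code from the article or from Microsoft’s baseline post: it exports the local security policy with secedit, parses the password settings out of the [System Access] section, and reports whether periodic expiry is still on. It assumes an elevated PowerShell session on Windows (secedit needs administrator rights); on a domain-joined machine the exported values reflect the domain policy applied to that computer. The function names are this example’s own.

```powershell
# Added example; not the article's or Microsoft's own code.
# Reports the effective local password policy and whether periodic expiry is
# still enforced, so a machine can be compared against the v1903 baseline.
# Assumes: elevated Windows PowerShell / PowerShell 7 session on Windows.

function Get-LocalPasswordPolicy {
    $inf = Join-Path $env:TEMP 'secpol-export.inf'
    # secedit merges into an existing file, so start from a clean one.
    Remove-Item -Path $inf -ErrorAction SilentlyContinue

    # Export only the account-policy area. The [System Access] section carries
    # the password settings; MaximumPasswordAge = -1 means "never expires".
    secedit /export /cfg $inf /areas SECURITYPOLICY | Out-Null

    $wanted = 'MinimumPasswordAge', 'MaximumPasswordAge', 'MinimumPasswordLength',
              'PasswordComplexity', 'PasswordHistorySize'
    $settings = [ordered]@{}
    foreach ($line in Get-Content -Path $inf) {
        # Lines look like:  MaximumPasswordAge = 42
        if ($line -match '^\s*([A-Za-z]+)\s*=\s*(-?\d+)\s*$' -and $wanted -contains $matches[1]) {
            $settings[$matches[1]] = [int]$matches[2]
        }
    }
    Remove-Item -Path $inf -ErrorAction SilentlyContinue
    return $settings
}

function Test-PasswordExpiryPolicy {
    param([System.Collections.IDictionary]$Policy)
    $age = $Policy['MaximumPasswordAge']
    if ($null -eq $age) {
        return 'MaximumPasswordAge missing from the export; was the session elevated?'
    }
    if ($age -eq -1) {
        return 'Periodic expiry is not enforced (passwords never expire), as in the v1903 draft baseline.'
    }
    return "Periodic expiry still enforced: passwords expire after $age days."
}

$policy = Get-LocalPasswordPolicy
Test-PasswordExpiryPolicy -Policy $policy

# Dropping expiry only makes sense while the other password controls stay in
# place, so show them alongside: minimum length, complexity and history remain
# in the baseline even though Maximum password age was removed from it.
$policy.GetEnumerator() | ForEach-Object { '{0,-22} {1}' -f $_.Key, $_.Value }
```

On a domain, the authoritative values come from Active Directory rather than the local export: Get-ADDefaultDomainPasswordPolicy (ActiveDirectory module) shows the domain defaults, and Get-ADUserResultantPasswordPolicy shows what a given user actually gets once fine-grained password policies are applied. On a stand-alone machine, net accounts /maxpwage:unlimited is the one-line way to switch expiry off if you decide to follow the baseline.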