Microsoft Drops 60-Day Password Expiration Policy

Microsoft is dropping its 60-day password expiration policy starting with the Windows 10 May 2019 Update. “Once removed, the preset password expiration settings should be replaced by organizations with more modern and better password-security practices such as multi-factor authentication, detection of password-guessing attacks, detection of anomalous logon attempts, and the enforcement of banned passwords lists (such as Azure AD’s password protection currently available in public preview),” reports Bleeping Computer. From the report: Microsoft’s Aaron Margosis states that the password expiration mechanism which requires periodic password changes is in itself a flawed defense method given that, once a password is stolen, mitigation measures should be taken immediately instead of waiting for it to expire as per the set expiration policy. In addition, the soon-to-be-removed policies are “a defense only against the probability that a password (or hash) will be stolen during its validity interval and will be used by an unauthorized entity.”

The removal of the password-expiration policies without the addition of other password-oriented security configurations does not directly translate into a decrease in security but, instead, it simply stands as proof that security-conscious organizations need to implement extra measures to enforce their users’ security. As Microsoft further detailed, “to try to avoid inevitable misunderstandings, we are talking here only about removing password-expiration policies — we are not proposing changing requirements for minimum password length, history, or complexity.”