Since forever, MS has shipped security and privacy policies for passwords that include password expiration. I remember this stuff from the NT 4 days, circa 1994, when I was writing training materials about admin topics for the MCSE exams. You can read about this ancient and soon-to-be-defunct stuff at MS Docs: Set the password expiration policy for your organization. In a draft security baseline document published April 24, 2019, MS reports that 1903 drops password expiration policies. Why so? This Tip block from the MS Docs page linked above offers a pretty good explanation:
Good advice from MS is a long time coming.
Why This? Why Now?
MS tackles the change in policy in detail in the 1903 security baseline document, which is well worth reading through. Simply put, forcing frequent password changes on users often makes them pick weaker passwords than they otherwise would. Myself, I’ve switched over to a password manager that includes a strong password generator, and I let it worry about the details (and the remembering part). The MS conclusion in this document is quite telling: “Periodic password expiration is an ancient and obsolete mitigation of very low value, and we don’t believe it’s worthwhile for our baseline to enforce any specific value.” Apparently, MS telemetry on policy compliance shows that few organizations enforce expiration anyway.
In fact, Kari and I are both big fans of two-factor authentication (2FA), using our always-around cellphones to receive near-instantaneous text messages with one-time codes that strengthen account/password logins wherever possible. Given the ubiquity of smartphones, and the speed and ease of using 2FA systems, it’s simply silly not to make this part and parcel of modern, effective security regimes. Nevertheless, I was interested and a little bit saddened to see this ancient bit of Windows history fall by the wayside. So long, password expiration policies! I don’t think you’ll be missed.
Author: Ed Tittel
Ed Tittel is a 30-plus-year computer industry veteran. He’s a Princeton and multiple University of Texas graduate who’s worked in IT since 1981 when he started his first programming job. Over the past three decades he’s also worked as a manager, technical evangelist, consultant, trainer, and an expert witness. See his professional bio for all the details.