A few months ago, my Win10.guru partner Ed wrote about Windows 10 version 1903 dropping password expiration policies:

MS tackles the change in policy in detail in the 1903 security baseline document, which is well worth reading through. Simply put, forcing frequent password changes on users often makes them pick weaker passwords than they otherwise might. The MS conclusion in this document is quite telling: “Periodic password expiration is an ancient and obsolete mitigation of very low value, and we don’t believe it’s worthwhile for our baseline to enforce any specific value.” MS telemetry on policy compliance shows that few organizations do this anyway, apparently.

This morning, I got a reminder that local account passwords still do expire, see the featured image on top of this page. While hoping that Microsoft will soon change — or eliminate — this local account password expiration policy as well, I just set it never to expire in Local Users and Groups Manager (lusrmgr.msc):

By default, local account passwords expire in 42 days. An administrator can change the value for Maximum password age in the Local Security Policy Manager (secpol.msc):
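The same two settings can be checked and changed from an elevated PowerShell prompt. This is an added example, not part of the original post; `ExampleUser` is a hypothetical account name and `Get-LocalPasswordExpiry` is a helper defined here for illustration.

```powershell
# Added example. Run in an elevated Windows PowerShell session.
# 'ExampleUser' is a hypothetical local account name.

# 1. Audit: list enabled local accounts and when their passwords expire.
function Get-LocalPasswordExpiry {
    Get-LocalUser | Where-Object Enabled | ForEach-Object {
        # PasswordExpires is empty when the password never expires
        # (or when the account has no password set).
        $daysLeft = if ($_.PasswordExpires) {
            [math]::Floor(($_.PasswordExpires - (Get-Date)).TotalDays)
        } else { $null }

        [pscustomobject]@{
            Name            = $_.Name
            PasswordLastSet = $_.PasswordLastSet
            PasswordExpires = $_.PasswordExpires
            DaysLeft        = $daysLeft
        }
    }
}

Get-LocalPasswordExpiry | Sort-Object DaysLeft | Format-Table -AutoSize

# 2. Per account: equivalent to ticking "Password never expires"
#    in lusrmgr.msc. This changes the account.
Set-LocalUser -Name 'ExampleUser' -PasswordNeverExpires $true

# 3. Machine-wide: show the current "Maximum password age" (42 days by
#    default), then remove the limit for all local accounts.
net accounts
net accounts /maxpwage:unlimited
```

Step 2 affects a single account, while step 3 changes the policy that secpol.msc exposes for every local account on the machine.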

But, if passwords never expire, how can you be sure you are safe? The answer is two-factor authentication (2FA) together with a strong password. In that post I mentioned earlier, Ed wrote about his policy:

I’ve switched over to a password manager that includes a strong password generator, and I let it worry about the details (and the remembering part). In fact, Kari and I are both big fans of two-factor authentication (2FA) using our always-around cellphones to get near-instantaneous text messages with ID strings to strengthen account/password logins whenever possible.

I guess some of you geeks think I am crazy or stupid, probably both, but risking that, I’ll tell you about my password system. First, as Ed mentioned, I couldn’t even think to use any online accounts without 2FA, if the service has it available. Not using 2FA with, for instance, email accounts is, in my opinion, extremely careless and stupid.

I use addresses as passwords, usually places like hotels or landmarks I have visited, but also home addresses for people important to me. This sounds complicated, but I can assure you it is extremely easy. I have used this “password protection” system for years, without any issues.

An example. Let’s say I need an additional Outlook.com account, and a good password for it. There’s a pub in London I have reasons to remember, at 44 Elizabeth Street, post / zip code SW1W 9PA.

My passwords always start with the post / zip code, followed by the house / building number and street name. In addition, as this example is about a new Outlook.com account, I need to remember it has a 16-character limit for passwords.

I would now set the new email account’s password as SW1W9PA44Elizabe, the first 16 characters of the address written in my way (zip, house #, street). I have an encrypted, password-protected password list (Excel workbook) stored in OneDrive, which is protected with 2FA. I would now add this account as Outlook 5 – London to that list (I have 4 Outlook.com email addresses already). Part of that list would look like this:

– Outlook 1 Isle of Skye 16
– Outlook 2 Oslo 16
– Outlook 3 Utsjoki 16
– Outlook 4 Carrara 16
– Outlook 5 London 16
– Gmail 1 Charleston FULL

The number after the city in the list reminds me of password length. As Gmail allows really long passwords, FULL in cities assigned to Gmail accounts means the password is the full address; for Outlook, the password in this example would be SW1W9PA44Elizabe, the same address used as Gmail password would be SW1W9PA44ElizabethStreet.

Note that the cities in the above list are naturally not the real ones I use!

OK, I now have a strong, long password with upper and lower case letters and digits. Together with 2FA, access to my accounts is as secured as possible.

I have no issues in remembering the people, places or landmarks I associate with each city, they are all important to me. I only use one city for one password, so even if I forgot the password to this sample Outlook 5 account, I would check my encrypted list, see the password hint is London. Remembering the place in London I used for password, I could now use Bing to find their address and be able to sign in.

Worst case scenario: someone gets access to my password list. I really think I would be safe, even then. First, the intruder would need to know the full email address of, for instance, the “Outlook 4” account in the list. Second, the intruder must guess which address in Carrara I have used for the password. For me easy, for an intruder almost impossible.

I feel safe, I have no reason to let my passwords expire. Given your own “unforgettable” scheme for devising and remembering passwords, you could do likewise.


Author: Kari Finn

A former Windows Insider MVP, Kari started in computing in the mid 80’s writing code for VAX / VMS systems. Since then, he’s worked in a variety of IT positions. He specializes in Windows image capture, customization, repair and deployment as well as Hyper-V virtualization. Kari is a proud Team Member at number #1 Windows site TenForums.com.

