Microsoft looks set to eliminate periodic password expiration from Windows' security baseline, sticking another nail in the much maligned policy's coffin.
It’s the week before you’re off on holiday and work is winding down. Then you get a prompt: your password has expired, please choose a new one.
It’s hard to be creative in a pinch so you base the ‘new’ one on the old one, making a small, predictable alteration. And you know you’ll forget it, so you write the password down. Or perhaps you add the new password to an existing list of other passwords you have to remember. The inconvenience is fine though, because resetting our passwords keeps us safe doesn’t it?
Well, not according to Microsoft. The software giant has effectively dismissed the password reset rule as fake news. In a new draft piece of security guidance, Microsoft has changed its baseline rules for the next version of Windows 10 (the imminent May 2019 update). Under the proposed update, Microsoft will no longer recommend “password-expiration policies that require periodic password changes”.
Commenting on the proposed changes, Aaron Margosis, a cybersecurity consultant for Microsoft, labelled periodic password expiration as “an ancient and obsolete mitigation of very low value”.
“Periodic password expiration is a defence only against the probability that a password (or hash) will be stolen during its validity interval and will be used by an unauthorised entity,” Margosis wrote.
“If a password is never stolen, there’s no need to expire it. And if you have evidence that a password has been stolen, you would presumably act immediately rather than wait for expiration to fix the problem.”
If anything, Microsoft is actually late to the party. The government has advised against periodic password resets since 2015. Password resets ignore the “usability costs” and inconvenience of resetting passwords.
Many password policies these days force us to create strong passwords with special characters in them. That makes them hard to remember and we end up with a laundry list of inscrutable passwords for every facet of our online lives.
This leads to weaknesses according to Stewart Twynham, an information security expert and AccountingWEB UK contributor. “Asking people to change their passwords on a regular basis makes it much harder for people to commit their passwords to memory,” Twynham said.
“As a result, people tend to write those passwords down and/or create passwords that are shorter and easier to remember - also making them easier to guess in a brute-force attack.”
Password resets also lead people to create a "sequence" of passwords, Twynham said. ”Peanuts22 becomes Peanuts23 three months later, and so on. If a previous password becomes compromised, it's easy to work out the next passwords in the chain - and even predict the future ones - thereby defeating the whole point of expiry in the first place.”
To be clear, this is just a proposed change, but it certainly seems like it will come into effect given that Microsoft has now clearly stated its position on the matter.
Any change won’t mean that Microsoft will prevent businesses from implementing a password expiration policy. Windows users can still run the policy if they wish, but it will no longer form part of the Windows security baseline. It's more for the convenience of organisations that don't want to have password resets. The baseline is often used in compliance audits and the removal means businesses won’t get pulled up for not having a password reset policy.
“By removing it from our baseline rather than recommending a particular value or no expiration,” Margosis wrote, “organisations can choose whatever best suits their perceived needs without contradicting our guidance.”
It seems like the end is finally nigh for the password reset. The unpopular policy was actually conjured up by just one guy: a fellow called Bill Burr, a former manager at the National Institute of Standards and Technology (NIST).
In 2003, Burr wrote one of the most influential documents you’ve never heard of: “NIST Special Publication 800-63. Appendix A.” The slim volume advised that passwords should include obscure characters, capital letters, numbers and, yes, that they should be changed regularly.
Speaking to the Wall Street Journal in 2017, Burr walked back his own advice. “Much of what I did I now regret,” Burr told The WSJ. “In the end, [the list of guidelines] was probably too complicated for a lot of folks to understand very well, and the truth is, it was barking up the wrong tree.”
Reflecting on Microsoft’s change of heart, Twynham offers three takeaways for businesses:
-
“Don't enforce periodic password changes. Passwords should only be changed if there is suspicion of compromise or a potential for compromise eg following changes to staff.”
-
“Implement a password manager to give staff a single, easy way to manage their passwords at work.”
-
“Use two-factor authentication for all services where possible - this should be mandatory for all administration controls, financial and other critical systems.”
