Microsoft to remove password expiration policy in Windows 10 1903

Infosec_Sam Admin Posts: 527
So Microsoft will be removing the password expiration policy in the 1903 May update, opting instead to simply urge users to use "more modern and better password-security practices such as multi-factor authentication, detection of password-guessing attacks, detection of anomalous log on attempts, and the enforcement of banned passwords lists." 


What do you think? Is this maybe unnecessary, or is a change like this needed to force the industry in the right direction? I'm on the fence about it, but I think it's ultimately the right move. Like they say in the article, password expiration is becoming more and more obsolete, and just causes people to use similar passwords in order to remember them.

Community Manager at Infosec!
Who we are | What we do


    Swift6 Member Posts: 268
    There are pros and cons to this.
    On one hand, some people use the same password for all their logins. Higher risk of compromise.
    On the other hand, with too complex password requirements and short expiry, people end up writing them down in easy-to-find places.

    It can also be argued that some admins choose to disable password expiration altogether. Makes no difference in these cases.
    cyberguypr Mod Posts: 6,928
    I like it, especially since it is in line with the new NIST guidance. Of course, this could be problematic if the mitigating aspects are ignored:
    - MFA
    - Checks against and blacklisting known "bad" passwords (too easy + exposed in previous breaches)
    - Some sort of password strength meter (although it could be subjective depending on implementation)
    - Rate limiting (captchas, et al.)
    - Allowing paste from password managers
    - Forcing pwd change if there's high confidence of compromise 
    - etc.

    In reality, we'll be back at square zero where mature companies will do the right thing and many others will not care. I just saw the example the other day of a bank prohibiting copy/paste of pwd in their web apps because "it's the most secure thing to do". 
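As an added illustration (not code from this thread, Microsoft, or NIST) of what the mitigating controls listed above look like on a login path, here is a small Python model that replaces periodic expiration with a banned-password check, a sliding-window rate limit on failed guesses, and a forced change only when an account is flagged as compromised. The banned list, thresholds and the `LoginGuard` class are all assumptions chosen for the example.

```python
import hashlib, hmac, os, time
from collections import defaultdict, deque

# Constructed banned list: trivially guessable entries and passwords seen in breach dumps.
BANNED_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}
MIN_LENGTH = 8        # length instead of composition rules (assumed threshold)
MAX_FAILURES = 5      # failed guesses allowed per account per window (assumed)
WINDOW_SECONDS = 300  # sliding window for the rate limit (assumed)

def password_acceptable(candidate):
    """Accept on length and banned-list membership only; no expiry, no complexity rules."""
    if len(candidate) < MIN_LENGTH:
        return False, "too short"
    if candidate.lower() in BANNED_PASSWORDS:
        return False, "on banned list"
    return True, "ok"

def hash_password(password, salt=None):
    """Salted PBKDF2 for the constructed credential store (user -> (salt, hash))."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class LoginGuard:
    """Rate limits guesses and forces a change only when compromise is suspected."""
    def __init__(self, store, now=time.monotonic):
        self.store = store              # user -> (salt, hash)
        self.now = now                  # injectable clock so tests can advance time
        self.failures = defaultdict(deque)
        self.compromised = set()        # flagged by breach data or anomaly detection

    def _recent_failures(self, user):
        q = self.failures[user]
        cutoff = self.now() - WINDOW_SECONDS
        while q and q[0] < cutoff:      # drop failures older than the window
            q.popleft()
        return q

    def attempt(self, user, password):
        q = self._recent_failures(user)
        if len(q) >= MAX_FAILURES:
            return "rate_limited"       # guessing attack: do not even check the credential
        salt, expected = self.store.get(user, (b"\0" * 16, b""))  # unknown user: never matches
        _, got = hash_password(password, salt)
        if not hmac.compare_digest(got, expected):
            q.append(self.now())
            return "denied"
        if user in self.compromised:
            return "must_change_password"
        return "ok"
```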
    Jon_Cisco Member Posts: 1,772
    I seriously hate when companies don't allow me to copy from my password manager. It forces me to add easy to remember and type passwords in place of the long complicated nonsense that I was attempting to use!
    Infosec_Sam Admin Posts: 527
    Oh, I love me some copy/pasting from password managers. To get around the paste prevention, I guess KeePass has a feature that simulates keystrokes instead of pasting, so that should work until companies find a new "most secure thing to do!"
    LonerVamp Member Posts: 518
    MS states this will help reduce confusion, and I think it's the opposite.

    For those pointing to NIST documentation a few years ago about Digital Identity, nothing in that document suggests they are talking about AD/LDAP types of solutions for enterprises. The language is entirely slanted towards identity as it relates to digital transactions on the Internet through not-internal services.

    I get what MS wants to do, but they assume way too much about the state of enterprise security, and they even say as much in their update. I don't know of many companies that should be satisfied in their ability to know when an account is compromised or that an account's compromise is imminent. What they describe should be the controls you can put into place to not care about this setting nearly as much, but the default should still be to set it and check against it. It's all about reducing the amount of time an unknown account has been compromised. I see nothing about password expiration being obsolete other than users hate the inconvenience.

    When this deals with only personal data, such as your account into Spotify, that's fine. But impact extends beyond just personal impact when those accounts are enterprise accounts with enterprise types of access to data beyond just theirs. It becomes company risk and even customer/constituent risk depending on the target. MFA is probably the biggest help in this topic, but then we're asking users to input/possess tokens on their person/smartphone...

    I also think people writing down passwords happened 10 years ago. Some people still do, but I think most probably just change the last 1 or 2 characters each time. As someone who does desk searches for compliance, I don't see this nearly as much as in the past. I think it's possibly more common for Desktop Support to ask for passwords to do work on systems over lunch periods, which is a form of account compromise (and usually against policy as well). That also should have been eliminated 10 years ago with modern help desk tools, but not everyone is bigger than an SMB...

    Just goes back to the never-ending spectrum of convenience vs security.

    Security Engineer/Analyst/Geek, Red & Blue Teams
    OSCP, GCFA, GWAPT, CISSP, OSWP, AWS SA-A, AWS Security, Sec+, Linux+, CCNA Cyber Ops, CCSK
    2021 goals: maybe AWAE or SLAE, bunch o' courses and red team labs?
    jeremy_dfir Member Posts: 23
    Microsoft's mobile authenticator is included in their bug bounty program, which is something....