Microsoft: mandatory password change process is “ancient and obsolete”

Tech giant Microsoft has come out to say that, as we might all have suspected, mandatory password changes in the workplace could be doing more harm than good.

The post, which slipped under the radar until Arts Technica picked it up, said that it would be ditching its recommendation for passwords to be changed regularly as part of its baseline security settings.

It’s an about-turn for the company which has previously spent decades suggesting people mix it up on the password front fairly regularly. Perhaps aware that their suggestions have led to a lot of instances of “password17” and “Summer2019” credentials, Microsoft employee Aaron Margosis says in the post that the suggestion to change your passwords is an “ancient and obsolete mitigation of very low value.”

Related: Best VPN

Which fits, all things considered. The common thought process around passwords now is less about making them easy for you to remember, and more about creating a long string of random characters, unique to each place. This is more secure, generally, and harder for malicious actors to crack. If you have to change it every three months, the thinking is that users will opt for something easier to remember, seeing as it is subject to change.

Microsoft isn’t the first person to warn against this, but they’re one of the biggest tech companies to plant a flag on the “mandated password changes are bad” hill.

Related: Best Desktop PC

This all goes out of the window if there’s actually a security breach: in that case, everyone involved should change their password. However, when it comes to issuing a new password because of the passing of time… you can skip that. It’s okay, Microsoft says so.

You can read Microsoft’s thoughts on the matter, penned by Margosis, including some best practices on good passwords.