Microsoft admits that password expiration dates are pointless

Microsoft has finally admitted what we’ve always suspected for a long time: password expiration policies are both annoying and ineffective as a means of security.

You’ve probably had them before at some point: companies that insist you change your password every few weeks or months, theoretically to make security tighter. As former Federal Trade Commission chief technologist Lorrie Cranor wrote in 2016, this sometimes weakens security, because forcing users to change their passwords often only results in cosmetic switches: “Once an attacker knows a password, they are often able to guess the user’s next password fairly easily.”

Now Microsoft agrees. In a post revealing draft security baseline settings for Windows 10 version 1903, the company wrote that it was considering disabling this kind of behaviour by as the default in future.

When humans pick their own passwords, too often they are easy to guess or predict,” writes Microsoft’s Aaron Margosis. “When humans are assigned or forced to create passwords that are hard to remember, too often they’ll write them down where others can see them. When humans are forced to change their passwords, too often they’ll make a small and predictable alteration to their existing passwords, and/or forget their new passwords.”

Related: Best free antivirus software

Instead, Microsoft writes that banned password lists and multi-factor authentications are considerably better – although these are things Microsoft acknowledges it can’t include in the baseline.

Still, it makes the case against password-expiration policies pretty effectively:  “If a password is never stolen, there’s no need to expire it. And if you have evidence that a password has been stolen, you would presumably act immediately rather than wait for expiration to fix the problem.

If it’s a given that a password is likely to be stolen, how many days is an acceptable length of time to continue to allow the thief to use that stolen password? The Windows default is 42 days. Doesn’t that seem like a ridiculously long time? Well, it is, and yet our current baseline says 60 days – and used to say 90 days – because forcing frequent expiration introduces its own problems. And if it’s not a given that passwords will be stolen, you acquire those problems for no benefit.

“Further, if your users are the kind who are willing to answer surveys in the parking lot that exchange a candy bar for their passwords, no password expiration policy will help you.”

So the plan is to drop it from the security baseline, but Microsoft is looking for feedback. So, what do you think?

Are password-expiration policies a help or a hindrance for security? Let us know what you think on Twitter: @TrustedReviews.

Why we’re different

Unlike other sites, we thoroughly review everything we recommend. We use industry standard tests to evaluate products in order to assess them properly. We’ll always tell you what we find. Tell us what you think - send your emails to the Editor.