Making passwords expire is an obsolete way of protecting user accounts – and may even be doing more harm than good. Not only do passwords that expire every 30 or 60 days create a headache for users, who have to dream up a new one and remember it, they may not improve security at all.
Now Microsoft has changed its stance, removing the recommendation that passwords should expire after a particular period that was previously part of its security guidelines for Windows 10 and Windows Server. Microsoft announced its intention to dump password expiry when the draft guidance was published, which my colleague Liam Tung wrote about.
As Microsoft explains: “Periodic password expiration is a defense only against the probability that a password (or hash) will be stolen during its validity interval and will be used by an unauthorized entity. If a password is never stolen, there’s no need to expire it. And if you have evidence that a password has been stolen, you would presumably act immediately rather than wait for expiration to fix the problem.” It goes on: “Periodic password expiration is an ancient and obsolete mitigation of very low value.”
Rather than depend on users tweaking passwords (and then writing them on a post-it note), companies should have a broader approach to authentication and security, it says. It also stresses that it is not changing its requirements for minimum password length, history, or complexity. Taking password expiry out of its baseline means that companies can make their own decisions without being penalised by auditors, the company said.
“By removing it from our baseline rather than recommending a particular value or no expiration, organizations can choose whatever best suits their perceived needs without contradicting our guidance. At the same time, we must reiterate that we strongly recommend additional protections even though they cannot be expressed in our baselines,” it said.
Microsoft has been predicting the death of the password for more than a decade, and recently has been ramping up its efforts to make that come true. It has long argued that passwords are inconvenient, insecure and expensive for businesses. It argues that they should be replaced with multi-factor authentication and biometrics (although biometrics have their own issues, too).
Microsoft is hardly alone in making this leap. The UK’s National Cyber Security Centre (NCSC) recently published a set of best practices for passwords – warning that a bad password strategy that puts too much pressure on users can make your business less secure, not more.
“Inevitably, users will devise their own coping mechanisms to cope with ‘password overload’. This includes re-using the same password across different systems, using simple and predictable password creation strategies, or writing passwords down where they can be easily found,” it warns.
NCSC suggests that organisations reduce their reliance on passwords and use single sign-on or biometrics where available (although biometrics in particular come with their own risks). Monitoring password systems for unusual behaviour, using account throttling to defend against brute force attacks, and blacklisting common or guessable passwords are all good practice, it said. Multi-factor authentication for important or vulnerable accounts is good policy too.
But forcing regular password changes harms rather than improves security, it said. Users are likely to choose new passwords that are only minor variations of the old, and in any case a password that is stolen is generally used by hackers immediately, so resetting it up to 90 days later is rather a waste of time.
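As an added illustration (not from the article, Microsoft or the NCSC), the PowerShell below applies the combination described above to an Active Directory default domain password policy: forced expiry is removed, while lockout throttling against brute force, a longer minimum length and password history are kept. The domain name contoso.example and all the numeric values are assumptions, not figures from either guidance.

```powershell
# Added example: reshape the default domain password policy in line with the
# guidance above. Domain name and numbers are assumptions, not values from the page.
Import-Module ActiveDirectory

$Domain = 'contoso.example'   # assumed domain; replace with your own

# Weak, expiry-centred policy: a short MaxPasswordAge and no lockout throttling.
# Kept here for contrast only; it is never applied.
$Weak = @{
    MaxPasswordAge    = (New-TimeSpan -Days 60)
    LockoutThreshold  = 0            # 0 = never lock out, so guessing is unthrottled
    MinPasswordLength = 8
}

# Policy reflecting the new stance: no forced expiry, but throttling against
# brute force, a longer minimum length, and history kept so that a reused
# password is still rejected when a user does change it.
$Recommended = @{
    MaxPasswordAge           = (New-TimeSpan -Days 0)     # 0 = passwords never expire
    LockoutThreshold         = 10                          # account throttling
    LockoutDuration          = (New-TimeSpan -Minutes 15)
    LockoutObservationWindow = (New-TimeSpan -Minutes 15)  # must not exceed LockoutDuration
    MinPasswordLength        = 14
    PasswordHistoryCount     = 24
    ComplexityEnabled        = $true
}

Set-ADDefaultDomainPasswordPolicy -Identity $Domain @Recommended

# Read back what is actually in force; a MaxPasswordAge of 00:00:00 means no expiry.
Get-ADDefaultDomainPasswordPolicy -Identity $Domain |
    Select-Object MaxPasswordAge, LockoutThreshold, LockoutDuration,
                  MinPasswordLength, PasswordHistoryCount, ComplexityEnabled
```

Run from a domain-joined host with the RSAT ActiveDirectory module and domain admin rights; the read-back at the end is the check that the expiry really is gone rather than merely lengthened.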
Despite security experts calling time on password expiration policies, it’s still common across many, if not most, organisations for passwords to expire after a relatively short period of time. Mostly that’s down to organisational inertia – there was a time when changing passwords regularly still seemed like a good idea, and the new approach hasn’t filtered down to the tech security team. There’s also a lot of caution around changing IT policies; nobody wants to be the one to change the status quo and then get blamed when it goes wrong.
But there are lots of companies that rely on an aggressive password expiry policy as pretty much their only defence against accounts being hijacked, whereas in reality security has to go well beyond that. At least for now, passwords still have their place, but making us all come up with new variations every few weeks may soon be a thing of the past.