tech2 News Staff, Jun 04, 2019 21:46:43 IST
Microsoft has removed the 60-day password expiration requirement from its Windows 10 security baseline (the final baseline for Windows 10 version 1903 and Windows Server version 1903), acknowledging that people are generally bad at creating, remembering and storing passwords.
In a Security Guidance blog post published on 23 May that went largely unnoticed, Microsoft stated that there are better ways to keep users secure.
Microsoft principal consultant Aaron Margosis wrote, "Periodic password expiration is an ancient and obsolete mitigation of very low value, and we don’t believe it’s worthwhile for our baseline to enforce any specific value."
In practice this means the baseline no longer prescribes a maximum password age, so organisations that follow it are not pushed into forcing frequent password changes. It is a change to Microsoft's recommended configuration, not to Windows itself: the operating system still ships with its own maximum password age (42 days by default), and an organisation that wants to keep expiration can still configure it.
Microsoft no longer believes that forcing users to update their password is an effective substitute for actual account protection.
As Margosis puts it: "If a password is never stolen, there’s no need to expire it. And if you have evidence that a password has been stolen, you would presumably act immediately rather than wait for expiration to fix the problem."
Microsoft's point is that constantly forcing users to change passwords makes an environment less secure, not more: users are far more likely to pick an easy-to-remember (and easy-to-guess) password, make a trivial, predictable change to the old one, write it down, or simply forget it. All of this is imposed to counter a compromise that, in most cases, has not happened.
Microsoft argues that the effort is better spent on other controls: banned-password lists, multi-factor authentication, and detection of password-guessing attacks and anomalous logon attempts. For the first of these, the recommendation to business users is that IT departments screen passwords against a list of known-compromised passwords and force a reset only for the accounts that match. Users whose passwords have not been stolen are left unaffected.
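As an added illustration of the compromised-password screening described above (example code written for this page, not Microsoft's or the article's), the Python below models the k-anonymity range lookup that Have I Been Pwned's Pwned Passwords service uses: the client sends only the first five hex characters of the password's SHA-1 and receives every suffix sharing that prefix, so the full hash never leaves the client. The leaked-password corpus, its breach counts and the sample accounts are constructed for the demonstration, and the "server" is an in-memory table so the script runs offline.

```python
"""Screen accounts against a corpus of known-compromised passwords.

Added example, not from the article or from Microsoft. The range lookup
mirrors the Pwned Passwords k-anonymity API: only a 5-hex-char SHA-1
prefix is sent, and the response is a list of "SUFFIX:COUNT" lines.
"""
import hashlib
from typing import Callable, Dict, List, Tuple

# Constructed sample corpus of leaked passwords with made-up breach counts.
# A real service holds hundreds of millions of hashes.
LEAKED_PASSWORDS: Dict[str, int] = {
    "password": 3_730_471,
    "Password1": 2_418_984,
    "letmein": 260_244,
    "Summer2019!": 12,
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the format the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_table(leaked: Dict[str, int]) -> Dict[str, List[Tuple[str, int]]]:
    """Index the corpus by 5-hex-char prefix, as the range endpoint does."""
    table: Dict[str, List[Tuple[str, int]]] = {}
    for pw, count in leaked.items():
        h = sha1_hex(pw)
        table.setdefault(h[:5], []).append((h[5:], count))
    return table


RANGE_TABLE = build_range_table(LEAKED_PASSWORDS)


def range_query(prefix: str) -> str:
    """Stand-in for GET /range/{prefix}: returns 'SUFFIX:COUNT' lines.

    Only the 5-character prefix ever reaches this side, never the full hash,
    so the server learns nothing useful about the password being checked.
    """
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be 5 upper-case hex characters")
    rows = RANGE_TABLE.get(prefix, [])
    return "\r\n".join(f"{suffix}:{count}" for suffix, count in rows)


def pwned_count(password: str, query: Callable[[str], str] = range_query) -> int:
    """Client side of the k-anonymity check.

    Returns how many times the password appears in the corpus; 0 means it is
    not known to be compromised.
    """
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for line in query(prefix).splitlines():
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def screen_accounts(accounts: Dict[str, str],
                    query: Callable[[str], str] = range_query) -> List[str]:
    """Return the usernames whose current password is known-compromised.

    Only these accounts need a forced reset; everyone else is left alone,
    which is the whole point of screening instead of blanket expiration.
    """
    return sorted(user for user, pw in accounts.items() if pwned_count(pw, query) > 0)


if __name__ == "__main__":
    # Constructed accounts for the demonstration (not real users).
    sample = {
        "alice": "correct horse battery staple",
        "bob": "Password1",
        "carol": "Summer2019!",
    }
    for user in screen_accounts(sample):
        print(f"force password reset: {user}")
```

In a real deployment the plaintext is only available at password set or change time (a domain password filter, or Azure AD Password Protection, sits at that point), so this check is normally wired into the change path rather than run over a list of passwords; for existing accounts the same range lookup can be done against stored NT hashes, which the real service also supports.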