Microsoft will no longer ask you to periodically change your Windows 10 password

Microsoft appears to have finally removed its 60-day password expiration policy from its Windows 10 security baseline, finally acknowledging the fact that people are just generally bad at creating, remembering and storing passwords. In a Security Guidance blog post that was published on 23 May, but missed everyone’s radar, Microsoft stated there are better ways to keep users secure. Microsoft principal consultant Aaron Margosis wrote, “Periodic password expiration is an ancient and obsolete mitigation of very low value, and we don’t believe it’s worthwhile for our baseline to enforce any specific value.” [caption id=“attachment_6756981” align=“alignnone” width=“1280”] Microsoft is dropping password expiration policies from its Windows 10 Security Baseline.[/caption] What this essentially means is that organisations using Windows 10 won’t have to force users to change their passwords frequently. Microsoft no longer believes that forcing users to update their password is an effective substitute for actual account protection. But why? Well, “If a password is never stolen, there’s no need to expire it. And if you have evidence that a password has been stolen, you would presumably act immediately rather than wait for expiration to fix the problem,” says Margosis. The point that Microsoft is trying to make here is that by constantly asking users to update their passwords, organisations are creating a less secure environment, as they are much more likely to choose an easy-to-remember password, write it down, or just forget it. All of this is done on the assumption of a threat which may not exist at all. Microsoft thinks that more effort should be put into other types of prevention. One such method, that it’s recommending to its business users, is that company IT departments feed any known compromised passwords into their system and remove the problematic ones this way. Any users that haven’t had their passwords stolen remain unaffected.