Users who hate having to change their Windows passwords every 60 days can rejoice: Microsoft now agrees that there is no point to forced password changes and will be removing that recommendation from its security recommendations.
Microsoft dropped the password-expiration policy in the latest draft version of the security configuration baseline settings for Windows 10 (v1903) and Windows Server (v1903), calling the practice “an ancient and obsolete mitigation of very low value.” According to the draft document, Microsoft will no longer recommend that accounts controlled by the network’s group policy have a policy to require users to change their passwords periodically. Microsoft is finally telling Windows administrators there are better ways to protect systems and networks than forcing users to pick new passwords every few weeks or months.
“We are talking here only about removing password-expiration policies–we are not proposing changing requirements for minimum password length, history, or complexity," wrote Aaron Margosis, a principal consultant with Microsoft Public Sector Services.
Microsoft had the baseline to prompt users to change their passwords every 60 days—down from the original 90 days—and Margosis wondered whether that time interval made sense. Password expiration policies protect enterprises only in situations when passwords or password hashes are stolen and can be used to gain unauthorized access into the network, Margosis said. That means the interval was too long, since if the password/hash was stolen, the administrator would want the user to change it immediately and not wait for the password to expire. Making the interval shorter to force password changes more frequently would introduce more problems, since users tend to make “small and predictable alteration to their existing password,” making them guessable. And if it wasn’t stolen, then it doesn’t need to be changed to be changed at all.
“Further, if your users are the kind who are willing to answer surveys in the parking lot that exchange a candy bar for their passwords, no password expiration policy will help you,” Margosis said.
Microsoft's policy change is in line with NIST, which removed references to periodic password changes in its password guidance back in 2017. An attacker who already knows the user’s password is likely to be able to guess the user’s next password, former Federal Trade Commission chief technologist Lorrie Cranor wrote in 2016.
The document provides security templates that organizations can use to limit certain featues and services to protect Windows systems and networks from attacks. The baselines provide administrators with a solid security foundation, but they should not be considered to be “a complete security strategy” Margosis said. Administrators still need to consider other layers of protection to make sure their networks are protected.
Need Additional Protections
The document provides security templates that organizations can use to limit certain featues and services to protect Windows systems and networks from attacks. The baselines provide administrators with a solid security foundation, but they should not be considered to be “a complete security strategy” Margosis said. Administrators still need to consider other layers of protection to make sure their networks are protected.
Instead of regularly changing passwords, Microsoft’s draft “strongly recommends” using strong, long, and unique passwords and “additional protections” such as detecting password-guessing attacks and anomalous log on attempts. Microsoft will also encourage multi-factor authentication and enforcement of banned password lists—Microsoft Entra ID’s Password Protection recently reached "general availability" status and is available—but these recommendations will not be included in the baseline.
"While we recommend these alternatives, they cannot be expressed or enforced with our recommended security configuration baselines, which are built on Windows’ built-in Group Policy settings and cannot include customer-specific values," Margosis said.
Right now, it’s only the baseline that is being changed. Administrators can continue to enforce periodic changes if that matches their security requirements. Organizations can still “choose whatever best suits their perceived needs without contradicting our guidance,” Margosis said.
Password spraying, where attackers try passwords to see if any of the users have the same password, is an effective technique. Checking user passwords against a list with commonly used words and already-compromised passwords and blocking them from using those passwords would improve account security tremendously. Microsoft already maintains a global banned password with over a million variations of the most frequently used passwords for all Azure customers. Organizations can customize the global list with Microsoft Entra ID's Password Protection feature. Enterprises with on-premises Windows Server Active Directory can get the password protection feature by installing the appropriate agents.
One point about Password Protection: it is currently a paid feature for Microsoft Entra ID and available only with the Azure AD Premium 1 license. Azure customers without the premium license still have access to the global list but administrators managing on-premises infrastructure don't get any of the benefits.
Password Protection should cover all tiers, and free, wrote Twitter user SwifttOnSecurity. Att the moment, administrators managing on-premises infrastructure don't get any of the benefits of Microsoft's banned password lists.
"The password shouldn’t matter, but it does. It does matter. And it matters to many organizations, especially the most impoverished. They need an easy win, and Microsoft should provide it," SwiftOnSecurity said.