Technology
Microsoft realizes password expiration is poor security
Image: Drew Angerer/Getty Images
Follow @https://twitter.com/PCMag
PCMag.com is a leading authority on technology, delivering Labs-based, independent reviews of the latest products and services. Our expert industry analysis and practical solutions help you make better buying decisions and get more from technology.
Thinking of a secure password is hard, so demanding a user change it every 60 days fills many with dread and leads to weaker security. Microsoft has realized this and decided to remove default password expiry as a security baseline feature in Windows 10.
When organizations deploy Windows 10 to tens, hundreds, or even thousands of employees, default security out the box is very important. That’s why Microsoft provides Windows security baselines, which consist of a group of Microsoft-recommended configuration settings that can be relied upon to provide a more secure operating system.
As part of the baseline, Microsoft in the past stipulated a 60-day password expiration policy, which meant every user was forced to change their password every couple of months (unless an organization changed the configuration). As Ars Technica reports, with the release of Windows 10 v1903, password expiration is being dropped from the baseline because it’s actually detrimental to security.
Microsoft explains in its latest draft security baseline for Windows that, “When humans are forced to change their passwords, too often they’ll make a small and predictable alteration to their existing passwords, and/or forget their new passwords … Periodic password expiration is a defense only against the probability that a password (or hash) will be stolen during its validity interval and will be used by an unauthorized entity. If a password is never stolen, there’s no need to expire it.”
Microsoft also points out that if a password is stolen, the thief has up to 60 days to use it based on this expiration policy, which is ample time to gain entry to a system and cause chaos. So on every level, password expiration simply doesn’t work, which is why it’s disappearing.
Passwords still need to meet a minimum length requirement, be complex enough so as not to be easily guessed, not have been used before, and stored securely. It may still be the case that individual organizations enforce their own expiration policy, but it seems likely the demand for a new password every few months will impact far fewer workers going forward, and that’s a good thing for both their sanity and security.
This article originally published at PCMag
here
Zomato’s quick commerce unit Blinkit eclipses core food business in value, says Goldman Sachs
Monsta X’s I.M on making music, gaming, and being called ‘zaddy’
Petlibro’s new smart refrigerated wet food feeder is what your cat deserves
The books on your favorite creators’ TBR shelf
Xaira, an AI drug discovery startup, launches with a massive $1B, says it’s ‘ready’ to start developing drugs
Rabbit R1 hands-on review: Something is iffy about this
UK probes Amazon and Microsoft over AI partnerships with Mistral, Anthropic, and Inflection
‘Shōgun’ co-creators break down the finale: ‘It’s a story about death’
Tesla’s new growth plan is centered around mysterious cheaper models
Tesla’s in trouble. Is Elon Musk the problem?
API startup Noname Security nears $500M deal to sell itself to Akamai
US think tank Heritage Foundation hit by cyberattack
NASA discovered bacteria that wouldn’t die. Now it’s boosting sunscreen.
How to watch ‘Argylle’: When and where is it streaming?
Tesla drops prices, Meta confirms Llama 3 release, and Apple allows emulators in the App Store
Tesla layoffs hit high performers, some departments slashed, sources say
TechCrunch Mobility: Cruise robotaxis return and Ford’s BlueCruise comes under scrutiny
Meta to close Threads in Turkey to comply with injunction prohibiting data-sharing with Instagram
Former top SpaceX exec Tom Ochinero sets up new VC firm, filings reveal
Consumer Financial Protection Bureau fines BloomTech for false claims
Zomato’s quick commerce unit Blinkit eclipses core food business in value, says Goldman Sachs
Monsta X’s I.M on making music, gaming, and being called ‘zaddy’
Petlibro’s new smart refrigerated wet food feeder is what your cat deserves
The books on your favorite creators’ TBR shelf
Xaira, an AI drug discovery startup, launches with a massive $1B, says it’s ‘ready’ to start developing drugs
Rabbit R1 hands-on review: Something is iffy about this
UK probes Amazon and Microsoft over AI partnerships with Mistral, Anthropic, and Inflection
‘Shōgun’ co-creators break down the finale: ‘It’s a story about death’
Tesla’s new growth plan is centered around mysterious cheaper models
Tesla’s in trouble. Is Elon Musk the problem?
-
Business7 days agoLangdock raises $3M with General Catalyst to help businesses avoid vendor lock-in with LLMs
-
Entertainment6 days agoWhat Robert Durst did: Everything to know ahead of ‘The Jinx: Part 2’
-
Entertainment6 days agoThis nova is on the verge of exploding. You could see it any day now.
-
Business6 days agoIndia’s election overshadowed by the rise of online misinformation
-
Business5 days agoThis camera trades pictures for AI poetry
-
Business6 days agoCesiumAstro claims former exec spilled trade secrets to upstart competitor AnySignal
-
Business4 days agoTikTok Shop expands its secondhand luxury fashion offering to the UK
-
Business5 days agoBoston Dynamics unveils a new robot, controversy over MKBHD, and layoffs at Tesla
