Your password is one of the most important tools you have in your digital security toolbox. Without a strong and secret password, our online accounts, memberships, and subscriptions could end up wide open to cyber-criminals and hackers. As more and more of our lives move online this becomes increasingly more important.
A good password should be long, complex, and not include any recognizable data from your life. For a long time, however, there has been another recognized security requirement that we’ve been forced to adhere to when it comes to our passwords; expiration and renewal. At regular intervals, we’re reminded that our current password will expire soon, and we need to choose a new one.
Without too much thinking, it is easy to see why this might seem like the most secure course of action. If you keep mixing it up, your account will stay secure even if your password falls into the wrong hands. When you add expiration and renewal to password length, complexity, and independence from any past passwords, however, it proves to be a regular annoyance to everyday users. Having to come up with a unique password that contains a lot of different characters of all types every six months is more difficult than it sounds. It often leads to the wrong password being entered time and again in the first few weeks following the renewal or, even worse, passwords being written down.
The good news is that this regular pain may soon be about to change thanks to a new security blog post from Microsoft. The better news is that Microsoft deciding to remove expiration and renewal from all its password security protocols won’t compromise your digital security.
Microsoft now believes password expiration and renewal policies are useless
According to the Microsoft blog, recent scientific research has been shedding new light onto password policies and, in particular, expiration and renewal. There is little value in constantly forcing users to change their passwords as, “When humans are forced to change their passwords, too often they’ll make a small and predictable alteration to their existing passwords, and/or forget their new passwords.”
Microsoft goes even further in its dissection of expiration protocols because when you look at the practice in greater detail, it really does begin to fall apart. “If a password is never stolen, there’s no need to expire it. And if you have evidence that a password has been stolen, you would presumably act immediately rather than wait for expiration to fix the problem.” Simply put, why change a password if it hasn’t been breached, and if it has, why would you wait until the expiration period is up to change it, and not just do it immediately?
So, Microsoft has laid out its new ideas on password expiration. The blog post goes further, however, and states that the software giant has removed the practice from its security baseline for Windows 10 v1903 and Windows Server v1903. This means, in practice, the change won’t affect too many people, but it gives network administrators the ability to remove password expiration from their office systems. If you have to update your expired passwords in work, you might already be on your last ever password.