Password security is problematic and has been for a long time. When humans pick their own passwords, too often they are easy to guess or predict. When humans are assigned or forced to create passwords that are hard to remember, too often they’ll write them down where others can see them. When humans are forced to change their passwords, too often they’ll make a small and predictable alteration to their existing passwords, and/or forget their new passwords. When passwords or their corresponding hashes are stolen, it can be difficult at best to detect or restrict their unauthorised use.
So says Microsoft in a recent blog post, part of a larger release of draft security configuration baseline settings for Windows 10 version 1903.
The IT firm stressed that it was talking about removing password-expiration policies – not proposing changing requirements for minimum password length, history, or complexity. The company does strongly recommend additional protections.
“Our baselines are intended to be usable with minimal if any modification by most well-managed, security-conscious enterprises. They are also intended to serve as guidance for auditors. So, what should the recommended expiration period be? If an organisation has successfully implemented banned-password lists, multi-factor authentication, detection of password-guessing attacks, and detection of anomalous logon attempts, do they need any periodic password expiration? And if they haven’t implemented modern mitigations, how much protection will they really gain from password expiration?”
Comment
Rachael Stockton, Senior Director Product Marketing, LastPass by LogMeIn, said the cyber security product firm had long advised against too frequent password changes, so was pleased to see Microsoft’s new proposal to eliminate its password expiration policy.
“Security doesn’t have to create more hurdles for employees. For years, security professionals have recommended changing passwords every 30, 60 or 90 days and in offices worldwide, IT policies require employees to change their passwords on a regular basis. If you’re like most people and have nearly 200 accounts to keep track of, changing them every month or quarter just isn’t realistic.
“Such strict corporate policies also tend to lead to employees reusing passwords or making them as memorable as possible, leaving them more vulnerable to a hack. That doesn’t mean people should never change their passwords. Especially if multi-factor authentication is not enabled, people should aim to update passwords at least once a year as a precautionary measure to prevent unauthorised access, and of course if their credentials were involved in a 3rd party breach.
“The most secure passwords are long and randomly generated, which can still be difficult to create and remember. Using a password manager kills two birds with one stone, as they can be used to both generate and store passwords in a secure vault, where they’re organised and encrypted for safekeeping. LastPass even offers an automatic password change feature to save time and effort when it’s necessary to do so.”
