Dive Brief:
- Microsoft is dropping its password expiration policies for Windows version 1903 and Windows Server version 1903, according to its security configuration baseline settings, first spotted by Ars Technica.
- The policy originally required users to reset passwords every 60 days. The requirements for length, history and complexity of passwords are still in effect.
- Microsoft highlighted studies proving password resets are not as effective as once believed and suggests "enforcing banned-password lists" and multi-factor authentication are better alternatives.
Dive Insight:
Microsoft's password reset policy was a staple for users, though according to Microsoft, an "ancient" one. Having a routine password refresh is "a defense only against the probability that a password will be stolen" during the time it's active, according to the announcement.
If a password isn't stolen, changing it doesn't add to the existing security posture.
Initially, the logic behind frequent password resets seemed obvious: human-created passwords are easy for hackers to guess or predict. But no matter how often passwords are changed, expiration alone is not a complete security strategy for managing user credentials, Microsoft argues.
Passwords aren't going anywhere; there will just be newer standards. Organizations are also leaning toward the passwordless movement, with the introduction of biometrics and geographic identifiers making it harder for hackers to defeat behavior-based checks.
Weak passwords are an Achilles' heel, with users opting for easy-to-remember passwords like "123456" and "password." Such passwords contribute to the 300 billion passwords that are at risk of compromise by 2020, which could add up to $6 trillion in damages by 2021.
"Removing a low-value setting from our baseline and not compensating with something else in the baseline does not mean we are lowering security standards," according to Microsoft. The elimination of the 60-day requirement is a push toward a more effective security strategy.
Recycling passwords is a common practice, which makes Microsoft's expiration policy less effective. Businesses could reduce password-related incidents by encrypting credential databases, deploying patches routinely and avoiding logins on public networks.