Last week, we gave you our tips for choosing a good password. To continue on the same theme and the importance of a good password, we present here our summary of a blog Microsoft was doing a few days ago on passwords with expiration dates and their security.
On Windows 10, the password is set to expire after 42 days. Not practical when you’re already having trouble remembering them. The company is abandoning this policy and explains their reasons in their Security baseline (DRAFT) for Windows 10 v1903 and Windows Server v1903. Note that there is no question of changing the minimum criteria for password length, history and complexity.
Questionable utility
Microsoft admits that password expiration policies are useless. When a human chooses his or her own password, chances are it will be easy to find… or forget! For reasons explained at greater length in their article, they have chosen to abandon this practice. In short, if a company or individual has already set up additional security systems, password expiration is not really necessary. It is only useful to counter the likelihood of a user discovering and using the password during its validity period. What’s more, it’s difficult to establish the number of days a password is valid. Why 42 days? Why not 30, or 60?
The best protection
Microsoft points out that password security is a problem. The protection strategy for consumers (and businesses!) should not be limited to a good password. Double or multiple authentications and lists of banned passwords are more effective. They reiterate in their article that expiring password policies are an old and obsolete practice. Even if they can’t mention it in their reference database, they strongly recommend additional protections such as banned password lists, multi-factor authentication, a detection system for password discovery attempts and abnormal login attempts.
When should I change my password?
If your password hasn’t been “stolen”, there’s no reason to change it, even when it expires, unless you want to make it more complex. If you have reason to believe your password has been stolen, don’t wait until the expiry date to change it – do it now!
For tips on how to choose different, easy-to-remember and secure passwords for all your accounts, read our blog post “How to choose a good password“.