Periodically changing passwords is an outdated practice; it's time to abandon it

In many IT systems there is a mandatory rule to change passwords periodically. This is perhaps the most hated and most useless requirement in security policies. Some users simply increment the number at the end of the password as a life hack.

This practice caused a lot of inconvenience. People put up with it, however, because it was supposedly for the sake of security. Now this advice is completely irrelevant. In May 2019, even Microsoft finally removed the requirement to change passwords periodically from its baseline security requirements for the desktop and server versions of Windows 10: the official blog post lists the changes in Windows 10 v1903 (note the phrase "Dropping the password-expiration policies that require periodic password changes"). The rules themselves and the system policies, the Windows 10 Version 1903 and Windows Server 2019 Security Baseline, are included in the Microsoft Security Compliance Toolkit 1.0.

You can show these documents to your superiors and say: times have changed. Mandatory password changes are now an archaism, almost officially. Even a security audit will no longer check this requirement (if it follows the official rules for basic protection of Windows computers).

Fragment of the list of Windows 10 v1809 baseline security policies and the changes in 1903, where the corresponding password-expiration policies no longer apply. By the way, the new baseline also drops the enforced disabling of the built-in administrator and guest accounts.

In the blog post, Microsoft explains in plain terms why it dropped the mandatory password-change rule: "Periodic password expiration is protection only against the possibility that a password (or hash) will be stolen during its lifetime and used by an unauthorized person. If the password is not stolen, there is no point in changing it. And if you have proof that the password has been stolen, you will obviously want to act immediately rather than wait for an expiration date to fix the problem."

Microsoft goes on to explain that in today's environment it is wrong to defend against password theft in this way: "If a password is known to be likely to be stolen, how many days is an acceptable time period to allow a thief to use that stolen password? The default value is 42 days. Doesn't that seem like a ridiculously long time? Indeed, that's a very long time, and yet our current baseline was set to 60 days - instead of 90 days - because forcing frequent expiration introduces its own problems. And if the password is not necessarily stolen, then you are gaining these problems for no good. Also, if your users are willing to trade their password for candy, no amount of password expiration policy will help."

Alternative

Microsoft writes that its baseline security policies are intended to be used by well-managed, security-conscious businesses. They are also intended to serve as a guide for auditors. If such an organization has implemented banned password lists, multi-factor authentication, password brute-force attack detection, and abnormal login attempt detection, is periodic password expiration required? And if they haven't implemented modern security measures, will password expiration help them?

Microsoft's logic is surprisingly persuasive. We have two options:

  1. The company has implemented modern security measures.
  2. The company has not implemented modern security measures.

In the first case, periodically changing the password does not provide additional benefits.

In the second case, periodically changing the password is useless.

Thus, instead of password expiration, you should rely above all on multi-factor authentication. The additional protection measures are listed above: banned password lists and detection of brute-force and other anomalous login attempts.
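As an added example (not code from the article, from Habr or from Microsoft's toolkit), here are two of the replacement controls Microsoft names, a banned-password check that also catches the "change the number at the end" trick, and a failed-login burst detector for brute force and password spraying. The banned word list, the log line format and the addresses are constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed banned-password list; a real deployment uses a far larger one.
BANNED = {"password", "welcome", "summer", "letmein", "contoso"}

def normalize(pw: str) -> str:
    """Strip the 'increment the trailing number' trick and common substitutions,
    so Summer2019!, Summer2020! and P@ssw0rd3 all collapse to their banned base."""
    base = re.sub(r"[\d\W_]+$", "", pw)             # drop trailing digits/punctuation
    return base.lower().translate(str.maketrans("@$0341", "asoeai"))

def is_banned(pw: str) -> bool:
    return normalize(pw) in BANNED

# Constructed log format: "<ISO timestamp> OK|FAIL user=<name> src=<address>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")

def failed_login_bursts(lines, threshold=5, window=timedelta(minutes=10)):
    """Map each source to its largest run of failed logins inside `window`,
    keeping only sources that reached `threshold` (brute force or spraying)."""
    failures = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if m and m["result"] == "FAIL":
            failures[m["src"]].append(datetime.fromisoformat(m["ts"].replace("Z", "+00:00")))
    flagged = {}
    for src, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:         # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged[src] = max(flagged.get(src, 0), end - start + 1)
    return flagged

SAMPLE_LOG = [  # constructed sample, not real telemetry
    "2019-05-23T10:00:01Z FAIL user=alice src=198.51.100.7",
    "2019-05-23T10:00:03Z FAIL user=bob src=198.51.100.7",
    "2019-05-23T10:00:04Z FAIL user=carol src=198.51.100.7",
    "2019-05-23T10:00:06Z FAIL user=dave src=198.51.100.7",
    "2019-05-23T10:00:09Z FAIL user=erin src=198.51.100.7",
    "2019-05-23T09:00:00Z FAIL user=alice src=203.0.113.5",
    "2019-05-23T11:30:00Z OK user=alice src=203.0.113.5",
]

if __name__ == "__main__":
    print([is_banned(p) for p in ("Summer2019!", "P@ssw0rd3", "correct-horse-battery")])
    print(failed_login_bursts(SAMPLE_LOG))  # one source spraying five accounts in 8 seconds
```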

"Periodic password expiration is an ancient and obsolete security measure," Microsoft concludes, "and we don't think it's worth using any particular value for our baseline protection level. By removing it from our baseline, organizations can choose what best suits their perceived needs without conflicting with our guidelines."

Conclusion

If a company today forces users to periodically change their passwords, what would an outside observer think?

  1. Given: the company uses an archaic defense mechanism.
  2. Assumption: the company has not implemented modern protective mechanisms.
  3. Conclusion: these passwords are easier to get and use.

It turns out that periodic password changes make the company a more attractive target for attacks.


Source: habr.com