Unlike milk, passwords don’t need an expiration date. That’s the conclusion of Microsoft, which recently announced that it will no longer attach expiration dates as part of its security requirements.
An article at Forbes.com reports on the change, which was overdue, according to security professionals: “The United States National Institute for Standards and Technology (NIST) has been recommending password expiration is dropped from security policy since 2016. Now it seems that Microsoft has finally caught up and will be dropping the requirement starting from Windows 10 (1903) and Windows Server (1903) onward.”
Microsoft explains the password security policy change in a blog post: “There’s no question that the state of password security is problematic and has been for a long time. When humans pick their own passwords, too often they are easy to guess or predict. When humans are assigned or forced to create passwords that are hard to remember, too often they’ll write them down where others can see them. When humans are forced to change their passwords, too often they’ll make a small and predictable alteration to their existing passwords, and/or forget their new passwords.”
In the past, Sinu has recommended changing passwords every 3-6 months and Microsoft concedes that changing passwords periodically has been part of most security protocols. However, new scientific research suggests that other practices should take precedence, such as enforcing banned password lists and using multi-factor authentication.
While there is no one data security plan that will fit all organizations’ needs, password security policies & protocols should contain these critical elements:
Do not reuse the same password for different online accounts.
Do not use passwords that have personal information or are easy to guess (see our article on the The World’s Most Hacked Passwords).
Create passwords or passphrases that do not use repeating words and number patterns, cannot be easily guessed, and do not use personal information.
Use multi-factor authorization whenever possible.