By Bruce Sussman
Tue | Jun 4, 2019 | 7:07 AM PDT

If you are a Windows 10 or Windows Server v1903 shop, there is some big news when it comes to password management.

Microsoft is dropping password expiration dates.

Microsoft statement on password problems

As we read through a lengthy blog post, we found ourselves agreeing with Microsoft's assessment of password management challenges. We hear about these challenges, repeatedly, at SecureWorld regional cybersecurity conferences.

Here is how Microsoft sums up the problem with passwords:

There’s no question that the state of password security is problematic and has been for a long time. When humans pick their own passwords, too often they are easy to guess or predict.

When humans are assigned or forced to create passwords that are hard to remember, too often they’ll write them down where others can see them.

When humans are forced to change their passwords, too often they’ll make a small and predictable alteration to their existing passwords, and/or forget their new passwords. When passwords or their corresponding hashes are stolen, it can be difficult at best to detect or restrict their unauthorized use.

If these are the generally accepted problems with passwords, how does dropping the password expiration policy change things?

Microsoft's explanation for dropping Windows 10 password expiration

Anticipating questions from the cybersecurity community about its decision, Microsoft wrote in detail about dropping the password expiration policy for Windows 10 and Windows Server v1903 users.

Microsoft starts by trying to clarify things:

First, to try to avoid inevitable misunderstandings, we are talking here only about removing password-expiration policies—we are not proposing changing requirements for minimum password length, history, or complexity.

Then, it admits that password expiration policies don't actually do much:

Periodic password expiration is a defense only against the probability that a password (or hash) will be stolen during its validity interval and will be used by an unauthorized entity.

If a password is never stolen, there’s no need to expire it. And if you have evidence that a password has been stolen, you would presumably act immediately rather than wait for expiration to fix the problem.

And finally, it comes around to this nugget on password management: fixed password expiration intervals actually create new problems of their own:

If it’s a given that a password is likely to be stolen, how many days is an acceptable length of time to continue to allow the thief to use that stolen password? The Windows default is 42 days. Doesn’t that seem like a ridiculously long time?

Well, it is, and yet our current baseline says 60 days—and used to say 90 days—because forcing frequent expiration introduces its own problems. And if it’s not a given that passwords will be stolen, you acquire those problems for no benefit.

Further, if your users are the kind who are willing to answer surveys in the parking lot that exchange a candy bar for their passwords, no password expiration policy will help you.
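The distinction Microsoft draws above, that only the expiration setting changes while minimum length, history and complexity stay put, is easy to verify on a host. The following PowerShell script is an added example written for this article; it is not code from Microsoft's post or the security baseline. It assumes an elevated session on a Windows machine and uses only the built-in secedit and net tools to read the local account policy and report the four settings side by side.

```powershell
# Added example (not from Microsoft's post): audit the local account-policy
# values that the expiration decision does and does not affect.
# Assumes an elevated PowerShell session; secedit.exe and net.exe are built in.

$inf = Join-Path $env:TEMP 'local-policy.inf'
# Export the local security policy; the [System Access] section holds the password settings.
secedit /export /cfg $inf /quiet | Out-Null

# Parse only the [System Access] section into a hashtable of name -> value.
$systemAccess = @{}
$inSection = $false
foreach ($line in Get-Content $inf) {
    if ($line -match '^\[(.+)\]$') {
        $inSection = ($Matches[1] -eq 'System Access')
        continue
    }
    if ($inSection -and $line -match '^(\w+)\s*=\s*(.+)$') {
        $systemAccess[$Matches[1]] = $Matches[2].Trim()
    }
}
Remove-Item $inf -ErrorAction SilentlyContinue

# secedit encodes "password never expires" as MaximumPasswordAge = -1.
$maxAge = [int]$systemAccess['MaximumPasswordAge']
$maxAgeText = if ($maxAge -eq -1) { 'never expires' } else { "$maxAge days" }

$report = [pscustomobject]@{
    MaximumPasswordAge    = $maxAgeText
    MinimumPasswordLength = [int]$systemAccess['MinimumPasswordLength']
    PasswordHistorySize   = [int]$systemAccess['PasswordHistorySize']
    ComplexityEnabled     = ([int]$systemAccess['PasswordComplexity'] -eq 1)
}
$report | Format-List

# Dropping expiration changes only MaximumPasswordAge. On a standalone host
# that is:   net accounts /maxpwage:unlimited
# Length, history and complexity are separate settings and are left untouched.
if ($maxAge -ne -1) {
    Write-Host "Passwords on this host still expire every $maxAge days."
    Write-Host "Length, history and complexity values are independent of that setting."
}
```

Run it before and after changing the policy and the last three fields should be identical, which is the point Microsoft is making: the change is about expiration only. For domain-joined machines the equivalent values come from the domain password policy rather than the local export, so treat this as a local-host check.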

New NIST recommendation on passwords

NIST has been weighing in on the password management debate over the last two years, as thinking in this area has changed.

NIST suggests a shift to passphrases as a way to create a password that is hard to guess and easy to remember, and NIST recently published guidance arguing against password expiration policies:

"Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator."

That seems to make sense.

Why force users to throw away a password that is still secure? Perhaps that question should have been asked before now.
