For as long as I can remember, Microsoft has recommended―and even forced―users to change passwords every 60 to 90 days. But just this last week, Microsoft dropped their password expiration policy for Windows 10 (v1903) and Windows Server (v1903). Aaron Margosis, a Principal Consultant with Microsoft, even called the old policy “ancient and obsolete.” Is this a sign of “the end of the world as we know it” or just a policy change to ensure that a small dose of human suffering is alleviated every 60 days? I’m not sure, but I feel fine!
The original policy was created, and enforced, to presumably improve end-user security. The theory was that if a password was compromised, it would limit the impact on an organization because the password would become invalid after two months. The reality was that users chose a single password and used it across multiple online platforms. And when the time came to reset a password, those well-meaning (and frustrated) people would slightly modify their old passwords and do things like writing them on Post-it Notes to make them easier to remember and, unfortunately, easier to steal.
The common problem with Microsoft’s old policy among IT professionals was that if a password is never stolen, there’s no need to force all users to create and remember a new one. And if a password or an account is compromised, an IT team would act quickly to reset the account rather than waiting for the expiration to fix the problem. So, after decades of password frustration, Microsoft changed their policy.
What are some of these “strongly recommended additional protections”, and how can an organization protect against these types of threats?
As we work in the community, one question comes up frequently: “What constitutes a complex password?” A complex password is one that cannot be guessed by a human or a computer program. Below are some good guidelines to follow:
- At least eight characters in length
- Does not contain the user name, real name, or company name
- Contains uppercase/lowercase letters, numbers, and symbols
- Does not contain a complete word in the English dictionary
- Is significantly different from other passwords used
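As an added illustration (not code from the original post), the following Python checker applies the five guidelines above to a candidate password. The word list, the sample names and the edit-distance threshold used for “significantly different” are constructed assumptions; a real deployment would load a full dictionary and the user’s password history.

```python
import string

# Constructed sample word list; a real deployment would load a full dictionary.
DICTIONARY = {"password", "summer", "welcome", "dragon", "monkey", "football"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum inserts/deletes/substitutions to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_password(pw, user_name="", real_name="", company_name="",
                   previous=(), dictionary=DICTIONARY, min_distance=4):
    """Return the names of the guidelines the candidate password violates (empty list = passes)."""
    failures = []
    low = pw.lower()
    if len(pw) < 8:
        failures.append("length")
    # Guideline 2: user name, company name and each part of the real name, case-insensitive.
    identity = [user_name, company_name] + real_name.split()
    if any(part and part.lower() in low for part in identity):
        failures.append("contains_identity")
    # Guideline 3: all four character classes must be present.
    classes = (any(c.isupper() for c in pw), any(c.islower() for c in pw),
               any(c.isdigit() for c in pw), any(c in string.punctuation for c in pw))
    if not all(classes):
        failures.append("character_classes")
    # Guideline 4: strip digits/symbols so "Summer2019!" still trips the dictionary rule.
    # Words shorter than four letters are ignored, otherwise "a" or "an" would match everything.
    letters = "".join(c for c in low if c.isalpha())
    if any(word in letters for word in dictionary if len(word) >= 4):
        failures.append("dictionary_word")
    # Guideline 5: "significantly different" is taken here (assumption) to mean at least
    # min_distance edits away from every previous password, ignoring case.
    if any(edit_distance(low, old.lower()) < min_distance for old in previous):
        failures.append("too_similar_to_previous")
    return failures
```

Run against a typical rotated password such as "Summer2019!" with "Summer2018!" in the history, the checker flags both the dictionary word and the one-character change the post describes.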
If a breach occurs on another platform, a cybercriminal can easily try the same password on other accounts. Many notable breaches have occurred because of this common human tendency. With major breaches occurring on a seemingly weekly basis, the probability of a cybercriminal using an individual’s reused password on other accounts is very high.
MFA forces users to remember a username and password (know something) and tie the account to a personal device (have something). Every time an account is accessed from a new device or location, it forces verification of the user via text message. This “know something/have something” condition dramatically decreases the chance that a cybercriminal can guess a password or brute-force their way into a system.