In a blog post published last month, Microsoft said it was removing periodic password changes from the security baseline settings, the IT support best practices it recommends for customers and auditors. After decades of recommending regular password changes, Microsoft employee Aaron Margosis called the requirement an “ancient and obsolete mitigation of very low value.”
The change is likely due to research showing that passwords are easy to crack when they are easy to remember. Over the past decade, hackers have mined real-world password breaches to build dictionaries of millions of words. Combined with very fast graphics cards, those datasets let attackers make enormous numbers of guesses in offline attacks, which take place after they have stolen the hashes, the scrambled codes that represent users’ plaintext passwords.
Even when users try to complicate their easy-to-remember passwords, by adding letters or symbols to the words or by substituting 0s for the o’s, hackers can apply rules that automatically modify the dictionary entries in the same ways. As a result, those measures provide little protection against modern cracking techniques.
Researchers have increasingly come to the consensus that the best passwords are at least 11 characters long, randomly generated, and made up of upper- and lower-case letters, symbols (such as %, *, or >), and numbers. Those traits make them especially hard for most people to remember. The same researchers have warned that mandating password changes every 30, 60, or 90 days can be harmful for a host of reasons. Primarily, the requirements encourage end users to choose weaker passwords than they otherwise would: a password that had been “P@$$w0rd1” becomes “P@$$w0rd2” and so on. At the same time, the mandatory changes provide little security benefit, since passwords should be changed immediately in the event of a real breach, not after a set amount of time prescribed by a policy.
Despite the growing consensus among researchers, Microsoft and most other large organizations have been slow to speak out against periodic password changes.
But in last month’s blog post, Microsoft’s Margosis wrote:
Recent scientific research calls into question the value of many long-standing password-security practices, such as password expiration policies, and points instead to better alternatives such as enforcing banned-password lists (a great example being Azure AD password protection) and multi-factor authentication.
Periodic password expiration is a defense only against the probability that a password (or hash) will be stolen during its validity interval and will be used by an unauthorized entity. If a password is never stolen, there’s no need to expire it. And if you have evidence that a password has been stolen, you would presumably act immediately rather than wait for expiration to fix the problem.
If it’s a given that a password is likely to be stolen, how many days is an acceptable length of time to continue to allow the thief to use that stolen password? The Windows default is 42 days. Doesn’t that seem like a ridiculously long time? Well, it is, and yet our current baseline says 60 days—and used to say 90 days—because forcing frequent expiration introduces its own problems. And if it’s not a given that passwords will be stolen, you acquire those problems for no benefit. Further, if your users are the kind who are willing to answer surveys in the parking lot that exchange a candy bar for their passwords, no password expiration policy will help you.
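The two alternatives the post points to, a banned-password list and a check that the new password is not just a trivial variation of the old one, are illustrated below in an added Python example that is not from Microsoft or the original article. The banned words and the substitution map are constructed here; the 11-character minimum is the figure quoted earlier in the post.

```python
import re

# Constructed banned list standing in for a real banned-password list;
# a production list would hold thousands of breach-derived base words.
BANNED_BASE_WORDS = {"password", "welcome", "summer", "letmein", "qwerty", "admin"}

# Common substitutions users apply to satisfy complexity rules. Cracking
# rules undo them for free, so the checker undoes them too (assumed map).
LEET = {"@": "a", "4": "a", "8": "b", "3": "e", "1": "i", "!": "i",
        "0": "o", "$": "s", "5": "s", "7": "t", "+": "t"}
LEET_TABLE = str.maketrans(LEET)
LEADING_JUNK = re.compile(r"^[^a-z%s]+" % re.escape("".join(LEET)))


def base_word(candidate: str) -> str:
    """Heuristically reduce a password to the dictionary word it was built from."""
    s = candidate.lower()
    s = re.sub(r"[^a-z]+$", "", s)   # trailing digits/symbols: "...1", "...2019!"
    s = re.sub(r"^\d{2,}", "", s)    # leading year-style digit runs: "2019summer"
    s = LEADING_JUNK.sub("", s)      # leading symbols that are not leet letters
    return s.translate(LEET_TABLE)   # "p@$$w0rd" -> "password"


def check_password(candidate: str, previous: str = None, min_length: int = 11) -> list:
    """Return the list of policy failures; an empty list means the password is accepted."""
    failures = []
    if len(candidate) < min_length:
        failures.append("shorter than %d characters" % min_length)
    base = base_word(candidate)
    if base in BANNED_BASE_WORDS:
        failures.append("built from banned word %r" % base)
    # On a password change the user supplies the old password, so the
    # server can reject "P@$$w0rd1" -> "P@$$w0rd2" style increments.
    if previous is not None and base and base == base_word(previous):
        failures.append("trivial variation of the previous password")
    return failures


if __name__ == "__main__":
    print(check_password("P@$$w0rd2", previous="P@$$w0rd1"))
    print(check_password("xK9#mQ2!vR7pL"))
```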
The baseline change is likely to give employees ammunition when advocating for changes inside their own organizations. It’s also likely to help companies push back against auditors, who often find companies out of compliance unless they have enforced password changes within a set amount of time. Microsoft officially jumping into the fight against mandatory password changes is going to give companies even more leverage against Big Compliance.
If you hate changing your passwords for your business IT support and want to know the latest best practices in Albuquerque and Santa Fe, give me a call.