#31: Microsoft Puts an End to Password Expiration Policy

Microsoft Ends Password Expiration Policy

In this episode of The Power Up Project, we cover:

- Breaking news about the end of Microsoft’s enforced password policy.
- What it means for you and your business.
- How you can secure your account now that Microsoft won’t be forcing a password expiration anymore.

In this episode of The Power Up Project, we talk about why expiring passwords is no longer a thing. Well, according to Microsoft at least.

Welcome back to The Power Up Project. I’m your host Ben Love, and today we’re going to be discussing the expiration of passwords. Now, you should know what I mean by that, because we’ve all been caught by it, and it can be really annoying. That every 60 days, maybe every 90 days, we get that message popping up on our computer saying, “Your password is about to expire. You need to choose a new password.” And then, of course, we go through the process of trying to choose a new password. Do we use an old password and just change it very slightly or did we already use that one? Anyway, you understand what I’m talking about. We’ve all been there. Well, the interesting thing is that Microsoft have recently updated their security baseline recommendations, and the big news that a lot of people are talking about is that they are no longer recommending the forced expiration of passwords. What the?

So I just want to dig into this a little bit deeper because we need to understand what’s going on here. This is a quote from Microsoft. “There’s no question that the state of password security is problematic and has been for a long time. When humans pick their own passwords, too often they are easy to guess or predict. When humans are assigned or forced to create passwords that are hard to remember, too often they’ll write them down where others can see them. When humans are forced to change their passwords, too often they’ll make a small and predictable alteration to their existing passwords, or forget their new password altogether.” Does that sound familiar to anyone? I know it certainly does to me.

So, what they’re saying there is that the previous recommendation to force expire your passwords is actually adding very little value to the security discussion. It’s not that they’re saying don’t expire passwords or telling you to never expire passwords even, but what they’re saying is that this is a very low value add activity when it comes to improving the security of one of our network environments.
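One practical way to act on Microsoft's observation that forced changes produce "small and predictable alterations" is to reject such alterations at password-change time, when the system briefly has both the old and the new password in clear text. The following is an added illustration, not code from Microsoft or from the podcast; the alteration patterns it checks (trailing digit or symbol bumps, appended or prepended characters, reversal, and a Levenshtein distance of two or less) are my own choices and are assumptions about what "predictable" means, not a definitive list.

```python
"""Reject new passwords that are only trivial variations of the old one.

Added example. Must run at change time, while the old password is still
available in clear text; a stored hash cannot be compared this way.
"""
import re


def normalize(pw: str) -> str:
    """Lower-case and strip trailing digits/symbols so that
    'Summer2019!' and 'Summer2020!' compare as the same core word."""
    return re.sub(r"[\d\W_]+$", "", pw.lower())


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance via a rolling single row of the DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def is_predictable_alteration(old: str, new: str, max_edits: int = 2) -> bool:
    """True when `new` is derived from `old` by one of the patterns below
    (assumed set of 'predictable' alterations; tune to your policy)."""
    lo, ln = old.lower(), new.lower()
    if lo == ln:
        return True                                   # unchanged (case aside)
    if normalize(old) == normalize(new):
        return True                                   # only the trailing digits/symbols changed
    if ln.startswith(lo) or ln.endswith(lo) or lo.startswith(ln) or lo.endswith(ln):
        return True                                   # one is the other plus a prefix/suffix
    if ln == lo[::-1]:
        return True                                   # simple reversal
    if levenshtein(lo, ln) <= max_edits:
        return True                                   # a couple of character edits
    return False


def check_password_change(old: str, new: str) -> str:
    """Decision a change handler could return; 'ok' means the new password
    passed the predictability check (other policy checks would run too)."""
    return "rejected: too similar to previous password" if is_predictable_alteration(old, new) else "ok"


if __name__ == "__main__":
    # Constructed sample pairs, not real credentials.
    for old, new in [("Summer2019!", "Summer2020!"), ("Password1", "Password12"),
                     ("Tr0ub4dor&3", "3&rod4bu0rT"), ("Winter19", "correct-horse-battery")]:
        print(f"{old!r} -> {new!r}: {check_password_change(old, new)}")
```

The point of the check is the same as Microsoft's: if users cannot satisfy a forced rotation with `Summer2019!` to `Summer2020!`, the rotation either produces a genuinely new secret or, more usefully, pushes the organisation toward dropping routine rotation in favour of the controls discussed later in the episode.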

Here’s another quote from Microsoft. “This reinforces a larger important point about our security baselines. While they are a solid foundation and should be part of your security strategy, they are not a complete security strategy.” And so what does that mean? Well, what Microsoft is saying there is that network security needs to come from many directions and in many layers using many different methods, and passwords are really only one piece of the picture. We’ve spoken many times on this podcast, in blog posts, at seminars, you name it, about multi-factor authentication. Okay, so that’s one example that Microsoft do not talk about in their security baseline, but they do very heavily allude to.

So what do you need to do about all of this? Well, here are the take-homes that I need to leave you with today. First of all, changing passwords is still a good idea.

Secondly, use a different password for different systems. So try not to use the same password for everything from your Uber Eats account through to logging onto your corporate email to your internet banking. Next, try and use a passphrase where possible. So, a passphrase is a series of words, it is a phrase that may mean something to you, it may be nonsense, but it is probably a lot easier for you to remember than some cryptic random string of characters in a password. But curiously enough, passphrases can often be a lot harder for hackers to brute force and to crack. So, not all systems out there will let you use a passphrase instead of a password, but if you can, definitely a good idea. And the last point that I need to leave you with regarding this is multifactor authentication. I sound like a broken record on this, but it is really important. It is very easy to enable on enterprise systems such as Office 365. We can also enable it on our Facebook, for example. Absolutely on things like Xero and on your internet banking. Multifactor authentication is currently the single most effective method that we are seeing of helping with network security. So there’s the take-home, folks. Microsoft is no longer recommending that you expire passwords periodically, however, it’s still a good idea. Use different passwords, use passphrases, and use multifactor authentication.
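To put numbers on the passphrase point, here is an added example (my own code, not from the podcast or from Microsoft) that generates a passphrase from a word list with a cryptographic random source and compares the guess space of a random-character password against a random-word passphrase. The ten-word list is a constructed stand-in; a real deployment would use a large published list such as the EFF long word list, whose size of 7776 words is the figure assumed in the comparison below.

```python
"""Compare the search space of random-character passwords and word passphrases.

Added example; the word list is a constructed sample and the 7776-word list
size and 1e10 guesses/second rate are assumptions for illustration.
"""
import math
import secrets

# Constructed sample list; use a large published word list in practice.
SAMPLE_WORDS = ["anchor", "bamboo", "canyon", "dusk", "ember",
                "falcon", "granite", "harbor", "ivory", "juniper"]

PRINTABLE_ASCII = 95        # characters on a US keyboard (letters, digits, symbols)
ASSUMED_WORDLIST_SIZE = 7776  # size of the EFF long word list (assumption for the comparison)


def guess_space_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy when each of `length` symbols is chosen uniformly
    from `alphabet_size` choices: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Time for an offline attacker at the given rate to try the whole space."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def generate_passphrase(words: list[str], n_words: int = 6, sep: str = "-") -> str:
    """Pick `n_words` uniformly at random with the `secrets` module.
    Strength comes from the count and the list size, not from meaning."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def compare(password_len: int, n_words: int,
            wordlist_size: int = ASSUMED_WORDLIST_SIZE) -> dict[str, float]:
    """Side-by-side entropy of an N-character random password and an
    M-word random passphrase; returns the bits and years for each."""
    pw_bits = guess_space_bits(PRINTABLE_ASCII, password_len)
    pp_bits = guess_space_bits(wordlist_size, n_words)
    return {
        "password_bits": round(pw_bits, 1),
        "password_years": years_to_exhaust(pw_bits),
        "passphrase_bits": round(pp_bits, 1),
        "passphrase_years": years_to_exhaust(pp_bits),
    }


if __name__ == "__main__":
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDS))
    for n_words in (4, 5, 6):
        r = compare(password_len=8, n_words=n_words)
        print(f"8 random chars: {r['password_bits']} bits "
              f"vs {n_words} random words: {r['passphrase_bits']} bits")
```

Running the comparison shows the caveat behind "passphrases are harder to crack": four words from a 7776-word list are roughly equal to eight fully random printable characters (about 52 bits each), and the passphrase only pulls clearly ahead at five or six words. A phrase that is a well-known song lyric or saying is not drawn uniformly from a word list and does not get these numbers, which is why the generator picks words at random rather than asking for a meaningful sentence.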

Thanks for listening to this episode of The Power Up Project, brought to you by Grassroots IT and Digit IT. Please leave us a review wherever you get your podcasts, and until next time, keep powering up.
