Microsoft is making changes to its password policies. No, they are not proposing to change the requirements for minimum password length, history, or complexity. It is actually a lot less complex than you may think. To avoid any inevitable misunderstandings: they are only talking about removing the password expiration policy.

In the Microsoft Security Baseline release in 2019, they say that periodic password expiration is a defense only against the probability that a password will be stolen during the time that the password is valid. This password expiration can be set to a certain number of days. If a password is never stolen, there is no need to expire it. If there is any evidence that a password was stolen, you would presumably act immediately rather than wait for the expiration to fix the issue.

If it is a given that a password is likely to be stolen, how many days is an acceptable length of time to continue to allow the thief to use that stolen password? The Windows default is 42 days. Doesn't that seem like a ridiculously long time? Well, Microsoft's current baseline is 60 days, and it used to be 90 days, because forcing frequent expiration introduces its own problems. And if it is not a given that passwords will be stolen, you acquire those problems for no benefit.
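The 42-day default and the 60-day baseline figure quoted above are the "Maximum password age" setting that Active Directory enforces. The following PowerShell is an added example, not from the original post or from Microsoft's baseline, that reports what a domain actually has configured so it can be compared with those figures. It assumes the RSAT ActiveDirectory module and read access to the domain; it assumes that a zero TimeSpan is what the cmdlets report when passwords are set never to expire, and it changes nothing.

```powershell
# Added example (not from the original post or from Microsoft's baseline):
# report the effective password-expiration settings of an AD domain,
# including fine-grained policies that override the domain default for
# their members. Read-only; requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-ExpirationReport {
    param(
        # Figure the post quotes as the former baseline recommendation
        [int]$FormerBaselineDays = 60
    )

    # Domain-wide setting (Default Domain Policy). MaxPasswordAge is a TimeSpan;
    # a zero TimeSpan is assumed here to mean "passwords never expire".
    $domain = Get-ADDefaultDomainPasswordPolicy
    $days   = [int]$domain.MaxPasswordAge.TotalDays
    $label  = if ($days -eq 0) { 'never' } else { "$days" }
    $note   = if ($days -gt 0 -and $days -lt $FormerBaselineDays) { "shorter than former $FormerBaselineDays-day baseline" } else { '' }

    [PSCustomObject]@{
        Policy           = 'Default Domain Policy'
        AppliesTo        = 'all users unless a fine-grained policy applies'
        MaxPasswordDays  = $label
        MinLength        = $domain.MinPasswordLength
        LockoutThreshold = $domain.LockoutThreshold
        Note             = $note
    }

    # Fine-grained password policies (PSOs) win over the domain setting for the
    # users and groups they apply to; lower Precedence wins between PSOs.
    Get-ADFineGrainedPasswordPolicy -Filter * | ForEach-Object {
        $pd      = [int]$_.MaxPasswordAge.TotalDays
        $pdLabel = if ($pd -eq 0) { 'never' } else { "$pd" }
        [PSCustomObject]@{
            Policy           = $_.Name
            AppliesTo        = ($_.AppliesTo -join '; ')
            MaxPasswordDays  = $pdLabel
            MinLength        = $_.MinPasswordLength
            LockoutThreshold = $_.LockoutThreshold
            Note             = "precedence $($_.Precedence)"
        }
    }
}

Get-ExpirationReport | Format-Table -AutoSize
```

Run it from a domain-joined machine with the RSAT tools installed. The report is useful in the audit situation the post goes on to describe: it shows which policy actually governs a given set of accounts, so a longer or disabled expiration can be documented together with the compensating controls rather than simply showing up as a red cell on a compliance chart.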

Their baselines are intended to be usable with minimal if any modification by most well-managed, security-conscious enterprises, and they are also intended to serve as guidance for auditors. So, what should the recommended expiration period be? If an organization has successfully implemented banned-password lists, multi-factor authentication, detection of password-guessing attacks, and detection of anomalous logon attempts, does it need any periodic password expiration? And if it has not implemented modern mitigations, how much protection will it really gain from password expiration?
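One of the mitigations listed above, detection of password-guessing attacks, is something Windows already gives you the raw material for: every failed logon is recorded as Security event 4625. The PowerShell below is an added example, not from the original post, that groups those failures into the two patterns a defender looks for (one account hit many times, or one source trying many accounts). The thresholds, window and the sample records are constructed for illustration and should be tuned to the environment; only the log-reading helper touches a real system and it needs administrative rights.

```powershell
# Added example (not from the original post): flag password-guessing patterns
# in Windows Security event 4625 "An account failed to log on".
# Thresholds and the sample records below are constructed for illustration.

function Get-FailedLogonRecords {
    # Pull 4625 events from the local Security log (needs admin rights) and
    # flatten the EventData fields into simple records.
    param([datetime]$Since = (Get-Date).AddHours(-1))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [PSCustomObject]@{ Time = $_.TimeCreated; User = $d['TargetUserName']; Source = $d['IpAddress'] }
        }
}

function Find-GuessingBursts {
    param(
        [Parameter(Mandatory)][object[]]$Records,
        [int]$WindowMinutes       = 10,  # look only at the last N minutes of the data
        [int]$PerAccountThreshold = 10,  # failures on one account: brute force
        [int]$PerSourceAccounts   = 5    # distinct accounts from one source: spray
    )
    $latest = ($Records | Measure-Object -Property Time -Maximum).Maximum
    $recent = $Records | Where-Object { $_.Time -ge $latest.AddMinutes(-$WindowMinutes) }

    # Pattern 1: many failures against a single account
    $recent | Group-Object User | Where-Object Count -ge $PerAccountThreshold | ForEach-Object {
        [PSCustomObject]@{
            Pattern  = 'brute-force'
            Key      = $_.Name
            Failures = $_.Count
            Distinct = ($_.Group.Source | Sort-Object -Unique).Count   # sources involved
        }
    }

    # Pattern 2: one source touching many accounts (a few tries each, so a
    # per-account lockout threshold never fires)
    $recent | Group-Object Source | ForEach-Object {
        $accounts = ($_.Group.User | Sort-Object -Unique).Count
        if ($accounts -ge $PerSourceAccounts) {
            [PSCustomObject]@{ Pattern = 'password-spray'; Key = $_.Name; Failures = $_.Count; Distinct = $accounts }
        }
    }
}

# Constructed sample: one source tries six accounts once each, and a
# service account collects twelve failures from twelve different sources.
$t0 = Get-Date '2019-06-01 09:00'
$sample = @()
foreach ($u in 'alice', 'bob', 'carol', 'dave', 'erin', 'frank') {
    $sample += [PSCustomObject]@{ Time = $t0.AddMinutes(1); User = $u; Source = '10.0.0.50' }
}
1..12 | ForEach-Object {
    $sample += [PSCustomObject]@{ Time = $t0.AddMinutes(2); User = 'svc-backup'; Source = "10.0.0.$(60 + $_)" }
}

Find-GuessingBursts -Records $sample | Format-Table -AutoSize
# Against live data: Find-GuessingBursts -Records (Get-FailedLogonRecords)
```

The sample produces one `brute-force` row for `svc-backup` and one `password-spray` row for `10.0.0.50`. The two groupings matter because they complement the account lockout threshold: a spray stays under the per-account limit by design, so it is only visible when failures are counted per source, which is exactly the kind of detection the post names as a replacement for periodic expiration.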

The results of baseline compliance scans are usually measured by how many settings are out of compliance: "How much red do we have on the chart?" It is not unusual for organizations to treat compliance numbers as more important than real-world security during an audit. If a baseline recommends 60 days and an organization with advanced protections opts for 365 days, or no expiration at all, it will get dinged in an audit unnecessarily and might be compelled to adhere to the 60-day recommendation.

Periodic password expiration is an ancient and obsolete mitigation of very low value, and Microsoft does not believe it is worthwhile for their baseline to enforce any specific value. By removing it from the baseline rather than recommending a particular value or no expiration, organizations can choose whatever best suits their perceived needs without contradicting Microsoft's guidance. At the same time, Microsoft must reiterate that they strongly recommend the additional protections listed above, even though those protections cannot be expressed in the baselines.

The tools we can provide at Integritechs include either a compliance baseline set to your industry's standards or a password manager that safeguards your passwords and can be used securely. Contact us for more information on how we can best help your organization stay secure.

Source: Microsoft