Periodic password change is an outdated practice; it's time to abandon it

    Many IT systems have a mandatory rule requiring passwords to be changed periodically. This is perhaps the most hated and most useless requirement of security systems. Some users, as a life hack, simply change the number at the end.

    This practice caused a lot of inconvenience. However, people had to put up with it, because it was "for security". Now this advice is completely irrelevant. In May 2019, even Microsoft finally removed the requirement to periodically change passwords from its baseline security requirements for the personal and server versions of Windows 10: here is the official blog post listing the changes in Windows 10 v1903 (note the phrase "Dropping the password-expiration policies that require periodic password changes"). The rules and system policies themselves for the Windows 10 Version 1903 and Windows Server 2019 Security Baseline are included in the Microsoft Security Compliance Toolkit 1.0.

    You can show these documents to your superiors and say: times have changed. Mandatory password change is an archaism, now almost officially. Even a security audit will no longer check this requirement (if it follows the official baseline rules for protecting Windows computers).

    Figure: a fragment of the list of baseline security policies for Windows 10 v1809 and the changes in 1903, where the corresponding password expiration policies no longer apply. By the way, in the new version the administrator and guest account policies are also dropped by default.

    Microsoft explains in plain terms on its blog why it abandoned the rule of mandatory password changes: “Periodic expiration of the password is only protection against the likelihood that the password (or hash) will be stolen during its validity period and will be used by an unauthorized person. If the password is not stolen, there is no point in changing it. And if you have evidence that the password has been stolen, you obviously want to act immediately and not wait for the expiration date to fix the problem.”

    Microsoft further explains that in modern conditions it is wrong to protect yourself from password theft using this method: “If it is known that the password is likely to be stolen, how many days is an acceptable period of time to allow the thief to use this stolen password? The default value is 42 days. Doesn't that seem like a ridiculously long time? Indeed, this is a very long time, and yet our current baseline has been set to 60 days - and earlier to 90 days - because forcing frequent expiration introduces its own problems. And if the password is not necessarily stolen, then you get these problems without any benefit. In addition, if your users are willing to exchange the password for candy, no password expiration policy will help.”


    Microsoft writes that its baseline security policies are designed for well-managed, security-conscious enterprises. They are also intended to provide guidance to auditors. If such an organization has implemented banned password lists, multi-factor authentication, detection of brute-force password attacks, and detection of abnormal login attempts, is periodic password expiration still required? And if they have not implemented modern security features, will password expiration help them?

    Microsoft's logic is surprisingly convincing. We have two options:

    1. The company has implemented modern security measures.
    2. The company has not implemented modern security measures.

    In the first case, periodic password changes do not provide additional benefits.

    In the second case, a periodic password change is useless.

    Thus, instead of password expiration, the first thing to use is multi-factor authentication. The additional security measures were listed above: banned password lists, and detection of brute-force and other abnormal login attempts.
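    To turn the argument into a check, here is an added example (not from the post or from Microsoft) that parses the [System Access] section of a `secedit /export /cfg` INF, flags enforced expiration, and verifies that the compensating control a baseline can express (account lockout against brute-force guessing, a minimum length) is actually configured. The sample INF is constructed and the thresholds are assumptions for this example.

```python
import configparser

# Constructed sample in the shape of the [System Access] section of a
# `secedit /export /cfg <file>` INF (not a real export). 42 days is the
# default expiration the post quotes; LockoutBadCount = 0 means no lockout.
SAMPLE_POLICY = """\
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
MinimumPasswordLength = 14
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 0
ResetLockoutCount = 30
LockoutDuration = 30
"""

# Assumed thresholds for this example; adjust them to your own policy.
MIN_LENGTH = 14
MAX_LOCKOUT_THRESHOLD = 10

def parse_system_access(inf_text):
    """Return the [System Access] settings; numeric values become ints."""
    cp = configparser.ConfigParser()
    cp.optionxform = str  # keep the original key case
    cp.read_string(inf_text)
    return {k: int(v) if v.lstrip("-").isdigit() else v.strip('"')
            for k, v in cp["System Access"].items()}

def audit(policy):
    """Flag enforced expiration, then check the compensating controls."""
    findings = []
    max_age = policy.get("MaximumPasswordAge", -1)  # -1 = never expires
    if max_age > 0:
        findings.append(f"MaximumPasswordAge={max_age}: periodic expiration "
                        "is enforced; dropped from the v1903 baseline")
    lockout = policy.get("LockoutBadCount", 0)
    if lockout == 0 or lockout > MAX_LOCKOUT_THRESHOLD:
        findings.append(f"LockoutBadCount={lockout}: brute-force guessing "
                        f"is not throttled (expected 1..{MAX_LOCKOUT_THRESHOLD})")
    if policy.get("MinimumPasswordLength", 0) < MIN_LENGTH:
        findings.append(f"MinimumPasswordLength below {MIN_LENGTH}: length "
                        "is what compensates for dropping expiration")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_system_access(SAMPLE_POLICY)):
        print(finding)
```

The point of the two checks together is the one the post makes: dropping expiration is only safe when the other controls are in place, so an audit should fail on a missing lockout just as it used to fail on a missing expiry.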

    “Periodic password expiration is an ancient and obsolete security measure,” Microsoft sums up, “and we don’t think that any specific value should be applied for our level of basic protection. By removing it from our base level, organizations can choose what best suits their intended needs, without contradicting our recommendations.”


    If a company today forces users to periodically change passwords, what might an outside observer think?

    1. Given: The company uses an archaic defense mechanism.
    2. Assumption: the company has not implemented modern defense mechanisms.
    3. Conclusion: these passwords are easier to get and use.

    It turns out that periodic password changes make the company a more attractive target for attacks.
