Windows wants to stop requirement that users change their password regularly

Windows wants to stop requirement that users change their password regularly
Windows wants to stop requirement that users change their password regularly

The Microsoft proposed to end a Windows policy that requires users to periodically change your password. In a statement posted on its official blog on Wednesday, the company said its new security configuration would no longer pressure users to change their passwords after a certain amount of time.

For the company, the existing policy is an “old, obsolete and very low value” medicine, and the company does not “think it’s worth it” to keep it any longer. “If a password is ever stolen, there is no need to expire it. And if you have proof that a password has been stolen, you would presumably act immediately, instead of waiting for the expiration [of the access credential] to correct the problem,” said Microsoft consultant Aaron Margosis.

He also raised questions about the effectiveness of Microsoft’s current policy: “If a password is likely to be stolen, how many days is an acceptable time to continue allowing the thief to use that stolen password? Windows default is 42 days Does not this seem like a ridiculously long time? ”

In other words, Microsoft wants to value the use of strong, long, and unique passwords, and no longer force users to change them regularly unnecessarily, as it is nowadays. And they’re not the only ones who believe that: former Federal Trade Commission chief technology officer Lorrie Cranor said in a post dated 2016 that forcing users to change their passwords from time to time may result in weaker passwords.

“The researchers also point out that an attacker who already knows a user’s password is not likely to be prevented by a password change,” Cranor wrote. “Once an attacker knows a password, they often can guess the user’s next password quite easily,” he adds.

Shortly thereafter, the National Institute of Standards and Technology (NIST), which advises the US government on cybersecurity practices and policies, has revised its own advice to remove policies that require periodic password changes. Bill Burr, the retired NIST manager who developed a policy of recommending password expiration in 2003, lamented the idea in a 2017 interview, saying the rule “really had a negative impact on usability.”