June 10, 2019updated 11 Jun 2019 1:38pm

Changing passwords no longer necessary, says Microsoft

By Ellen Daniel

Microsoft has said that it no longer recommends periodic password changes, and that the practice could in fact leave users more open to hacking.

For many organisations, requiring employees to change their password after an assigned period of time has been a standard part of their security practice. However, Microsoft is no longer recommending this, calling the practice “ancient” and “obsolete”.

In a blog post on the security baseline for Windows 10, Microsoft’s principal consultant Aaron Margosis explained that when users are forced to change their password too often, they often make passwords more predictable, or will only make slight alterations to their existing password.

Password expiration policies are only effective if the password has been stolen, the post claims. If this has not occurred, then changing it serves little purpose, and if it has, users need to act immediately rather than waiting for it to expire. Therefore, Margosis believes that forcing users to change their password regularly can “acquire those problems for no benefit”.

Instead, other policies such as banned password lists, multi-factor authentication, or the detection of password-guessing attacks may be more effective, and may even mitigate the need for periodic password expiration.

Because of this, the company has updated its advice to businesses, saying that “mitigation of very low value, and we don’t believe it’s worthwhile for our baseline to enforce any specific value”.

However, Microsoft maintains that organisations can still “choose whatever best suits their perceived needs”.

The company recommends that users only use passwords that are “random and strong” and “strongly recommends” that organisations put in place additional protections.

“The humble password is by no means dead”

Andy Cory, identity management services lead at KCOM said:

“The truth is that technology has moved past the stage where we constantly need to reset passwords. That’s not to say that passwords are not important – the effective management of passwords is one of the most vital aspects of corporate defence. It doesn’t matter how strong your perimeter is, or how intelligent your breach detection – if users’ accounts can be cracked open from the front, if their passwords can be guessed or stolen, then your company is as good as defenceless.

Once an account has been compromised in this way an attacker will often be able to gain access to a whole plethora of sensitive information without setting off any internal alarms, with incalculable potential impact for the organisation.

“The humble password is by no means dead. It’s simply time for businesses to come up with a more intelligent strategy than a password expiry policy. Frequent password changes encourage bad passwords, whereas a good password does not have to be changed that frequently. Organisations should consider ditching a historical reliance on password expiry in favour of a more prescriptive policy on password strength, ensuring that strong but usable password rules and, preferably, multi-factor authentication are in place. As part of that, it’s also important to have a high-capacity infrastructure in place that can reliably and securely handle the authentication data – only then can you match user experience with security needs.”

Read more: Troy Hunt: ‘The future of passwords is more passwords’


Verdict deals analysis methodology

This analysis considers only announced and completed cloud-deals deals from the GlobalData financial deals database and excludes all terminated and rumoured deals. Country and industry are defined according to the headquarters and dominant industry of the target firm. The term ‘acquisition’ refers to both completed deals and those in the bidding stage.

GlobalData tracks real-time data concerning all merger and acquisition, private equity/venture capital and asset transaction activity around the world from thousands of company websites and other reliable sources.

More in-depth reports and analysis on all reported deals are available for subscribers to GlobalData’s deals database.

Topics in this article: ,