The End of Microsoft's Password Expiration Policy

Microsoft's Password Expiration Policy Ended

You slide into work, coffee in hand and motivation to burn, ready to kick off another productive day. As you sit at your desk, ready to log on to your computer, you receive the notification that it’s time to change your password. Again. And it can’t be any of the passwords you’ve used before. Sigh. You’ve already used “G@m3ofThr0n3s”, so maybe “GAm30fThr00nEs” this time?

Hark. Good news is ahead. Your days of enforced password changes from Microsoft are coming to an end.



Hints about a plan to put an end to password expiration policies have been floating around since April this year, but Microsoft confirmed and formalised this plan on 23 May when they released a finalised Security baseline for Windows 10 v1903 and Windows Server v1903.

In an effort to secure passwords, Microsoft’s baseline security standards previously recommended that user passwords have an expiration period and a replacement password is enforced every few weeks. Throughout the years though, this method hasn’t adequately addressed password and security issues and, instead, forcing a frequent change to credentials has posed its own problems.

"The UNC researchers said if people have to change their passwords every 90 days, they tend to use a pattern and they do what we call a transformation," explains Professor Lorrie Cranor, the chief technologist at the US Federal Trade Commission. "They take their old passwords, they change it in some small way, and they come up with a new password."

Data from a University of North Carolina study published in 2010 analysed passwords to 10,000 expired accounts that once belonged to university employees, faculty, or students who had been required to change their passcodes every three months. Researchers received data not only for the last password used but also for passwords that had been changed over time.

“By studying the data, the researchers identified common techniques account holders used when they were required to change passwords. A password like "tarheels#1", for instance (excluding the quotation marks) frequently became "tArheels#1" after the first change, "taRheels#1" on the second change and so on. Or it might be changed to "tarheels#11" on the first change and "tarheels#111" on the second. Another common technique was to substitute a digit to make it "tarheels#2", "tarheels#3", and so on.”

A separate study from researchers at Carleton University provided a mathematical demonstration that frequent password changes hamper attackers only minimally and probably not enough to offset the inconvenience to end users.



In the latest security announcement, Aaron Margosis, Principal Consultant at Microsoft, advised the reason for Microsoft’s decision to remove their password-expiration policies is because “periodic password expiration is a defense only against the probability that a password (or hash) will be stolen during its validity interval and will be used by an unauthorized entity. If a password is never stolen, there’s no need to expire it. And if you have evidence that a password has been stolen, you would presumably act immediately rather than wait for expiration to fix the problem.”

No security policy from Microsoft can help in securing your account if you voluntarily provide your credentials to anyone who asks for it or if you’re using a vulnerable password. A forced mandatory password change doesn’t offer much value, that is why even Microsoft and others are now using a combo of many security features like biometric identification and Multi-Factor Authentication (MFA).

While Microsoft is removing enforced password changes, they are still encouraging organizations to do regular password changes in a time period that best suits the organisation’s needs. Margosis also made clear that password security is still incredibly important.

“We are talking here only about removing password-expiration policies – we are not proposing changing requirements for minimum password length, history, or complexity,“ said Margosis. “We must reiterate that we strongly recommend additional protections even though they cannot be expressed in our baselines.”

As the password expiration policy ends, now is the time to think of additional security measures for your account. A good place to start would be thinking of a good passcode that you can easily remember and is secure, such as a passphrase, and also ensuring all your accounts are protected by MFA, which is currently the best form of account security. Having to check an authenticator app for a security code in real-time may seem time consuming, but for an extra 10 second investment of your time, it is well worth it for the extra security MFA provides. 

Because, as Aaron Margosis commented, “When humans pick their own passwords, too often they are easy to guess or predict. When humans are assigned or forced to create passwords that are hard to remember, too often they’ll write them down where others can see them.”

What do you think of this latest password news from Microsoft? Not sure about how MFA works? Here's a blog post we've written about it, and you can download our handy cheatsheet and checklist below. If you need assistance in fanning out other security options and securing your accounts, feel free to reach out to us, we’d be happy to talk! 

New call-to-action

Back to more news, updates and resources.


Picture of Annie Love

Annie has worn many hats over her career, from being a Systems Administrator for a serviced office, to working in advertising in the magazine industry, and managing conferences in the Whitsundays. These days, as well as being the Mum of three gorgeous boys, Annie takes care of the marketing at Grassroots IT. She has a passion for creativity, and loves to read, write, paint and spend time with her family and friends.