Skip to content
Search
  • There are no suggestions because the search field is empty.
Cancel
Get Started Now

    Security Awareness Training Blog

    Microsoft Kills Password Expiration Policy Recommendation with Latest Security Baseline for Windows 10

    password-mfa-biometricsThis change from Microsoft highlights the need for organizations to readdress the user-based insecurity of passwords caused by password expirations.
     
    One of the focuses of Windows 10 was to improve its security overall. But one aspect even the most security OS can’t fix is a user that doesn’t see security as being important. The result? Well, take password expiration as an example.
     
    Microsoft has long-held that passwords should expire after a set number of days to minimize the duration a compromised credential is useful for. But when that expiration happens, according to Microsoft “when humans are forced to change their passwords, too often they’ll make a small and predictable alteration to their existing passwords, and/or forget their new passwords.”
     
    In short, the password is either insecure, or too complex to be remembered. So, with Microsoft’s latest Security Baseline for Windows 10, they’ve chosen to remove the policy requirement that password must expire. This has no impact on their stance on password length, history, or complexity – only around making that password expire.
     
    Users that have a security-centric mindset through Security Awareness Training are aware of the role their passwords play in an attack and the need for them to be sufficiently secure (where a longer password can be far more secure than a short-yet-complex one). Organizations seeking to leverage users as part of their security stance should look to follow Microsoft’s latest guidance, which includes the following:
    • Banned Password Lists – stopping users from using “12345678” and “Password1” is a great start. Enforcement of banned passwords keeps users from using known “bad” passwords.
    • Multi-Factor Authentication – MFA is a must these days for literally every user within the organization. Even the mailroom clerk who only has access to email and a few shipping applications can be leveraged as an asset during an attack to spread malware throughout the organization via internal email.

    Use of these two alternative controls will help offset the potential increased security risk found by no longer mandating that users change their passwords. Instead, educating users on the importance of good password self-hygiene, length, and complexity can have a more positive impact on security than password expiration – something Microsoft calls “an ancient and obsolete mitigation of very low value.”

    Find out how affordable new-school security awareness training is for your organization. Get a quote now.

     
    Get A Quote
    Request A Demo
     

     

    Return To KnowBe4 Security Blog

    Topics: Security Awareness Training, Password Security

    Stu Sjouwerman

    ABOUT STU SJOUWERMAN

    Stu Sjouwerman (pronounced “shower-man”) is the founder and CEO of KnowBe4, Inc., which hosts the world’s most popular integrated security awareness training and simulated phishing platform, with over 54,000 organization customers and more than 50 million users. A serial entrepreneur and data security expert with 30 years in the IT industry, Stu was the co-founder of Inc. 500 company Sunbelt Software, a multiple award-winning anti-malware software company that was acquired in 2010.

    Read more from Stu »

    Subscribe to Our Blog


    Security Awareness Training
    Blog RSS Feed
    Comprehensive Anti-Phishing Guide
    All Posts

    Posts by Tag

    See all

    Posts By Topic

    View All

    Get the latest about social engineering

    Subscribe to CyberheistNews