This change from Microsoft highlights the need for organizations to readdress the user-based insecurity of passwords caused by password expirations.
One of the focuses of Windows 10 was to improve its security overall. But one aspect even the most security OS can’t fix is a user that doesn’t see security as being important. The result? Well, take password expiration as an example.
Microsoft has long-held that passwords should expire after a set number of days to minimize the duration a compromised credential is useful for. But when that expiration happens, according to Microsoft “when humans are forced to change their passwords, too often they’ll make a small and predictable alteration to their existing passwords, and/or forget their new passwords.”
In short, the password is either insecure, or too complex to be remembered. So, with Microsoft’s latest
Security Baseline for Windows 10, they’ve chosen to remove the policy requirement that password must expire. This has no impact on their stance on password length, history, or complexity – only around making that password expire.
Users that have a security-centric mindset through
Security Awareness Training are aware of the role their passwords play in an attack and the need for them to be sufficiently secure (where a longer password can be far more secure than a short-yet-complex one). Organizations seeking to leverage users as part of their security stance should look to follow Microsoft’s latest guidance, which includes the following:
- Banned Password Lists – stopping users from using “12345678” and “Password1” is a great start. Enforcement of banned passwords keeps users from using known “bad” passwords.
- Multi-Factor Authentication – MFA is a must these days for literally every user within the organization. Even the mailroom clerk who only has access to email and a few shipping applications can be leveraged as an asset during an attack to spread malware throughout the organization via internal email.
Use of these two alternative controls will help offset the potential increased security risk found by no longer mandating that users change their passwords. Instead, educating users on the importance of good password self-hygiene, length, and complexity can have a more positive impact on security than password expiration – something Microsoft calls “an ancient and obsolete mitigation of very low value.”
Find out how affordable new-school security awareness training is for your organization. Get a quote now.