IT-DRAFTS
May 22, 2025

Scheduled Password Changes Are an Outdated Practice

Hi all, and have a nice time. Today we are talking about passwords (ready?). Let’s think!

• In most companies and IT systems, mandatory periodic password changes are a common rule. At my company, passwords must be changed every three months. Do you think this approach is correct? After all, this practice causes a lot of inconvenience for regular employees, and users simply add (or change) a number at the end of their password each time.

• In May 2019, even Microsoft removed the requirement for periodic password changes from its security baseline for the client and server versions of Windows 10. You can read about it here: Microsoft TechNet Blog

“Dropping the password-expiration policies that require periodic password changes.”

• In practice, mandatory password changes are now an officially outdated practice: security audits that follow Microsoft’s baseline guidance for basic Windows protection no longer check for this requirement.

• Microsoft also explains why they abandoned the mandatory password change rule:

“Periodic password expiration is only effective against the likelihood that a password (or hash) will be stolen during its validity period and used by an unauthorized party. If a password is never stolen, there’s no need to change it. And if you have evidence that a password has been stolen, you’d obviously want to act immediately rather than wait for expiration to mitigate the issue.”

“If a password is likely to be stolen, how many days are an acceptable period for a thief to use that stolen password? The default is 42 days. Doesn’t that seem like an absurdly long time? Indeed, it is—and yet our current baseline was set at 60 days (previously 90 days) because forcing frequent expiration introduces its own problems. And if the password isn’t likely to be stolen, you’re stuck with these problems for no benefit. Besides, if your users would trade their password for a candy bar, no password expiration policy will help.”

Microsoft’s security baselines are intended for well-managed, security-conscious enterprises. They also serve as guidance for auditors. If such an organization has implemented banned password lists, multi-factor authentication (MFA), brute-force attack detection, and abnormal login monitoring, is periodic password expiration still necessary? And if they haven’t adopted modern protections, will password expiration even help?

• Microsoft’s logic is convincing, right? In the end, we’re left with two scenarios: either a company has implemented modern security measures, or it hasn’t…

• In the first case, periodic password changes provide no additional benefit. In the second case, they’re useless.

• Thus, instead of password expiration, the primary focus should be on multi-factor authentication. Additional protective measures include banned password lists, brute-force detection, and monitoring for abnormal login attempts.
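To make the three additional controls concrete, here is an added example (my own illustration, not code from the IT-DRAFTS post or from Microsoft) that runs them over constructed sample data: a banned-password check that also catches the “old password plus a new trailing digit” habit described above, a sliding-window brute-force detector over failed logons, and a new-network check for successful logons. The banned list, the thresholds, the `/24`-style network rule, the log format and every log line are assumptions made for this example.

```python
"""
Added example (not from the IT-DRAFTS post or from Microsoft): three controls the
post recommends in place of password expiration, run over constructed data.
  1. banned-password check that also catches "previous password + new digit"
  2. brute-force detection: N failed logons from one (user, ip) inside a window
  3. abnormal-login flag: a successful logon from a network the user never used
Thresholds, banned words, log format and log lines are all assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Set, Tuple

# Assumed banned list; a real one would be far larger (and usually a service).
BANNED_PASSWORDS = {"password", "welcome", "summer", "qwerty", "letmein", "companyname"}
FAILED_THRESHOLD = 5              # assumed: 5 failures ...
WINDOW = timedelta(minutes=10)    # ... within 10 minutes = brute force

def normalize(pw: str) -> str:
    # Lower-case and strip trailing digits/symbols: "Summer2024!" -> "summer",
    # so the banned list and the reuse check see the part people actually keep.
    return pw.lower().rstrip("0123456789!@#$%^&*._-")

def is_banned(candidate: str, previous: Optional[str] = None) -> Tuple[bool, str]:
    """Reject banned base words and trivial rotations of the previous password."""
    base = normalize(candidate)
    if base in BANNED_PASSWORDS:
        return True, f"base word '{base}' is on the banned list"
    if previous is not None and normalize(previous) == base:
        return True, "only the trailing digits/symbols changed from the previous password"
    return False, "ok"

# Constructed log: "<iso timestamp> <user> <source ip> <SUCCESS|FAIL>".
SAMPLE_LOG = """\
2025-05-22T08:00:01 alice 10.1.1.25 SUCCESS
2025-05-22T08:01:10 bob 203.0.113.7 FAIL
2025-05-22T08:01:12 bob 203.0.113.7 FAIL
2025-05-22T08:01:15 bob 203.0.113.7 FAIL
2025-05-22T08:01:17 bob 203.0.113.7 FAIL
2025-05-22T08:01:20 bob 203.0.113.7 FAIL
2025-05-22T08:01:22 bob 203.0.113.7 SUCCESS
2025-05-22T08:30:00 alice 10.1.1.25 SUCCESS
"""
# Assumed per-user "normal" networks (first three octets), e.g. learned from history.
KNOWN_NETWORKS: Dict[str, Set[str]] = {"alice": {"10.1.1"}, "bob": {"10.1.2"}}

Event = Tuple[datetime, str, str, str]

def parse_log(text: str) -> List[Event]:
    events = []
    for line in text.splitlines():
        ts, user, ip, outcome = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, outcome))
    return events

def detect_brute_force(events: List[Event]) -> Set[Tuple[str, str]]:
    """(user, ip) pairs with >= FAILED_THRESHOLD failures inside a sliding WINDOW."""
    recent: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)
    flagged: Set[Tuple[str, str]] = set()
    for ts, user, ip, outcome in sorted(events, key=lambda e: e[0]):
        if outcome != "FAIL":
            continue
        q = recent[(user, ip)]
        q.append(ts)
        while q and ts - q[0] > WINDOW:   # drop failures older than the window
            q.popleft()
        if len(q) >= FAILED_THRESHOLD:
            flagged.add((user, ip))
    return flagged

def detect_abnormal_logins(events: List[Event], known: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Successful logons from a network the user has not been seen on before."""
    seen = {u: set(nets) for u, nets in known.items()}   # copy: do not mutate input
    alerts = []
    for ts, user, ip, outcome in sorted(events, key=lambda e: e[0]):
        if outcome != "SUCCESS":
            continue
        net = ".".join(ip.split(".")[:3])
        if net not in seen.setdefault(user, set()):
            alerts.append((user, ip))
            seen[user].add(net)   # assumption: alert once, then treat as known
    return alerts

def run_report() -> Dict[str, object]:
    events = parse_log(SAMPLE_LOG)
    return {
        "banned_examples": {
            "Summer2024!": is_banned("Summer2024!"),
            "Correct-Horse-42 after Correct-Horse-41": is_banned("Correct-Horse-42", "Correct-Horse-41"),
        },
        "brute_force": detect_brute_force(events),
        "abnormal_logins": detect_abnormal_logins(events, KNOWN_NETWORKS),
    }

if __name__ == "__main__":
    for name, value in run_report().items():
        print(f"{name}: {value}")
```

In the sample, `bob` is flagged twice: five failures in ten seconds trip the brute-force rule, and the success that follows comes from a network he has never used, so it is also an abnormal login. Neither signal depends on how old his password is, which is the post’s point: the controls that actually notice a stolen credential are the ones worth investing in.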

“Periodic password expiration is an ancient and obsolete mitigation, and we don’t believe it’s worth enforcing any specific value in our baseline. By removing it, organizations can choose what best suits their needs without conflicting with our recommendations.”

• Based on all of the above, we can conclude that forcing periodic password changes actually makes a company a more attractive target for attacks.


Alex
