Two years ago, I wrote a blog post about data security myths, in particular about how frequently changing passwords was good.
It seems Microsoft was paying attention to the NIST guidance.
In a recent blog post on the security baseline for Windows 10, Microsoft dropped the "password-expiration policies that require periodic password changes". Microsoft explained that expiring passwords "is a defense only against the probability that a password (or hash) will be stolen" and that if a password "is never stolen, there's no need to expire it". Expiring a password that hasn't been stolen adds problems without benefits such as forgetting your password, writing it down where others can find it, or using simple derivative passwords. "Periodic password expiration is an ancient and obsolete mitigation of very low value."
Photo by Marcelo Leal on Unsplash.