Expiring passwords

May 2, 2019

Two years ago, I wrote a blog post about data security myths, in particular the myth that frequently changing passwords is good.


It seems Microsoft was paying attention to the NIST guidance. 


In a recent blog post on the security baseline for Windows 10, Microsoft dropped the "password-expiration policies that require periodic password changes". Microsoft explained that expiring passwords "is a defense only against the probability that a password (or hash) will be stolen" and that if a password "is never stolen, there's no need to expire it". Expiring a password that hasn't been stolen adds problems without any benefit: forgetting your password, writing it down where others can find it, or using simple derivative passwords. "Periodic password expiration is an ancient and obsolete mitigation of very low value."
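The setting Microsoft removed from the baseline is the "maximum password age" in the account policy. The following PowerShell is an added example, not code from the original post or from Microsoft: it reads the current default domain password policy, reports whether passwords are set to expire, and previews (with -WhatIf, so nothing is changed) the move from a periodic-expiration value to no expiration. It assumes the ActiveDirectory module (RSAT) is installed and the caller has rights to read the default domain policy; the 60-day "before" value is constructed for illustration, and the use of a zero MaxPasswordAge to mean "never expires" is an assumption about the cmdlet's semantics.

```powershell
# Added example (not from the original post or from Microsoft).
# Assumes the ActiveDirectory module is available and that a zero
# MaxPasswordAge means "passwords never expire" (assumption).
Import-Module ActiveDirectory

function Get-PasswordExpirationState {
    # Read the default domain password policy and summarise the expiration setting.
    $policy = Get-ADDefaultDomainPasswordPolicy
    [pscustomobject]@{
        Domain             = $policy.DistinguishedName
        MaxPasswordAgeDays = $policy.MaxPasswordAge.TotalDays
        PasswordsExpire    = $policy.MaxPasswordAge -ne [TimeSpan]::Zero
    }
}

# Current state: does the domain still force periodic password changes?
Get-PasswordExpirationState | Format-List

$domainDn = (Get-ADDomain).DistinguishedName

# "Before": the common periodic-expiration setting (60 days is a constructed value).
# -WhatIf only previews the change; remove it to actually apply the policy.
Set-ADDefaultDomainPasswordPolicy -Identity $domainDn `
    -MaxPasswordAge (New-TimeSpan -Days 60) -WhatIf

# "After": no expiration, matching the baseline that dropped the policy.
Set-ADDefaultDomainPasswordPolicy -Identity $domainDn `
    -MaxPasswordAge ([TimeSpan]::Zero) -WhatIf
```

On a standalone Windows 10 machine without a domain, the equivalent local setting is shown by `net accounts` (the "Maximum password age" line) and the same check applies: a value other than "Unlimited" means the machine still expires passwords that were never stolen.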


Photo by Marcelo Leal on Unsplash.
