Posted On 22 May 2019
Passwords have a checkered history with users of computers and other technology. We all know they are vital for security, but recent studies have repeatedly shown that many of us use passwords so easy to guess that we might as well not have bothered.
To try to improve security, certain systems have a built-in requirement that users change their passwords from time to time, typically once every 30 or 60 days. However, Microsoft has now removed the requirement from the next major Windows 10 update, as research showed that it did not improve security.
It has been shown that if you make your users create lengthy and strong passwords, they’ll probably write them down, compromising security. If asked to change the password regularly, most will just make small changes that can be easily predicted. Frequently they won’t remember the changes they’ve made.
The idea of password expiration policies was to limit the amount of time a hacker had with a stolen password. However, once a password has been stolen, it should be changed instantly, not 30 or 60 days later, and if it hasn’t been stolen, why should users be asked to change the password in a way that makes it more likely to be compromised in future?
In the light of these considerations, Microsoft has taken the decision to remove the password expiration feature with effect from the new release of Windows 10 in May 2019. Other password policies will remain in place, for example minimum length and number/letter/symbol combination requirements, but this outdated policy has expired.