Microsoft: Password Expiration Policies Are ‘Low Value’

Last week, the company encouraged doing away with such policies, arguing that when people are compelled to change their passwords regularly, they change them in predictable ways. Instead, Microsoft said, organizations should enforce a list of banned, commonly guessed passwords and use multifactor authentication, a secondary means of verifying a user’s identity. The company made its case in a draft of its latest security baseline for Windows 10 version 1903 and Windows Server version 1903; these security baseline guides compile recommended settings for organizations. Microsoft hasn’t commercially released version 1903 of Windows 10 or Windows Server yet, but they may reach the “targeted” channel-release stage sometime in late May.

Password Protection and Multifactor Authentication

“Recent scientific research calls into question the value of many long-standing password-security practices such as password expiration policies and points instead to better alternatives such as enforcing banned-password lists (a great example being Azure AD password protection) and multifactor authentication,” stated Aaron Margosis, a principal consultant with Microsoft’s Global Cybersecurity Practice, in the announcement of the draft. Microsoft had outlined a similar position last year, when it also recommended that passwords be set never to expire. Organizations should also have a way to ban commonly guessed passwords, but Microsoft argued against requiring long passwords. Moreover, Microsoft contended that organizations shouldn’t require extended characters in passwords.
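The banned-password-list check that Margosis cites as the better alternative, shown as an added illustration (this is not Microsoft’s or Azure AD password protection’s code): common character substitutions are normalized away, each banned term is credited only once, and a minimum residual score is required. The substitution table, the sample banned list and the 5-point threshold are assumptions constructed for this example.

```python
"""Illustrative banned-password scorer (added example, not Microsoft's code)."""
from typing import List, Tuple

# Constructed: substitutions users commonly apply to slip past naive filters.
SUBSTITUTIONS = str.maketrans({"@": "a", "0": "o", "1": "l", "$": "s", "3": "e", "!": "i"})

# Constructed sample list; a real deployment would use a larger, curated one.
BANNED_TERMS = ["password", "contoso", "welcome", "qwerty", "letmein"]

# Constructed threshold: a password needs at least this many points to pass.
MIN_SCORE = 5


def normalize(password: str) -> str:
    """Lower-case the password and undo leet-style substitutions."""
    return password.lower().translate(SUBSTITUTIONS)


def find_banned_terms(normalized: str, banned=BANNED_TERMS) -> Tuple[List[str], int]:
    """Return the banned terms found and how many characters they cover.

    Longest terms are matched first, and a term is only counted when it does
    not overlap an already-covered region, so repeated or nested terms are
    never double counted.
    """
    covered = [False] * len(normalized)
    found = []
    for term in sorted(banned, key=len, reverse=True):
        start = 0
        while (idx := normalized.find(term, start)) >= 0:
            if not any(covered[idx:idx + len(term)]):
                found.append(term)
                for i in range(idx, idx + len(term)):
                    covered[i] = True
            start = idx + 1
    return found, sum(covered)


def score_password(password: str, banned=BANNED_TERMS) -> Tuple[int, List[str]]:
    """One point per banned term found, one point per character not covered by one."""
    norm = normalize(password)
    found, covered_chars = find_banned_terms(norm, banned)
    return len(found) + (len(norm) - covered_chars), found


def is_allowed(password: str, banned=BANNED_TERMS) -> bool:
    """Reject passwords that are little more than banned terms plus a few characters."""
    score, _ = score_password(password, banned)
    return score >= MIN_SCORE
```

Note that a scorer like this only blocks the guessable part of the problem; Margosis pairs it with multifactor authentication precisely because a valid but unbanned password can still be captured.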


Microsoft’s security baseline recommendations are minimal recommendations for most enterprises using Windows, and they map to the Group Policy settings that exist within Windows. Consequently, advice to use external solutions — such as Azure Active Directory password protection and multifactor authentication, which rely on Microsoft’s cloud-based services — is beyond the baseline’s scope, Margosis explained. Microsoft thinks that enforcing periodic password expiration would not be very effective, so it’s not planning to include that advice in its security baseline documentation, according to Margosis:
Periodic password expiration is an ancient and obsolete mitigation of very low value, and we don’t believe it’s worthwhile for our baseline to enforce any specific matter.

By removing it from our baseline rather than recommending a particular value or no expiration, organizations can choose whatever best suits their perceived needs without contradicting our guidance. At the same time, we must reiterate that we strongly recommend additional protections even though they cannot be expressed in our baselines.

If Microsoft were to stick with recommending periodic password changes, organizations might get “dinged in an audit” without gaining any true security protection, Margosis added. Microsoft’s position against periodic password changes likely contradicts current IT practice. In a comment on Microsoft’s announcement, a reader stated that requiring frequent password changes “helps mitigate the real risk that a user password captured or breached at a particular time is not still valid an indefinite time later.” In reply, Margosis commented that organizations can still require periodic password changes, but doing so won’t be part of Microsoft’s baseline recommendations.

Other New Security Policies

The new security baseline recommendations also usher in a few added policies. For instance, there will be a new “Enable svchost.exe mitigation options” policy for Windows 10 version 1903 and Windows Server version 1903. It will enforce that all binaries loaded by svchost.exe are signed by Microsoft, and it will disallow “dynamically generated code.” IT pros should make sure that this policy doesn’t cause conflicts with “third-party code” and “third-party smart-card plugins,” Margosis warned. Microsoft also is removing its past recommendation to use the strongest encryption option on BitLocker-encrypted drives, arguing that BitLocker’s 128-bit encryption is unlikely to be broken. Microsoft also proposes to drop its past security baseline recommendation that the built-in Administrator and Guest accounts be disabled; enabling them should simply remain an option, Microsoft argued.

Johnny J. Hernandez
I write about new gadgets and technology. I love trying out new tech products. And if it's good enough, I'll review it here. I'm a techie. I've been writing since 2004. I started back in 2012.