Microsoft realises password expiration is poor security - They are not the first to realise this, but I wish the myth of mandatory password expiry would just die

Thinking of a secure password is hard, so demanding a user change it every 60 days fills many with dread and leads to weaker security. Microsoft has realized this and decided to remove default password expiry as a security baseline feature in Windows 10.

Microsoft explains in its latest draft security baseline for Windows that, "When humans are forced to change their passwords, too often they'll make a small and predictable alteration to their existing passwords, and/or forget their new passwords ... Periodic password expiration is a defense only against the probability that a password (or hash) will be stolen during its validity interval and will be used by an unauthorized entity. If a password is never stolen, there's no need to expire it."

Microsoft also points out that if a password is stolen, the thief has up to 60 days to use it based on this expiration policy, which is ample time to gain entry to a system and cause chaos. So on every level, password expiration simply doesn't work, which is why it's disappearing.
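An added check, not part of the post: a PowerShell audit that reports whether a rotation interval like the 60-day one described above is still enforced. It assumes the RSAT ActiveDirectory module on domain-joined hosts and the English output format of `net accounts` elsewhere.

```powershell
# Added example (not from the post): report whether password expiry is still enforced.
# Assumes RSAT's ActiveDirectory module on a domain-joined host; otherwise falls back
# to the local SAM policy via "net accounts" (English output format assumed).

function Get-PasswordExpiryReport {
    $rows = @()
    if (Get-Module -ListAvailable -Name ActiveDirectory) {
        Import-Module ActiveDirectory
        # Default domain policy: MaxPasswordAge is a TimeSpan; zero means "never expires".
        $def = Get-ADDefaultDomainPasswordPolicy
        $rows += [pscustomobject]@{ Scope = 'Default domain policy'; MaxAgeDays = $def.MaxPasswordAge.TotalDays }
        # Fine-grained password policies can quietly re-introduce expiry for specific groups.
        foreach ($p in Get-ADFineGrainedPasswordPolicy -Filter *) {
            $rows += [pscustomobject]@{ Scope = "FGPP: $($p.Name)"; MaxAgeDays = $p.MaxPasswordAge.TotalDays }
        }
    } else {
        # Local policy line looks like "Maximum password age (days): 42" or "... Unlimited".
        $line  = (net accounts) | Where-Object { $_ -match 'Maximum password age' }
        $value = ($line -split ':\s*')[-1].Trim()
        $days  = if ($value -match '^\d+$') { [int]$value } else { 0 }
        $rows += [pscustomobject]@{ Scope = 'Local policy'; MaxAgeDays = $days }
    }
    # Flag every scope that still forces periodic rotation.
    $rows | ForEach-Object {
        $_ | Add-Member -NotePropertyName ForcesExpiry -NotePropertyValue ($_.MaxAgeDays -gt 0) -PassThru
    }
}

Get-PasswordExpiryReport | Format-Table -AutoSize

# Removing the expiry (run by an administrator):
#   stand-alone host:  net accounts /maxpwage:unlimited
#   domain default:    Set-ADDefaultDomainPasswordPolicy -Identity <domain DN> -MaxPasswordAge ([TimeSpan]::Zero)
```

Any row with ForcesExpiry set to True is a scope where the policy this post argues against is still active.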

Yes, a chosen password should meet minimum requirements to be considered secure. We can already see that inconveniencing users means they are generally finding ways around this requirement, which itself weakens security. So why does this myth still persist? If you are still in doubt, look up Bill Burr, the man who helped propose the password standards; he has since apologised for some of the requirements, including password expiry. He was no expert on security and put together standards that made sense to him at the time. Yet they still persist today.

See mashable.com/article/microsoft…

#passwords #Security


source https://squeet.me/display/962c3e10-375c-c34b-462c-c05433085070
