Password1, Password2, Password3 No More: Microsoft Drops Password Expiration Rec

from ars technica

For many years, Microsoft has published a security baseline configuration: a set of system policies that are a reasonable default for a typical organization. This configuration may be sufficient for some companies, and it represents a good starting point for those organizations that need something stricter. While most of the settings have been unproblematic, one particular decision has long drawn the ire of end users and helpdesks alike: a 60-day password expiration policy that forces a password change every two months. That is no longer the case: the latest draft of the baseline configuration for Windows 10 version 1903 and Windows Server version 1903 drops this tedious requirement.

The rationale for the previous policy is that it limits the impact a stolen password can have—a stolen password will automatically become invalid after, at most, 60 days. In reality, however, password expiration tends to make systems less safe, not more, because computer users don’t like picking or remembering new passwords. Instead, they’ll do something like pick a simple password and then increment a number on the end of the password, making it easy to “generate” a new password whenever they’re forced to.
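The failure mode described above (a stable base with a bumped counter on the end) is something a password-change check can look for directly. The following is an added example, not code from the Ars Technica article or from Microsoft's baseline: it splits a candidate password into a base and a trailing digit/symbol suffix, rejects a change that keeps the previous base, and, going one step beyond the text, also rejects near-miss edits such as swapping one character. All passwords in it are constructed sample values; the function names and the `max_edits` threshold are this example's own choices.

```python
import re
from typing import Iterable, Optional, Tuple

# A trailing run of digits/punctuation is what users bump at each forced rotation
# ("Password1" -> "Password2", "Bluedog" -> "Bluedog2016"). Class chosen for this example.
_SUFFIX = re.compile(r"^(.*?)([0-9!@#$%^&*._?-]*)$")


def split_suffix(password: str) -> Tuple[str, str]:
    """Split a password into its stable base and its trailing counter/symbol run."""
    base, suffix = _SUFFIX.match(password).groups()
    if not base:  # all-digit or all-symbol password: nothing meaningful to strip
        return password, ""
    return base, suffix


def is_trivial_rotation(old: str, new: str) -> bool:
    """True when `new` keeps `old`'s base and only the trailing counter changed."""
    old_base, _ = split_suffix(old)
    new_base, _ = split_suffix(new)
    return old_base.casefold() == new_base.casefold()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character tweaks such as o -> 0."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_new_password(new: str, history: Iterable[str], max_edits: int = 2) -> Optional[str]:
    """Return a rejection reason, or None when `new` is acceptably different from
    every password in `history` (most recent first). Reasons never echo old passwords."""
    for old in history:
        if new == old:
            return "reuses a previous password"
        if is_trivial_rotation(old, new):
            return "only the trailing counter changed"
        if edit_distance(old.casefold(), new.casefold()) <= max_edits:
            return f"within {max_edits} edits of a previous password"
    return None


if __name__ == "__main__":
    # Constructed sample history for a user who has been incrementing for two cycles.
    history = ["Password2", "Password1"]
    for candidate in ["Password3", "Passw0rd!", "correct horse battery staple"]:
        verdict = check_new_password(candidate, history)
        print(f"{candidate!r}: {'rejected: ' + verdict if verdict else 'accepted'}")
```

In a real deployment the history would be compared against stored hashes rather than plaintext; this check only works at change time, when the old password is still available in memory, which is exactly where Windows password-filter DLLs and similar hooks run.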

More here.


2 Responses to Password1, Password2, Password3 No More: Microsoft Drops Password Expiration Rec

  1. Alexander Dornbierer May 2, 2019 at 2:49 pm #

    This school year, the email that I most dreaded was the email from the service desk discussing my PirateNet password. Attention, your PirateNet password will expire in 14 days, 13 days, 12 days, and counting down until you finally change it. The PirateNet password is your wifi password, computer password, and how to sign into many of the excellent web services the university offers to us. The article discusses how Microsoft is dropping the requirement of changing your password every 60 days to protect your password from being stolen, and if it was, the thief would lose access to the account due to the password changing. That system worked in the early conception of the Microsoft services because tracking passwords was slow, and people weren’t sitting in their parents’ basements hacking into everything. But today, the changing password requirement is more of a hindrance than an advantage. Nowadays, people will just use a singular word with a different pattern of numbers. This is actually easier to hack into or break into than a complex password that people choose when they don’t have to constantly change their password. By allowing and promoting users to use more complex passwords, sites would actually be providing their consumers with a more secure network and website. Back in high school my computer teacher brought the entire school into the auditorium and discussed the importance of password security. He gave us tips on how to create a successful and secure password for all websites. Coming up with a special algorithm for the different websites is what you need to do. Keep a phrase but use a special algorithm to decide the first five letters and digits as well as the last five digits and letters. Password security is important in network and financial security.
    A hacker could find the password to your bank accounts and make major financial transactions, or hack into your Microsoft account and make major purchases, delete important files, and/or view personal files.

  2. Juan Gonzalez June 1, 2019 at 1:28 pm #

    I have been using simple passwords similar to Password1 my entire life simply because it was more convenient for me when it came down to updating or resetting my password. I can chalk it up to being naive or ignorant enough to believe that no one would bother to hack into my emails, social media, or even bank accounts. Man, was I wrong! I have recently been a victim of identity theft and fraud. I have had numerous unknown bank accounts, mortgages, and other loans taken out under my name and social security number. The conclusion as to how the perpetrator acquired this detailed and personal information was through my various online accounts. My Yahoo email account, which was created by a 16-year-old boy, was hacked into because it had a simple password that was never updated. They then gained access to every other account ever opened in my name thereafter simply because the alteration to the root password was the current year. For example, if my password for my Yahoo account was “Bluedog”, my social media account would have been “Bluedog2016”, the next “Bluedog2017”, etc. I have gone through a great deal of stress and credit issues because of this incident. One that could have quite frankly been avoided if I had not been lazy.
    Because advancements in technology are experiencing exponential growth at an astonishing rate, it is imperative that we limit the impact a stolen password can have. There was one course I enrolled in throughout my college career, Management Information Systems, that gave me perspective on how to effectively protect your online accounts to prevent cybercriminals from gaining access to your personal information. As the article “Password1, Password2, Password3 no more: Microsoft drops password expiration rec” written by Peter Bright mentions, one of the best preventative measures one can take is to “choose a long password and, ideally, multifactor authentication, supplementing the password with a time-based code or something similar.” The underlying issue I’ve found from taking the advice of my MIS professor, which is reiterated within this article, is where to store the various multi-character passwords for each online account. At this point in time, I would like to open up a discussion to anyone interested in giving their opinion or advice. Other than having each passcode written down, which in my opinion still carries the risk of being stolen, how would you effectively store the unique passwords to each of your online accounts?
