Password1, Password2, Password3 No More: Microsoft Drops Password Expiration Rec

from ars technica

For many years, Microsoft has published a security baseline configuration: a set of system policies that are a reasonable default for a typical organization. This configuration may be sufficient for some companies, and it represents a good starting point for those corporations that need something stricter. While most of the settings have been unproblematic, one particular decision has long drawn the ire of end-users and helpdesks alike: a 60-day password expiration policy that forces a password change every two months. That reality is no longer: the latest draft for the baseline configuration for Windows 10 version 1903 and Windows Server version 1903 drops this tedious requirement.

The rationale for the previous policy is that it limits the impact a stolen password can have—a stolen password will automatically become invalid after, at most, 60 days. In reality, however, password expiration tends to make systems less safe, not more, because computer users don’t like picking or remembering new passwords. Instead, they’ll do something like pick a simple password and then increment a number on the end of the password, making it easy to “generate” a new password whenever they’re forced to.

More here.



  1. This school year at school, the email that I most dreaded was the email from the service desk discussing my PirateNet password. Attention, your PirateNet password will expire in 14 days, 13 days, 12 days, and counting down until you finally change it. The PirateNet password is your wifi password, computer password, and how you sign into many of the excellent web services the university offers to us. The article discusses how Microsoft is dropping the requirement of changing your password every 60 days to protect your password from being stolen, and if it was stolen, the thief would lose access to the account due to the password changing. That system worked in the early conception of the Microsoft services because tracking passwords was slow, and people weren’t sitting in their parents’ basements hacking into everything. But today, the changing password requirement is more of a hindrance than an advantage. Nowadays, people will just use a singular word with a different pattern of numbers. This is actually easier to hack into or break into than a complex password that people choose when they don’t have to constantly change their password. By allowing and promoting users to use more complex passwords, sites would actually be providing their consumers with a more secure network and website. Back in high school my computer teacher brought the entire school into the auditorium and discussed the importance of password security. He gave us tips on how to create a successful and secure password for all websites. Coming up with a special algorithm for the different websites is what you need to do. Keep a phrase but use a special algorithm to decide the first five letters and digits as well as the last 5 digits and letters. Password security is important in network and financial security. A hacker could find the password to your bank accounts and make major financial transactions, or hack into your Microsoft account and make major purchases, delete important files, and/or view personal files.

  2. I have been using simple passwords similar to Password1 my entire life simply because it was more convenient for me when it came down to updating or resetting my password. I can chalk it up to being naive or ignorant enough to believe that no one would bother to hack into my emails, social media, or even bank accounts. Man, was I wrong! I have recently been a victim of identity theft and fraud. I have had numerous unknown bank accounts, mortgages, and other loans taken out under my name and social security number. The conclusion as to how the perpetrator acquired this detailed and personal information was through my various online accounts. My Yahoo email account, which was created by a 16-year-old boy, was hacked into because it had a simple password that was never updated. They then gained access to every other account ever opened in my name thereafter simply because the alteration to the root password was the current year. For example, if my password for my Yahoo account was “Bluedog”, my social media account would have been “Bluedog2016”, the next “Bluedog2017”, etc. I have gone through a great deal of stress and credit issues because of this incident. One that could have quite frankly been avoided if I had not been lazy.
    Because advancements in technology are experiencing exponential growth at an astonishing rate, it is imperative that we limit the impact a stolen password can have. There was one course I enrolled in throughout my college career, Management Information Systems, that gave me perspective on how to effectively protect your online accounts to prevent cybercriminals from gaining access to your personal information. As the article “Password1, Password2, Password3 no more: Microsoft drops password expiration rec” written by Peter Bright mentions, one of the best preventative measures one can take is to “choose a long password and, ideally, multifactor authentication, supplementing the password with a time-based code or something similar.” The underlying issue I’ve found from taking the advice of my MIS professor, which is reiterated within this article, is where to store the various multi-character passwords for each online account. At this point in time, I would like to open up a discussion to anyone interested in giving their opinion or advice. Other than having each passcode written down, which in my opinion still carries the risk of being stolen, how would you effectively store the unique passwords to each of your online accounts?

  3. I am guilty of contributing to the lack of safety that the 60-day password expiration system has. I am in no mood to ever want to re-memorize a new password and therefore I choose the same base or a near-identical base to the last password and just change some things up. But it is this laziness that creates the ineffective nature of the expiring password because hackers would be able to assume what the new password may be depending on what they obtained before the password change. In the past when systems were much harder to hack and access, this 60-day password expiration worked very well. Since our technology has greatly improved since then, we need to improve the ways that we treat our passwords. And this includes taking away the 60-day password expiration since it is practically inefficient in our advanced technological age.

    In my opinion, I believe that with the proper use of a password expiration this still could have been a successful safety precaution. The only reason why it failed in today’s technological age is that the people who use Microsoft are lazy and choose to not want to create a completely different password each time they were asked to. It is human error that has affected the benefit that this system used to give to its users. I do believe that the password expiration should be an option rather than a requirement. My reasoning for this is because not everyone is capable of changing their password every 60 days and not everyone is willing to try it either. If it is given as an option, then the benefit of this system will be regained because those who genuinely want to change their password will do as they please. While those who have no interest in changing their password will ignore this setting and will continue with using the same password as beforehand.

    Understanding the lack of benefits that the expiring password has for its users, why does Seton Hall continue to force it on their students? The only way this system would work is if the newly generated password is completely different from the previous one. But knowing how college students work, we are lazy and choose to focus our energy on other things rather than generating a new password and having to memorize it. I create similar passwords that nearly bounce off the last password. Yes, they are different, but at the same time, my password beforehand was just as well-created as the new password. But my concern stems from the fact that I have 6 more semesters left and there are only so many passwords that one individual could create. And reusing similar passwords is not as beneficial to the individual as one well-written password. Therefore, I believe that rather than trying to change my password every 60 days I would rather set one very good password that has a lot of characters as well as an intricate pattern to it that would prevent people from easily guessing it. If Seton Hall is worried about students keeping their passwords to themselves, that should be on them. We are all considered adults and should be able to monitor our own devices and not share such important data. By telling someone your password, at that point it was your choice to give full access to your computer to someone else, and if you are hacked or have computer issues that should be on that individual. Once a very well-created password is created, if kept hidden from other people, it should be very successful in keeping one’s contents private. Therefore, to not inconvenience those with a very well-created password I believe that it should be an option to have a password expiration. This would benefit those who want to keep their old password as well as those who enjoy changing their password over time.

  4. I understand the security benefits of the password expiration; however, it can become really irritating after a while. I think a lot of people have a couple of specific passwords they always resort to, so if they are prompted to create a new one every sixty days, eventually they are going to wind up forgetting. In my opinion, it would be easier to just be able to change a password that was hacked instead of continuously changing the password. Prevention from hackers makes life more difficult for consumers. In the original implementation of this practice, hackers would only be able to use a stolen password within sixty days. Why can’t that number go down further, like when credit cards are stolen? In that case, the password would be shut down with one phone call and no one would be able to use it again. Yes, you would still have to change it just in case, but the threat of a hacker would no longer be present.

    In my experience with Seton Hall’s OKTA app, my friends and I are prompted every few months to change our passwords. There have been many times when I forgot my password and had to go through the long process of authentication. In this case, I do not really see the purpose of changing our password that often. Who is hacking into my Blackboard page? Are they going to submit my work for me? It does not make sense.

    It poses the question for other companies, not just Microsoft: should the “guest account” or “guest checkout” options still be available? A guest checkout, for example, I believe is actually better than having an account because, while yes it is nice to receive coupons from stores if you subscribe to them, the website you are buying from does not have access to any of your credentials – although they are most likely ad-tracking you, but that is a different conversation.
