Your IT Consultant

Information Technology Blog
by John W. Simek, Vice President of Sensei Enterprises, Inc.

Microsoft Finally Agrees – Expiring Passwords is Dumb

April 25, 2019

Well, it took almost three years, but Microsoft finally changed its stance concerning expiring passwords. In June of 2017, NIST (National Institute of Standards and Technology) published new guidelines dealing with passwords. One of the recommendations is that passwords don’t need to be changed unless you know they have been compromised in a data breach. In other words, no more automatically expiring a password and requiring a new one. Engadget summarized a Microsoft blog post in which Microsoft finally agrees with the NIST recommendation.

“As the blog post explains, if a password is never stolen, there's no need to expire it. And if a password is suspected to be stolen, you would want to act immediately, not wait until the expiration date.” Microsoft is proposing to drop the password expiration policy in future releases of some products. Microsoft doesn't plan to change requirements for minimum password length, history or complexity.
