Microsoft Password Expiration Policy Set to Change

1 year ago

Microsoft announced in a recent blog post that they will be reconsidering their stance on password expiration policy for Windows users. For years Microsoft encouraged administrators to expire usersโ€™ passwords every few weeks. The initiative was thought to have made it harder for credentials to be stolen. However, Microsoft Principal Consultant Aaron Margosis identified foreseeable user issues when asked to frequently change passwords. Some of these issues are:

  1. User picked password can be easy to guess or predict.
  2. When users are asked to change credentials frequently, theyโ€™re more likely to make a small or predictable change alteration to their existing password. E.g. P@$$word1 becomes P@$$word2. In theory, this defeats the purpose of resetting the password periodically.
  3. Users will be inclined to write out their new password to remember it which could jeopardise their account.

Whilst Microsoft has dropped the expiration policy for Windows users, they still plan to keep their baseline requirements such as minimum password length, history, and complexity. Although the policy has been dropped, Microsoft still plans to have it as an option for organisations should they wish to keep it.

Ways to combat password issues

Margosis wrote that whilst they are removing the expiration policy, it does not necessarily mean that they are โ€œlowering security standardsโ€. Instead, Margosis proposes alternative security measures such as:

  • Banned password lists or complexity requirements to stop guessable or simple words from becoming a password.
  • Multifactor authentication to require multiple modes of authentication, not just a password. For example, the Office 365 Authenticator app requires you to approve or deny login requests from your phone before your login.
  • Reinforcing basic password policies such as minimum 14 character passwords that have a mix of upper and lower case letters, numbers and special characters.

Microsoft has pioneered the abandonment of frequent expiration. They uphold that with other security baselines in place, the removal of this policy wonโ€™t jeopardise your credentials.

Chat to us about business security today on 1300 300 293

Letโ€™s get started

Get in touch today and speak with one of our friendly staff. We will take the time to assess your business requirements and provide an obligation-free quote.ย 

Facebook
Twitter
LinkedIn

CORE

All the essentials
$ 69 Monthly
  • 3 Hours Remote Support
  • Support Hours 8am - 5.30pm M-F
  • Best Effort Response Times
  • Staff Onboarding + Offboarding
  • Microsoft 365 Administration
  • Cyber Security Awareness Training
  • EDR/Antivirus - Endpoint Protection
  • Cloud Hosted Email Security
  • Critical Software + Security Updates
  • Server Performance Monitoring
  • 24 x 7 System Monitoring + Alerts
  • Daily Backup Monitoring
  • Monthly Executive Reports
  • Standard Operating Environment

Growth

Unlimited Support + Security
$ 89 Monthly
  • Unlimited Remote + Onsite Support
  • Support Hours 8am - 5.30pm M-F
  • Guaranteed Response Times
  • Staff Onboarding + Offboarding
  • Microsoft 365 Administration
  • Cyber Security Awareness Training
  • EDR/Antivirus - Endpoint Protection
  • Cloud Hosted Email Security
  • Critical Software + Security Updates
  • Server Performance Monitoring
  • 24 x 7 System Monitoring + Alerts
  • Daily Backup Monitoring
  • Monthly Executive Reports
  • Standard Operating Environment
  • Keeper Password Manager
  • Duo Multi Factor Authentication
  • DNS Filter Internet Protection
Popular

Enhanced

Unlimited Support 24x7 + Security
$ 159 Monthly
  • Unlimited Remote + Onsite Support
  • 24 Hours Support - 7 Days a Week
  • Priority Response Times
  • Staff Onboarding + Offboarding
  • Microsoft 365 Administration
  • Cyber Security Awareness Training
  • EDR/Antivirus - Endpoint Protection
  • Cloud Hosted Email Security
  • Critical Software + Security Updates
  • Server Performance Monitoring
  • 24 x 7 System Monitoring + Alerts
  • Daily Backup Monitoring
  • Monthly Executive Reports
  • Standard Operating Environment
  • Essential 8 Assess & Report
  • Monthly Vulnerability Scanning
  • Threatlocker Application Control
  • Keeper Password Manager
  • Duo Multi Factor Authentication
  • DNS Filter Internet Protection