Will the Constant Change of Passwords Become Obsolete?

If Microsoft's new security recommendations are followed, passwords will no longer be given an expiration date and will not have to be renewed constantly. The software company regards password expiration policies as an outdated measure of very low value. For this reason, Microsoft is removing this setting from the Security Configuration Baseline policy for the new version 1903 of Windows 10. Instead, organizations need to define their own timelines in the Basic Security Policy.

In Microsoft's view, periodically changing passwords provides only low protection against the theft of a valid password, while users are often overwhelmed by the procedure. They either choose easily guessable passwords or tend to alter their existing ones with simple, predictable changes.

This announcement is not really new. Two years ago, the US National Institute of Standards and Technology (NIST) already published a recommendation that not only advocates abandoning expiration policies, but also questions the benefit of password complexity requirements. Instead, companies should compare user passwords with known or frequently used passwords and, if necessary, block them from being used, and should also use multi-factor authentication.

The software company can only explicitly recommend these alternatives, and it offers its own modern authentication methods and practices with Office 365 MFA, Azure MFA or Azure Password Protection. Microsoft does not want to make these recommended alternatives part of its basic security policy at all, especially as they could not be implemented with group policies.

The Basic Security Guidelines are best-practice recommendations from Microsoft for securing Windows operating systems. They usually consist of a combination of Group Policies, scripts and reports, and are available as a free download. The software company has just released a first draft of the basic security policy for Windows 10 19H1 and Server 2019.

Source: Microsoft Security Guidance blog

