Microsoft: Changing passwords frequently is an archaic and obsolete request
Microsoft has changed its security policies with Windows 10 v1903 and Windows Server v1903. Starting with these versions, the requirement to change passwords periodically disappears from the security guidelines.
Periodic password changes can do more harm than good. So says Microsoft in a post published at the end of May, which has come back into the spotlight in recent hours thanks to several specialized American sites; in it we read that the requirement is nothing more than a "mitigation of little value, archaic and obsolete". Yet this is a practice that Microsoft itself had continued to recommend for decades.
In the post, Microsoft states that with the May 2019 Update it has removed the periodic password change from its baseline security requirements. The reason for the change of perspective is that, over time, it has been amply demonstrated that the passwords easiest to "crack" are those that are easy to remember, such as names or quotes from films or books.
Attackers often feed dictionaries of millions of words to GPUs optimized for the task, "guessing" candidate passwords by trial and error against any stolen hashes they hold, each of which is derived from a clear-text password.
Nor is it enough to swap letters for look-alike digits (an "o" for a 0, say, or an "i" for a 1), since it is very easy to write "rules" that apply the same substitutions to ordinary dictionary words. To date, the passwords considered safest are those with at least 11 characters, ideally chosen at random from upper- and lower-case letters, symbols and digits. The same security experts stress that changing passwords periodically can be more harmful than anything else, since it pushes users to choose weaker passwords each time they are forced to change.
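As an added illustration of the two points above (a cracking dictionary plus substitution rules, and the 11-character minimum), not code from the article or from Microsoft: a small Python password-acceptance check that reverses the common letter-for-digit swaps before comparing a candidate against a banned-word list. The word list, the substitution map and the three-class rule are constructed assumptions for the example.

```python
import re
import string
from typing import List

# Constructed sample of the kind of word list a cracking dictionary contains;
# a real banned-password list would hold millions of entries.
COMMON_WORDS = {"password", "welcome", "letmein", "summer", "winter", "admin", "qwerty"}

# The letter/digit swaps the article mentions (o->0, i->1, ...), applied in reverse
# so that "Passw0rd" is judged as "password". Assumed mapping, not an exhaustive one.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})

MIN_LENGTH = 11  # the minimum length the article cites


def normalize(candidate: str) -> str:
    """Lower-case, drop leading/trailing digits and symbols (e.g. 'Summer2019!'),
    then undo look-alike substitutions, yielding the word a cracking rule starts from."""
    core = candidate.lower()
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", core)
    return core.translate(LEET_MAP)


def character_classes(candidate: str) -> int:
    """Count how many of upper, lower, digit and symbol appear in the candidate."""
    return sum([
        any(c.isupper() for c in candidate),
        any(c.islower() for c in candidate),
        any(c.isdigit() for c in candidate),
        any(c in string.punctuation for c in candidate),
    ])


def evaluate(candidate: str) -> List[str]:
    """Return the reasons a candidate password is rejected; an empty list means it passes."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(candidate) < 3:
        problems.append("uses fewer than three character classes")
    core = normalize(candidate)
    if core in COMMON_WORDS:
        problems.append(f"is the dictionary word {core!r} with substitutions applied")
    return problems


if __name__ == "__main__":
    for pw in ("Passw0rd!", "Summer2019!!", "xK9#mQ2vL8pT"):
        print(pw, "->", evaluate(pw) or "accepted")
```

The same normalization is what a cracking rule set does in the forward direction, which is why "Passw0rd!" and "Summer2019!!" are rejected while the random 12-character string passes.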
Over the years, various companies have continued to recommend periodic password changes, Microsoft included. In its post, the company now notes that "periodic password expiry is a defense only against the probability that a password (or hash) is stolen during its validity interval and is used by unauthorized users. If a password is never stolen, there is no need to replace it". And, considering that password expiration on Windows is currently configured at 42 days, it is clear that this practice is useless once the password has already been stolen.
The changes do not affect the requirements on password length, history and complexity, and the company continues to recommend multi-factor authentication even where extremely complex passwords, considered secure, are in use.