Microsoft will remove password expiration policy; they think it’s useless

The technology giant Microsoft plans to eliminate its so-called password expiration policy, under which the company requires Windows users to change their passwords periodically, vulnerability testing specialists reported.

The company announced the proposal in a post on its official blog; in the text, Microsoft states that its baseline security settings will stop requiring users to change their passwords at intervals of weeks or months.

This first draft of the new security baseline includes several recommendations that would affect corporate network users, with the primary purpose of preventing misuse. In addition, the company intends to restrict some features built into the Windows operating system that malware could abuse.

“Microsoft believes that its current password expiration policy is an obsolete and really non-functional security measure in practice; they no longer believe that it is worthwhile to keep encouraging it”, mentioned the vulnerability testing specialists.

On the other hand, a spokesman for the company stated: “This policy only defends users in case their active password is stolen; if passwords are never stolen, you do not need to set an expiration date; in case of a stolen password, users would do a password reset, not just wait for it to expire”.

According to the vulnerability testing specialists, Microsoft wants to encourage its users to adopt passwords strong enough to eliminate the need to change them constantly; in any case, forced rotation has proven to be a nearly useless security policy.

Specialists of the International Institute of Cyber Security (IICS) say that such policies are not secure because, if a password is stolen, a threat actor who knows the current password could easily guess the next one, since users forced to rotate tend to make small, predictable changes.
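To illustrate the problem the IICS specialists describe, the following added example (not code from Microsoft, NIST or IICS) implements a check a password-change handler could run at the moment a user submits the old and new password: it rejects new passwords that are predictable mutations of the previous one (a bumped counter, a swapped suffix, a case change, a reversal, or a couple of edits). The mutation rules and the edit-distance threshold are assumptions chosen for the example.

```python
"""Added example: reject predictable password rotations at change time."""
import re
from typing import Optional


def _stem(password: str) -> str:
    # Lower-case and drop the trailing run of digits/symbols: 'Summer2019!' -> 'summer'
    return re.sub(r"[\d\W_]+$", "", password.lower())


def edit_distance(a: str, b: str) -> int:
    # Classic Levenshtein dynamic programme; inputs are short, so O(len(a)*len(b)) is fine.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def rotation_problem(old: str, new: str, max_edits: int = 2) -> Optional[str]:
    """Return why the new password is a predictable mutation of the old one, or None if it is not.

    Both values are only available in memory while the change request is handled,
    so no plaintext history needs to be stored (assumption about the calling code).
    """
    if new == old:
        return "unchanged"
    if new.lower() == old.lower():
        return "case change only"
    if new == old[::-1]:
        return "reversed"
    stem_old, stem_new = _stem(old), _stem(new)
    if stem_old and stem_old == stem_new:
        return "same base word with a new counter or suffix"
    if edit_distance(old.lower(), new.lower()) <= max_edits:
        return f"within {max_edits} edits of the previous password"
    return None


if __name__ == "__main__":
    # Constructed sample changes, not real credentials.
    for old, new in [("Summer2019!", "Summer2020!"), ("Password1", "1drowssaP"),
                     ("Tr0ub4dor&3", "Tr0ub4dor&4"), ("Summer2019!", "battery-staple-horse")]:
        verdict = rotation_problem(old, new) or "accepted"
        print(f"{old!r} -> {new!r}: {verdict}")
```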

Other organizations, such as the National Institute of Standards and Technology (NIST), have also dropped this kind of password policy from their guidance, considering that its impact on users’ security may in fact be negative.