News

Microsoft: Password Expiration Policies Are 'Low Value'

• By Kurt Mackie
• April 29, 2019

Microsoft is pushing against conventional wisdom when it comes to organizations enforcing periodic password expirations to secure their Windows systems.

Last week, the company encouraged doing away with such policies, arguing that people only alter their passwords predictably when they are compelled to regularly change them. Instead, organizations should use a solution that avoids the use of commonly guessed passwords, as well as multifactor authentication, which is a secondary means of verifying a user's identity, according to Microsoft.

The company made its case in a draft of its latest security baseline advice for users of Windows 10 version 1903 and Windows Server version 1903. Best practices for organizations get compiled in these security baseline guides. Microsoft hasn't commercially released version 1903 of Windows 10 or Windows Server yet, but possibly they'll reach the "targeted" channel-release stage sometime in late May.

Password Protection and Multifactor Authentication
"Recent scientific research calls into question the value of many long-standing password-security practices such as password expiration policies, and points instead to better alternatives such as enforcing banned-password lists (a great example being Azure AD password protection) and multi-factor authentication," stated Aaron Margosis, a principal consultant with Microsoft's Global Cybersecurity Practice, in the announcement of the draft.

Microsoft had outlined a similar position last year, when it also recommended that passwords should be set to never expire. Organizations should have a way to ban commonly guessed passwords, as well, but Microsoft argued against requiring long passwords. Moreover, organizations shouldn't require the use of extended characters in passwords, Microsoft contended.

Microsoft's security baseline recommendations are just minimal recommendations for most enterprises using Windows. They're associated with the Group Policy settings that exist within Windows. Consequently, the advice to use external solutions -- such as Azure Active Directory password protection and multifactor authentication, which use Microsoft's cloud-based services -- are beyond the guideline's scope, Margosis had explained.

Microsoft just thinks that enforcing periodic password expirations would be not very effective, so it's not planning to include that advice in its security baseline documentation, according to Margosis:

Periodic password expiration is an ancient and obsolete mitigation of very low value, and we don't believe it's worthwhile for our baseline to enforce any specific value. By removing it from our baseline rather than recommending a particular value or no expiration, organizations can choose whatever best suits their perceived needs without contradicting our guidance. At the same time, we must reiterate that we strongly recommend additional protections even though they cannot be expressed in our baselines.

If Microsoft were to stick with recommending periodic password changes, then organizations might get "dinged in an audit," without getting any true security protections, Margosis added.

Microsoft's position against periodic password changes likely contradicts current IT practices. In a comment, a reader of Microsoft's announcement stated that requiring periodic password changes "helps mitigate the real risk that a user password that is captured or breached at a particular time, is not still valid an indefinite time later." In reply, Margosis commented that organizations can still require periodic password changes if they want, but it just won't be part of Microsoft's baseline recommendations.

Other New Security Policies
The new security baseline recommendations also are ushering in a few added policies. For instance, there will be a new "Enable svchost.exe mitigation options" policy for Windows 10 version 1903 and Windows Server version 1903. It'll enforce that "all binaries loaded by svchost.exe must be signed by Microsoft," and it'll disallow "dynamically generated code." IT pros should ensure that this policy doesn't cause conflicts with "third-party code" and "third-party smart-card plugins," Margosis warned.

Microsoft also is removing its past recommendation of using the strongest encryption option with BitLocker-encrypted drives. The use of 128-bit encryption in BitLocker is unlikely to be broken, Microsoft argued.

Microsoft is proposing to drop its past security baseline recommendations that built-in Administrator and Guest accounts should be disabled. It just should be an option to enable them, Microsoft argued.