Microsoft has admitted that having passwords expire is not a useful security measure. The company announced that it will be dropping its Windows policy that requires users to periodically change their login password as a result. You can see the full story here.
I thought I was the only one that changed my password by one digit. #microsoft #password #policy https://t.co/I0MxyQkFW2
— Eric Serno (@ericserno) April 26, 2019
Expert Comments:
Rachael Stockton, Senior Director Product Marketing, LastPass by LogMeIn:
“We’ve long advised against too frequent password changes, so we are pleased to see Microsoft’s new proposal to eliminate its password expiration policy.
Security doesn’t have to create more hurdles for employees. For years, security professionals have recommended changing passwords every 30, 60 or 90 days and in offices worldwide, IT policies require employees to change their passwords on a regular basis. If you’re like most people and have nearly 200 accounts to keep track of, changing them every month or quarter just isn’t realistic.
Such strict corporate policies also tend to lead to employees reusing passwords or making them as memorable as possible, leaving them more vulnerable to a hack. That doesn’t mean people should never change their passwords. Especially if multi-factor authentication is not enabled, people should aim to update passwords at least once a year as a precautionary measure to prevent unauthorised access, and of course if their credentials were involved in a 3rd party breach.
The most secure passwords are long and randomly generated, which can still be difficult to create and remember. Using a password manager kills two birds with one stone, as they can be used to both generate and store passwords in a secure vault, where they’re organised and encrypted for safekeeping. LastPass even offers an automatic password change feature to save time and effort when it’s necessary to do so.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.