Microsoft has announced that it is preparing to drop the password expiration policy from its Windows security baseline, the setting that required users to change their password periodically.
Password expiration is one of the Windows password security features, and it only protects against the possibility that a password (or its hash) will be stolen.
If a password is never stolen, there is no need to expire it; and if a user has evidence that it has been stolen, they should change it immediately rather than wait for the expiration date.
Even when a password has a periodic expiration date (the Windows default is 42 days), a stolen password will already have been misused by the attacker long before it reaches that date.
Taking all these points together, Microsoft concludes that a password expiration policy offers little real protection against password attacks.
A blog post published by Microsoft explained, “When humans are assigned or forced to create passwords that are hard to remember, too often they’ll write them down where others can see them. When humans are forced to change their passwords, too often they’ll make a small and predictable alteration to their existing passwords, and/or forget their new passwords. When passwords or their corresponding hashes are stolen, it can be difficult at best to detect or restrict their unauthorized use.”
Currently, the Microsoft security baseline requires a 60-day expiration, and it used to require 90 days, because forcing frequent expiration introduces its own problems.
Better Options than Password Expiration Policies for Password Security
Here Microsoft points to recent scientific research that supports long-standing alternative password-security practices, such as enforcing banned-password lists (a great example being Azure AD password protection) and multi-factor authentication.
The mitigations it lists are banned-password lists, multi-factor authentication, detection of password-guessing attacks, and detection of anomalous
“If they haven’t implemented modern mitigations, how much protection will they really gain from password expiration?” Microsoft states in the blog post.
Dropping the password expiration policy does not change the requirements for minimum password length, history, or complexity.