
Microsoft Drops 60-Day Password Expiration Policy (bleepingcomputer.com) 75

Microsoft is dropping its 60-day password expiration policy starting with the Windows 10 May 2019 Update. "Once removed, the preset password expiration settings should be replaced by organizations with more modern and better password-security practices such as multi-factor authentication, detection of password-guessing attacks, detection of anomalous log on attempts, and the enforcement of banned passwords lists (such as Azure AD's password protection currently available in public preview)," reports Bleeping Computer. From the report: Microsoft's Aaron Margosis states that the password expiration mechanism which requires periodic password changes is in itself a flawed defense method given that, once a password is stolen, mitigation measures should be taken immediately instead of waiting for it to expire as per the set expiration policy. In addition, the soon to be removed policies are "a defense only against the probability that a password (or hash) will be stolen during its validity interval and will be used by an unauthorized entity."

The removal of the password-expiration policies without the addition of other password-oriented security configurations does not directly translate into a decrease in security but, instead, it simply stands as proof that security-conscious organizations need to implement extra measures to enforce their users' security. As Microsoft further detailed, "to try to avoid inevitable misunderstandings, we are talking here only about removing password-expiration policies -- we are not proposing changing requirements for minimum password length, history, or complexity."

  • THANK YOU (Score:5, Interesting)

    by darkain ( 749283 ) on Thursday April 25, 2019 @05:15PM (#58492556) Homepage

    FUCKING THANK YOU!

    Seriously, the amount of bullshit, short, easy to guess passwords that are reused and have a slight permutation (Pass+Month+Year) in my organization just because of bullshit policies set by outside vendors is just insane! I've been trying to fight it for years, but said outside vendors don't give two shits.

    • Don't even need a baseline password, setting it to the day you reset it like April-25-2019 would pass most requirement filters...

      Alternatively, PassWord1, PassWord2, PassWord3, also work just fine...

      And if efforts are made to avoid such permutations, the resulting password will be difficult/pointless (if it's changing in a month anyway) to memorize, resulting in people writing it down and sticking it on a note under the keyboard.

    • Inside Microsoft we are preaching "Get rid of passwords" and "Passwordless strategy" to anyone and everyone that will listen. Windows Hello PINs are so much better. If you can switch to that, more power to you.

      (I work for Microsoft supporting Enterprise customers. This is not paid content, and represents my opinion, not theirs. Yes, I realize working for the man makes my opinion invalid.)

      • by darkain ( 749283 )

        Yeah, no thanks. I'd rather *NOT* use biometric information in any sort of database as a method of authentication. I'm just fine using pinned Yubikeys and other types of physical security tokens for access.

        • With Windows Hello the biometrics never leave your machine. They are stored locally by the TPM.

          That said, I understand your hesitance. It's not like you can get a new face if the current one is pwned. I, personally, prefer PINs instead. It's still specific to one single machine for something I know (PIN) + something I have (the machine) security, but I can change a PIN.

          • by darkain ( 749283 )

            One of my large issues is that I'm not on "one device" - I'm in a business where people are not assigned machines, rather there are machines all over the place and we're constantly on the move throughout the building, accessing whichever device is closest. We'd either need to have biometrics stored on EVERY machine, stored centrally... or just use an authentication key/card. Which seems most reasonable? Also, I don't trust TPM devices to be secure enough.

    • because of bullshit policies set by outside vendors

      Wow, you guys roll out Windows with default policies set?
      I mean it's not like this has been completely customisable and in control of your sys admins since the days of Windows NT or anything /sarcasm.

    • by jabuzz ( 182671 )

      The best I have seen is the SMM module on a Lenovo d2 chassis (it's a lights out management thing on a cloud chassis, 4 servers in 2U). By default the password expires every 90 days. So basically you have to change the password every fecking time you actually use the thing. Turns out you can disable it, but not through the web interface, no you have to use random barely documented raw IPMI commands. I mean jesus wept, whoever came up with that scheme needs taking round the back and given a really good beatin

      • by darkain ( 749283 )

        Yup! This is just like income tax software. They expire after X number of days too, but we only do our fucking taxes once a year! Of COURSE it's going to be expired every single time!

  • Everyone is moving to multi-factor authentication. That is more secure and good, but it makes it harder for opensource/volunteer efforts. Sending all those text messages is an extra expense.
    • by EvilSS ( 557649 )
      So don't use insecure SMS MFA then. There are opensource MFA applications out there.
      • If you don't provide it over a separate channel, it's pointless.

        If it's not something other than a code someone knows (or has added it as a seed to a device / "app" that generates a code based on the seed and the current time) it's not "two factor".

    • Everyone is moving to multi-factor authentication. That is more secure and good, but it makes it harder for opensource/volunteer efforts. Sending all those text messages is an extra expense.

      Text messages are a bad solution anyway, because carriers can be social-engineered to reroute text messages.

      Open source and volunteer efforts should instead use time-based password and/or security key second factor auth. Time-based password solutions are standard (RFC 6238) and easy, there are free and open source apps that provide them, like FreeOTP. Security key solutions are also standard (FIDO) and easy. They require a physical hardware security key that costs about $30 for each user, which isn't c

      • FreeOTP looks good, I'll check it out.
        • by skegg ( 666571 )

          I second FreeOTP. (As if swilden's endorsement didn't suffice.)
          Have been using it for years on both Android and iOS.

    • MFA sucks. It does nothing but harass the end users who get frustrated at having to identify themselves every single time they want to use a device.

      It's no wonder less and less work gets done as the years pass. We keep coming up with new and better ways to make getting work done as difficult and complicated as possible.

  • by swillden ( 191260 ) <shawn-ds@willden.org> on Thursday April 25, 2019 @05:21PM (#58492602) Journal

    This is a good thing, and every other organization that is enforcing password rotation policies should get a clue and do something better.

    The theory behind password rotation is that if it takes an attacker longer to brute force search the password than the length of the rotation window then the attacker can never succeed. Another theory is that if an attacker does gain access but chooses to use it surreptitiously so the user doesn't realize the account is compromised, the rotation ends the compromise.

    There's nothing factually incorrect about these theories, but they ignore human realities. The reality is that users cannot -- and will not, even if they can -- create and memorize a new, good password every 2-3 months. Especially not if they have multiple accounts with required rotations. Frequent rotations therefore force users to use worse passwords, or passwords that are simple variations of one another, or to share passwords across multiple accounts (I once had a co-worker proudly explain to me that he had a single password for every one of his work and online accounts, and that whenever one of the systems forced him to change it, he changed it in all of them, always keeping all of them in sync), or to write them on sticky notes tacked to the bottom of their keyboard or...

    Basically, rotation is too hard for people, so they work around it, usually in ways that are far more likely to result in a breach. It's just a bad idea.

    The right solutions to improving password security are the ones mentioned, multi-factor auth and the detection of anomalous login attempts, plus machine certs, so that only known clients can log in. Oh, and for Pete's sake get a decent SSO solution, so your employees only need one good password for everything at work, and you can focus your efforts on applying countermeasures to make sure that is really secure.

    Once we've killed the password rotation stupidity, we should next take aim at the password complexity silliness.

    • by Anonymous Coward

      Oh, and for Pete's sake get a decent SSO solution, so your employees only need one good password for everything at work, and you can focus your efforts on applying countermeasures to make sure that is really secure.

      ABSO-F-LUTELY! The safest password entry screen is the one I don't enter my password into. Phishing attacks are a vastly greater risk these days than brute force attacks (in my opinion) - so if I don't enter my password to any website except for initial Windows logon (or at least, as few

    • The theory behind password rotation is that if it takes an attacker longer to brute force search the password than the length of the rotation window then the attacker can never succeed.... There's nothing factually incorrect about these theories, but they ignore human realities.

      That particular theory actually is factually incorrect. Given either uniformly-distributed passwords or a randomized search order the probability of any particular guess matching the current password is a constant, so an attacker is equally likely to stumble onto the correct password whether or not it's changed. (I suppose it might work if you're only concerned about attackers following a fixed search order and starting over whenever the password changes... but how realistic is that? Attackers shouldn't eve

      • The theory behind password rotation is that if it takes an attacker longer to brute force search the password than the length of the rotation window then the attacker can never succeed.... There's nothing factually incorrect about these theories, but they ignore human realities.

        That particular theory actually is factually incorrect. Given either uniformly-distributed passwords or a randomized search order the probability of any particular guess matching the current password is a constant, so an attacker is equally likely to stumble onto the correct password whether or not it's changed.

        Assuming uniform distribution, for a given password entropy and a given password test rate, there is a specific amount of time it will take to search the entire password space. If the password change interval is longer than that, then the attacker is guaranteed to be able to find the password. If the password change interval is shorter, then the attacker will find the password with a probability equal to password change interval divided by password search time.

        Of course, various techniques can be used t

        • Assuming uniform distribution, for a given password entropy and a given password test rate, there is a specific amount of time it will take to search the entire password space. If the password change interval is longer than that, then the attacker is guaranteed to be able to find the password.

          Up to this point we're in agreement.

          If the password change interval is shorter, then the attacker will find the password with a probability equal to password change interval divided by password search time.

          I think what you're referring to here is the probability that the attacker will find the password within the password change interval. However, this isn't the most important metric; that would be the average rate at which an attacker finds a working password, or—from the opposite perspective—the probability of finding a working password within a fixed period of time.

          Say an attacker can brute-force all possible passwords in some fixed time T. The attacker check
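
Added example (not any commenter's code): the brute-force model debated in this sub-thread, computed exactly and cross-checked by simulation on a toy password space. It assumes uniformly random passwords, an attacker trying distinct guesses at a constant rate who needs time T to exhaust the space, and an independent fresh password every R; the function names and the numbers 360 and 60 are constructed for illustration.

```python
import random
from fractions import Fraction


def p_found_static(t, T):
    """Password never changes: P(attacker has found it by time t)."""
    return min(Fraction(t, T), Fraction(1))


def p_found_rotating(t, T, R):
    """Password replaced every R: each full interval is an independent
    trial that succeeds with probability R/T (capped at 1)."""
    per_interval = min(Fraction(R, T), Fraction(1))
    full, rest = divmod(t, R)
    partial = min(Fraction(rest, T), Fraction(1))   # unfinished last interval
    return 1 - (1 - per_interval) ** full * (1 - partial)


def simulate_rotating(space, guesses_per_interval, intervals, restart,
                      trials=20000, seed=1):
    """Monte Carlo check on an integer password space of size `space`.

    restart=True : attacker restarts its fixed search order after each change.
    restart=False: attacker keeps walking the space from where it stopped.
    Returns the fraction of trials in which some current password was hit.
    """
    rng = random.Random(seed)
    found = 0
    for _ in range(trials):
        pos = 0
        for _ in range(intervals):
            password = rng.randrange(space)
            start = 0 if restart else pos
            # Guesses this interval are start, start+1, ... (mod space).
            if (password - start) % space < guesses_per_interval:
                found += 1
                break
            pos = (start + guesses_per_interval) % space
    return found / trials


if __name__ == "__main__":
    T, R = 360, 60   # constructed: 360 days to exhaust the space, 60-day expiry
    for t in (60, 90, 360, 720):
        print(t, float(p_found_static(t, T)), float(p_found_rotating(t, T, R)))
    print(simulate_rotating(600, 100, 6, restart=True),
          simulate_rotating(600, 100, 6, restart=False))
```

Under these assumptions the two curves coincide for the first interval; by time T the static password is certain to have been found, while with rotation the chance that at least one password was hit is 1 - (1 - R/T)^(T/R), about 0.665 here, whether or not the attacker restarts its search order.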

  • I got suckered in to creating a Microsoft account when I got Windows 10 - I heard you don't really have to do that, but whatever. I don't use it for anything.

    One time they told me my password sucked and I should change it and they were right. It wasn't as bad as "123456", but at least I could remember it. That was well over a year or two ago, maybe even longer than that and I still have the same password.

    The thing I worry about with all the free email accounts I have is that they will expire if I don't l

    • by _merlin ( 160982 )

      It's referring to default password policy for Active Directory LDAP/Kerberos services on Windows Server, not for Microsoft accounts.

  • by qwerty shrdlu ( 799408 ) on Thursday April 25, 2019 @05:31PM (#58492646)
    Sales of Post-it Notes will be going down.
  • by Anonymous Coward

    I've got a "pretty good" password that I use that has a cycling "change" part in the middle that I've used for the years that work has demanded the silly "change your password every 90 days" thing. (No, it's not pass(number)word) I'd use my favorite password manager and let it generate some crawling horror of a password, but some of the web page login popups disable paste so it has to be something I can type in. (THE STUPID! IT BURNSSS!!! but they won't change that.)

    They've gone to Microsoft MFA, and e

  • While we are at it, can we discuss the inanity of most password recovery questions?
    - What is your favorite movie?
    - What is your favorite song?
    - What is the first name of your best friend?
    Might as well be "What time is it when you set your password recovery question?" or "What will you have for lunch next week?"

    If you are going to have password recovery questions (which is a bad idea in general...use two-factor auth instead), then at least make the values immutable so we can actually remember them.

  • Changing passwords regularly is pointless- it doesn't provide any benefit to anyone and it doesn't make you "safer" in any real way.

    Disagree? Fine- change my mind. Explain how rotating passwords on some kind of regular cadence makes you safer.

    • by Bert64 ( 520050 )

      The theory is to reduce the usable window of time that a password can be used should it become compromised. Due to various weaknesses in Windows, there are all manner of ways to acquire users' passwords or passable hashes thereof and the user will usually have no idea this has happened.

      In practice, making people change their passwords regularly encourages weak passwords and password reuse between different devices, and even a short window of time where you have one user's password allows ample opportunity t

      • The theory is to reduce the usable window of time that a password can be used should it become compromised.

        I understand the idea behind that, but if that's the rationale then we should all be changing our passwords hourly. Oftentimes in an actual compromise it only takes a few minutes to get in and plant back doors for use later. After that it doesn't matter, the damage is done.

        And yes, I'll admit there are instances where a few minutes or hours isn't enough time to whack the system, but for a lot of hacks all they need is enough time to upload some backdoor scripts or create a new account to use.

        If administrato

        • by Bert64 ( 520050 )

          Yes it doesn't particularly make sense, just like the "minimum password age" setting is intended to prevent password reuse when a more sensible solution would be to remember old passwords for a fixed length of time rather than a fixed number of old passwords.

          The problem is people aren't willing to think for themselves, various guides online tell them to rotate passwords so that's what they do without ever questioning the reasoning behind it or whether it's applicable.

  • It took me months to convince our "security officer" to fix our bad (and annoying) password policy. For some reason this long outstanding ticket even passed various external audits. I think in the end he just removed it because I annoyed him enough, not because he was convinced it was a bad policy.

  • by Anonymous Coward

    Because the many non-skilled workers will not detect a password leak, they will not call support or service desk to admit an error. And inside the company we do have shoulder surfers, passwords being shared etc. Malware can extract hashes for offline cracking.

    Phishing still exists, Microsoft ATP will not remove the phishing mails, and categorize lots of legitimate mails as phishing, so for a company like ours, with working SPF, DKIM and DMARC, that really did not give any value.

    We are looking at more securi

  • I guess they couldn't find 250.000 people to (wo)man the helplines.

  • I'd gotten used to incrementing a number in my password by 1 with each expiration warning.
  • Where I work they still have that old mentality to use very easy passwords and every employee doesn't give 2 shits about it too. Man, some of the employees, when they call the call center to reset a password, are bitching at the poor sap at the helpdesk cause "their password system" is too strong so they are losing time by calling the helpdesk. I mean we're talking about people who write passwords on paper cause they can't remember their own last week. Personally, on my side, I do welcome this change but for all ot
  • Obligatory shoutout to Bill Burr [gizmodo.com]
  • I have a couple of computers with Windows 7 Pro installed (used Dells with OEM COA stickers) which I basically only use as glorified game consoles. So naturally I leave them set to auto-login. Guess what happens when Windows 7 decides that your password has expired (by default, naturally) when you are set for auto-login? Apparently it decides that it has to contact a domain server when you try to change your password! Yes, on a stand-alone box.

    After learning more than I wanted to about registry hives in a
