MICROSOFT HAS ADMITTING something we've all know for years - expiring passwords don't help anyone.
Beloved by IT administrators, the idea that changing your password once a month will protect you from internet nasties has been a mainstay option for corporate Windows users for as long as there have been corporate Windows users.
Now it appears that Microsoft is set to shake things up, removing the option as a default and leaving it to individual organisations to switch it on manually.
In a blog post on Wednesday that runs through security policies for the forthcoming May 2019 Update to Windows 10, Aaron Margolis a Microsoft cybersecurity employee, whose Twitter bio says "Avoid Twitter, f*cking cesspool", explained the thought process in detail:
"If an organization has successfully implemented banned-password lists, multi-factor authentication, detection of password-guessing attacks, and detection of anomalous login attempts do they need any periodic password expiration? And if they haven't implemented modern mitigations, how much protection will they really gain from password expiration?"
The company's research suggests that the answers are "no" and "not much at all", hence removing enforcements in favour of an optional expiry.
In short - a strong password is better than a constantly reset one. It's an acknowledgement from Microsoft of something that Bill Burr, the man who created the policy, is said to even have regretted himself, suggesting it reduces the usability of systems where it is applied - and he's not wrong.
The news will come as a huge relief to anyone stuck with an auto-expiring password, because now that Microsoft has made the first move, it might actually get the message through to overzealous administrators that the whole premise is out of touch with the reasons it was introduced in the first place, which might mean that it gets removed from other software packages and websites too. We can but hope.
Microsoft has experimented with a no-password option in Windows 10 S Mode. μ
And it'll even undo the damage
Affected employees have 60 days to find a new home at the company
Doesn't inspire confidence in HongMeng's appeal
But don't get too excited if you've already got one