Microsoft is proposing to remove password expiration as a recommended configuration for Windows systems
Microsoft is proposing to remove password expiration as a recommended configuration for Windows systems
[UPDATE] Microsoft recommendation to NOT force user password changes on a schedule is now their official published security guidance for Windows customers. This obviates decades of common-knowledge, in response to evidence it’s actually harmful to security blogs.technet.microsoft.com/secguide/2019/…
Although NIST and others precede this and deserve that credit, I think it’s worth taking a moment to recognize this moment in time as truly a fundamental change in the industry.
@SwiftOnSecurity My counterpoint: Basically the guidance is not ONLY disabling password expiration. Read the and implement ALL of the guidance. infosec.engineering/requiring-peri…
@SwiftOnSecurity @Aykay It is a gift of the gods - the policy is also internal.
@SwiftOnSecurity @SteveBellovin Ha ha ha ha ha. Hey corporate security morons, check this out.
@SwiftOnSecurity They also adjusted their internal policy to be one year password change instead of 70 day forced password changes.
@SwiftOnSecurity If commercial Windows customers handle that guidance the same way they handle updates, it's only a matter of a few decades until it's widespread practice.
@SwiftOnSecurity And let's face it - Most scheduled password updates seem to result in the user adding either another '!' or the next number in the sequence to the existing password. Not exactly raising the entropy there. 😏
@SwiftOnSecurity "Periodic password expiration is an ancient and obsolete mitigation of very low value, and we don’t believe it’s worthwhile for our baseline to enforce any specific value." - Microsoft (@AaronMargosis) Here it is. The hill I'm gonna die on come Monday.
@SwiftOnSecurity "... if your users are the kind who are willing to answer surveys in the parking lot that exchange a candy bar for their passwords, no password expiration policy will help you." - Microsoft (@AaronMargosis) ^ This is gold. GOLD!
@SwiftOnSecurity NIST passed this recommendation last year, waiting it to filter down through enterprise
@SwiftOnSecurity Woohoo! I wonder if the PCI council are planning to change any time soon.
@SwiftOnSecurity @MaarNu Still don't agree that it's as clear as 'password changes are bad', it's more that passwords are bad.
@SwiftOnSecurity Now how long before the compliance standards and auditors catch-up?
@SwiftOnSecurity NIST 800-63B makes that very same recommendation (and probably was the document that prompted that policy change from MS). Mandatory change in the face of evidence of compromise, is still standard, of course.
@SwiftOnSecurity WHY ON EARTH has MSFT not purchased a password manager and tightly integrated it with AAD, Win10, and Office 365? This is the most obvious acquisition. There are 3 that are possible, KeePass, Dashlane, and 1Password. LastPass is great but I don't see prying it away from LogMeIn.
@SwiftOnSecurity When forced to change passwords people tend to use “something easy to remember followed by a number”.
@SwiftOnSecurity "Guess I'll just use the same password but with a THIRD exclamation point."
@SwiftOnSecurity Fricking finally. Forced changes just lead to users creating simpler passwords, in my experience.
@SwiftOnSecurity Awesome! I expect that by 2259 my workplace will get around to adopting this practice, just after they have finished transitioning the last MS Acces DB to a SQL Server 2008 instance.
@SwiftOnSecurity now I just need clients of ours to stop mandating password expiration in their security requirements for us.
@SwiftOnSecurity Any idea what this should mean for shared accounts, or machine service accounts? This seems to address user passwords specifically
@SwiftOnSecurity @__jakub_g FI-NA-LY so sick of this nonsense
@SwiftOnSecurity Common knowledge isn't...common. There is published research for and against regularly changing passwords.
@SwiftOnSecurity Password cycling is dumb. Have different passwords for each site.
@SwiftOnSecurity Wait so scheduled password changes are good or not?
@SwiftOnSecurity Why are we still using passwords?
@SwiftOnSecurity Someone had better explain this to the PCI Security Standards Council. PCI-DSS V 3.2.1 8.2.4 . @PCISSC
@SwiftOnSecurity @alistairstead46 i guess the temptation to change from password 1 to password 2 is a little too much!
@SwiftOnSecurity This is a great move, I've been trying to get this through at work but had lots of resistance. Now a big and recognisable name such as Microsoft is behind it, we should be good to go! With the caveat that, standards like PCI still require password changes every 90 days!
@SwiftOnSecurity My ISO will have a brain aneurysm if he reads that.
@SwiftOnSecurity What would be your recommendation for orgs who currently cannot reliably monitor for password misuse? I argue that expiering the password in this case is better than blindly following recommendations...
@SwiftOnSecurity I have to log into work's performance review site every three months. The password expires after two months. 😔