Microsoft drops its “ancient and obsolete” password expiration policy

Microsoft has announced plans to drop the password expiration policy from its security baselines for Windows 10 v1903 and Windows Server v1903.

The change was announced in a blog post: organisations adopting the recommended settings will no longer force users to change their passwords on a recurring basis. Microsoft argued that when users are forced to create new, unique passwords, they tend to write them down so they do not forget them. Furthermore, the new passwords become easy to predict, because users create them by making small alterations to their existing passwords, so the overall state of password security gets worse.

Aaron Margosis, principal consultant with Microsoft Public Sector Services, described password expiration as an “ancient and obsolete mitigation of very low value,” and by removing it from the baseline settings, “organisations can choose whatever best suits their perceived needs without contradicting our guidance.”

“Periodic password expiration is a defense only against the probability that a password (or hash) will be stolen during its validity and will be used by an unauthorized entity. If a password is never stolen, there’s no need to expire it. And if you have evidence that a password has been stolen, you would presumably act immediately rather than wait for expiration to fix the problem.”

Microsoft strongly recommends implementing additional protections, even though those protections cannot be expressed in the baseline settings.

Since 2016, the National Institute of Standards and Technology (NIST) has recommended removing password expiration from security policies, reasoning that it causes more harm than good.

“Recent scientific research calls into question the value of many long-standing password-security practices such as password expiration policies, and points instead to better alternatives,” said Margosis. Organisations can therefore choose to implement other security practices, such as multi-factor authentication, instead of setting an expiration period.

“Our baselines are intended to be usable with minimal if any modification by most well-managed, security-conscious enterprises. They are also intended to serve as guidance for auditors,” said Margosis.
