Microsoft Now Discourages Password Aging in Windows
It looks like the old “best practice” of requiring periodic password changes may finally be coming to an end. NIST was the first to drop it, over a year ago. Now Microsoft is recommending against password aging in its latest Windows security baseline, though it does say that better controls (banned password lists, anomalous login detection, etc.) should be used instead.
“If a password is never stolen, there’s no need to expire it. And if you have evidence that a password has been stolen, you would presumably act immediately rather than wait for expiration to fix the problem.”
Deciding whether or not to age out your passwords is difficult, and in practice the new guidance makes that decision tougher. On one hand, not changing passwords means less trouble remembering and managing them, which in turn lets users choose more complex passwords. On the other hand, regularly changing passwords disrupts attackers who may have stolen passwords or acquired them elsewhere, for example on the dark web.
Within PrivacyPro we leave these decisions up to our customers: the software supports either aging passwords and prompting users to change them, or leaving them unexpired. We are not taking a position on the subject for our customers, as it is too close to call, but we respect the judgement of the security professionals and want everyone to be aware of the different factors to consider. We can say that it is no longer required to change passwords periodically, as we have counseled for years based on industry best practice; HIPAA does not mandate that they be changed on any particular schedule.