New Windows 10 will drop password expiry policies

(Image credit: Image source: Shutterstock/scyther5)

Microsoft just announced that with the Windows 10 May 2019 Update, it will be dropping the password expiration policy and replacing it with new, more contemporary solutions.

After v1903 gets released, users will be able to set up two-factor authentication, will be able to detect cyberattacks that use password guessing techniques, as well as track anomalous attempts to log in.

Users will also get to enforce a list of passwords that are banned for use.

"While we recommend these alternatives, they cannot be expressed or enforced with our recommended security configuration baselines, which are built on Windows’ built-in Group Policy settings and cannot include customer-specific values," Microsoft said in an announcement.

One of the reasons why Microsoft decided to ditch the mandatory password change practice is that, as it says, it makes no sense.

If a password is breached, users should act immediately, not after they get forced to do so by the operating system. In that case, a mandatory password change every once in a while becomes redundant.

Also, these policies that are already one foot out the door are "a defence only against the probability that a password (or hash) will be stolen during its validity interval and will be used by an unauthorized entity."

Microsoft also says this doesn’t mean passwords should be any different. It’s just trying to give everyone more options.

"To try to avoid inevitable misunderstandings, we are talking here only about removing password-expiration policies – we are not proposing changing requirements for minimum password length, history, or complexity," it added.

Image source: Shutterstock/scyther5