Windows 10 passwords will no longer expire, according to a recent Microsoft blog post. The post announced updated security measures for Windows 10 v1903 and Windows Server v1903, but one of the most controversial changes is the removal of password expiration policies.

Password security is not a new issue, with many people either using the same password for every account, or easy to hack passwords like “123456,” “qwerty,” “password,” or “111111.” These habits caused many organizations to enforce employees to change their passwords every prescribed amount of days.

SEE: How to reduce user account lockouts and password resets (free PDF) (TechRepublic)

Microsoft was an organization that initially took this approach, forcing Windows users to change their passwords on a regular basis. It’s no secret that these policies are not favored by users, causing more headaches and bad practices than protection.

The majority of consumers (75%) said they are stressed by the number of passwords they have to remember, causing them to only slightly change passwords, or frequently forget them, according to a recent Kaspersky report.

Microsoft’s outlook

The entire practice of password expiration is only helpful based on the assumption that the password would be stolen during that interval of validity, according to Microsoft’s post. Now, if the password is never stolen, then there is no need to have it expire, it continued.

“What should the recommended expiration period be?” the post posited. “If an organization has successfully implemented banned-password lists, multi-factor authentication, detection of password-guessing attacks, and detection of anomalous logon attempts, do they need any periodic password expiration? And if they haven’t implemented modern mitigations, how much protection will they really gain from password expiration?”

Is it a good idea to remove password expiration?

The short answer? Yes, according to Avivah Litan, vice president and distinguished analyst at Gartner.

“It’s a feasible and very welcome plan. Forcing users to change their passwords periodically works against security—it means consumers have to write them down to remember them and it does nothing to stop hackers from stealing current passwords,” Litan said. “Hackers generally use stolen passwords very quickly, and password complexity does little to prevent use of stolen passwords either, since hackers can just as easily capture or steal a complex password as they can a simple one.”

Hopefully, this move from Microsoft will inspire other organizations to follow suit, and perhaps even remove interactive passwords altogether and move to more secure forms of authentication, Litan said.

“Finally a company—i.e. Microsoft—is using independent reasoned thinking rather than going along with the crowd mentality when the crowd’s less secure password management practices are—however counterintuitive—less secure,” she added.

Alternatives for passwords

Ideas for completely replacing passwords have been recently thrown around, including the use of biometrics, zero login, implanted microchips, and DNA identification. With advancements in technology, many professionals think there are better, more secure and individualized ways to execute authentication.

However, there is no single sure-fire solution, Litan said. “Biometrics on their own can also be hacked,” she noted. “What is more secure (and private) is another method Microsoft and many other organizations are starting to support—Decentralized Identities—where users control their own identity and authentication information.”

At the end of the day, authentication must be layered and completed in a secure way that only the user can access, Litan added.

For more about Microsoft’s elimination of password expiration, check out our sister-site ZDNet’s coverage.

Also see


Image: iStockphoto/mangpor_2004