Microsoft tells IT admins to nix 'obsolete' password reset practice


The company now says forcing users to routinely reset passwords at pre-set time intervals doesn't work as well as other security options.

Microsoft last week recommended that organizations no longer force employees to come up with new passwords every 60 days.

The company called the practice - once a cornerstone of enterprise identity management - "ancient and obsolete" as it told IT administrators that other approaches are much more effective in keeping users safe.

"Periodic password expiration is an ancient and obsolete mitigation of very low value, and we don't believe it's worthwhile for our baseline to enforce any specific value," Aaron Margosis, a principal consultant for Microsoft, wrote in a post to a company blog.

In the latest security configuration baseline for Windows 10 - a draft for the not-yet-in-general-release "May 2019 Update," aka 1903 - Microsoft dropped the idea that passwords should be frequently changed. The Windows security configuration baseline is a massive collection of recommended group policies and their settings, accompanied by reports, scripts and analyzers. Previous baselines had advised enterprises and other organizations to mandate a password change every 60 days. (And that was down from an earlier 90 days.)

No longer.

Margosis acknowledged that policies to automatically expire passwords - and other group policies that set security standards - are often misguided. "The small set of ancient password policies enforceable through Windows' security templates is not and cannot be a complete security strategy for user credential management," he said. "Better practices, however, cannot be expressed by a set value in a group policy and coded into a template."

Among those other, better practices, Margosis mentioned multi-factor authentication - also known as two-factor authentication - and banning weak, vulnerable, easily-guessed or frequently revealed passwords.