Microsoft Says Forced Password Resets Don’t Improve Security

Microsoft Says Forced Password Resets Don’t Improve Security

Anyone who has spent more than a few weeks working in a corporate environment has dealt with the frustration of mandatory password changes. However, those days may finally be coming to an end. In a recent blog post, Microsoft admitted that compulsory password changes don’t enhance security and may actually make enterprise networks less secure.

For decades, the baseline password practices Microsoft provided to customers suggested forcing employees to change their passwords every 60 days. According to Microsoft’s Aaron Margosis, that technique is an “ancient and obsolete mitigation of very low value.” It comes from an era in which people might share passwords, and in time, a password might leak out of the organization. Today’s password breaches happen at the speed of light as malicious actors steal data and use GPUs to guess passwords. Assuming that a password is stolen, isn’t 60 days a rather long time to allow the thief to use it anyway? Anyone who’s going to do real damage will have done it long before the password reset rolls around.

When you force users to change passwords frequently, they’re likely to choose passwords that are easy to remember. Research shows that such passwords are probably the easiest to crack in the event someone steals a hashed database and unleashes an army of GPUs on it. For example, people use dictionary words with numbers substituted for similar looking letters. If you make them change that password, they’ll probably just make predictable changes that are just as easy to crack.

Microsoft Says Forced Password Resets Don’t Improve Security

Margosis says that implementing requirements like banned-password lists, multi-factor authentication, detection of password-guessing attacks, and detection of anomalous login attempts make forced password resets obsolete. Passwords are inherently problematic for security, so making people choose more bad passwords isn’t the best approach. Margosis points out that Microsoft is not changing its guidelines on password length, complexity, or history. The most robust passwords are randomly generated, and the longer they are, the better.

While Microsoft will stop telling organizations to force password resets, it won’t be taking its own advice right away. The password reset timer in Windows Server products is still 42 days. It wouldn’t be surprising if Microsoft changes that default in future versions, though. Nevertheless, IT workers who want to do away with tedious and unnecessary password resets will have something to show higher-ups to help make their case.

Continue reading

The Best Smart Home Security Systems
The Best Smart Home Security Systems

Once a niche business with a few traditional players and some startups, home security systems are now a major battleground for not just security companies, but several internet giants. We round up highlights of the most popular options for 2020.

Microsoft: Pluton Chip Will Bring Xbox-Like Security to Windows PCs
Microsoft: Pluton Chip Will Bring Xbox-Like Security to Windows PCs

Intel, AMD, and Qualcomm are working to make Pluton part of their upcoming designs, which should make PCs more difficult to hack, but it also bakes Microsoft technology into your hardware.

Security Researcher: ‘solarwinds123’ Password Left Firm Vulnerable in 2019
Security Researcher: ‘solarwinds123’ Password Left Firm Vulnerable in 2019

SolarWinds, the company at the center of the massive hack that hit US government agencies and corporations, doesn't exactly use cutting-edge password techniques.

A File Sharing App With 1 Billion Downloads Has a Major Security Flaw
A File Sharing App With 1 Billion Downloads Has a Major Security Flaw

Trend Micro says SHAREit is a security nightmare that could allow intruders to sneak a peek at your data or even install malware. Perhaps most troublingly, the developers have not responded to Trend Micro's warnings.