May was a momentous month, which marked a victory for sanity and pragmatism over irrational paranoia. I’m talking about Microsoft finally — finally! but credit to them for doing this nonetheless! — removing the password expiration policies from their Windows 10 security baseline.
To quote Microsoft:
"Recent scientific research calls into question the value of many long-standing password-security practices such as password expiration policies, and points instead to better alternatives … If a password is never stolen, there’s no need to expire it. And if you have evidence that a password has been stolen, you would presumably act immediately rather than wait for expiration to fix the problem."
"…If an organization has successfully implemented banned-password lists, multi-factor authentication, detection of password-guessing attacks, and detection of anomalous logon attempts, do they need any periodic password expiration? And if they haven’t implemented modern mitigations, how much protection will they really gain from password expiration? …Periodic password expiration is an ancient and obsolete mitigation of very low value."
If you have a password at an organization that still enforces periodic password expiration, I recommend you send that blog post to its system administrators.