Written by Duo’s Thu Pham
Microsoft announced they’re dropping password-expiration policies requiring periodic password changes in the draft release of their security configuration baseline settings for Windows 10 and Windows Server (version 1903). Expiring passwords means forcing the end of their use, and periodic password changes mean making users change them every set number (60, 90) of days.
Human After All
We (non-computers) do a lot of the following when it comes to passwords, as I’ve summarized from Microsoft’s blog post:
- Pick weak, easy-to-guess or predict phrase(s)
- Write them down nearby when forced to create complex ones
- Make tiny and predictable alterations to existing passwords when forced to change them
We are fallible when security is left to only our ability to manage or create passwords. Humans are kind of lazy after all, as we optimize our mental energy to distribute it wisely throughout our days. We’re all just doing our best, ok?
Security Implications of Passwords
There are many, here’s just a few:
- When passwords are stolen and dumped en masse, it’s hard to detect their use
- The dark web, or underground forums, often host password lists for sale that can be used in brute-force password attacks
- Passwords alone make it easy for attackers to log in to applications and servers remotely, unauthorized
- In the case of password reuse, one set of stolen credentials can give an attacker access to multiple accounts, sometimes across both personal and work accounts
What is Better for Security?
So if password expiration policies don’t actually help, what does?
- Using multi-factor authentication (MFA): The most basic and effective preventative technology to add another way to verify your identity (by layering on something you have or something you are)
- Password managers: Keep track of accounts, password changes, and generate complex and unique passwords that humans need not remember with their brains
- Long passphrases: NIST recommends using a string of words instead of special character, capitalization and other annoyingly arbitrary requirements, as I wrote about back in 2017 on NIST’s updates to password security guidelines in their SP 800-63-3 Authentication & Lifecycle Management
- Enforcing banned password lists: An interesting Microsoft feature for Azure that uses a certain algorithm to help users avoid choosing weak and vulnerable passwords (documentation on how this works)
- The (one day) passwordless future: The use of biometrics tied to user devices that entirely eliminate the need for something you know. Today, you can use this method as a second factor, tying in the use of Touch ID to verify your identity
Microsoft encourages organizations to “choose whatever best suits their perceived needs without contradicting” their baseline security guidance. This frees up organizations to focus on their own risk tolerance, based on technology and business needs, and shifts the focus away from password expiration, “an ancient and obsolete mitigation of very low value.”
Taking a more adaptive, flexible approach can result in more usable, actually-effective security that protects access across your environment.