Microsoft admits that password expiration policies are a pointless security measure. The company has published an explanation of the draft release of its security configuration baseline settings for Windows 10 1903 and Windows Server 1903. This document sets guidelines for Group Policy baseline settings, and with this latest draft, there are some significant changes. Among the most noteworthy is a change to no longer set password expiration policies that require “periodic password changes,” a long-standing baseline that Microsoft says has become “an ancient and obsolete mitigation of very low value.”
The blog post goes on to explain why Microsoft is dropping the password expiration policy, noting first that “we are not proposing changing requirements for minimum password length, history, or complexity”:
“Periodic password expiration is a defense only against the probability that a password (or hash) will be stolen during its validity interval and will be used by an unauthorized entity. If a password is never stolen, there’s no need to expire it. And if you have evidence that a password has been stolen, you would presumably act immediately rather than wait for expiration to fix the problem.”
In addition to the news about password expiration, the baseline settings that disable the built-in Guest and Administrator accounts by default are also being discussed for removal.
“Note that removing these settings from the baseline would not mean that we recommend that these accounts be enabled, nor would removing these settings mean that the accounts will be enabled. Removing the settings from the baselines would simply mean that administrators could now choose to enable these accounts as needed.”
Microsoft is proposing to drop the password expiration policy for Windows 10 version 1903 and Windows Server version 1903, but it also insists that users should keep using strong passwords and any available additional protections to keep their data safe.
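As an added example (not code from the article or from Microsoft's baseline tooling), the following PowerShell audit exports the local security policy with `secedit` and reports the settings discussed above: forced password expiration, minimum length, history, complexity, and the built-in Guest and Administrator account state. The numeric thresholds are assumptions, not values taken from the article; substitute your organization's baseline.

```powershell
# Added audit example; not code from the article or from Microsoft's baseline tooling.
# Exports the local security policy with secedit and reports the settings the draft
# baseline discussion covers: forced password expiration (being dropped), minimum
# length / history / complexity (unchanged), and the built-in Guest/Administrator
# account state. Run from an elevated PowerShell prompt on Windows.
$MinPasswordLength = 14   # assumed threshold, not taken from the article
$MinHistorySize    = 24   # assumed threshold, not taken from the article

$cfg = Join-Path $env:TEMP 'secpol-audit.inf'
secedit /export /cfg $cfg /areas SECURITYPOLICY | Out-Null
if (-not (Test-Path $cfg)) { throw 'secedit export failed; run from an elevated prompt.' }

# Parse the [System Access] section of the exported INI into a hashtable.
$sysAccess = @{}
$inSection = $false
foreach ($line in Get-Content $cfg) {
    if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'System Access'); continue }
    if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(.*?)\s*$') { $sysAccess[$Matches[1]] = $Matches[2] }
}
Remove-Item $cfg -Force

function Get-Setting([string]$Name) {
    if ($sysAccess.ContainsKey($Name)) { return [int]$sysAccess[$Name] }
    return $null
}
function New-Finding([string]$Setting, $Value, [string]$Note) {
    [pscustomobject]@{ Setting = $Setting; Value = $Value; Note = $Note }
}

$maxAge  = Get-Setting 'MaximumPasswordAge'   # -1 in a secedit export = passwords never expire
$length  = Get-Setting 'MinimumPasswordLength'
$history = Get-Setting 'PasswordHistorySize'
$complex = Get-Setting 'PasswordComplexity'   # 1 = complexity requirements enforced
$guest   = Get-Setting 'EnableGuestAccount'   # 0 = account disabled
$admin   = Get-Setting 'EnableAdminAccount'   # 0 = account disabled

$findings = @(
    New-Finding 'MaximumPasswordAge' $maxAge $(if ($maxAge -eq -1) { 'no forced expiration (what the draft baseline leaves in place)' }
                                               else { "forced rotation every $maxAge days; no longer a baseline requirement" })
    New-Finding 'MinimumPasswordLength' $length  $(if ($length -ge $MinPasswordLength) { 'ok' } else { "below assumed threshold $MinPasswordLength" })
    New-Finding 'PasswordHistorySize'   $history $(if ($history -ge $MinHistorySize) { 'ok' } else { "below assumed threshold $MinHistorySize" })
    New-Finding 'PasswordComplexity'    $complex $(if ($complex -eq 1) { 'ok' } else { 'complexity not enforced' })
    New-Finding 'EnableGuestAccount'    $guest   $(if ($null -eq $guest) { 'not set' } elseif ($guest -eq 0) { 'disabled' } else { 'enabled: confirm this is a deliberate choice' })
    New-Finding 'EnableAdminAccount'    $admin   $(if ($null -eq $admin) { 'not set' } elseif ($admin -eq 0) { 'disabled' } else { 'enabled: confirm this is a deliberate choice' })
)
$findings | Format-Table -AutoSize
```

The report shows whether a machine still forces rotation and whether the length, history and complexity requirements Microsoft says it is keeping are actually in effect.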