Windows 10: Microsoft ditches its ‘ancient, obsolete’ expiring password policy
As part of the security baseline for the major Windows 10 update due in May of this year (version 1903), Microsoft is dropping the requirement that users periodically change their passwords. The maximum-password-age setting itself stays in Windows; what changes is that Microsoft's recommended baseline no longer prescribes a value for it, leaving organisations to decide whether to force rotation at all.
For a long time, policies of this kind were considered a fundamental security standard, but in recent years security professionals have been calling on companies to drop the practice, arguing that it actually encourages risky behaviour. Users tend to respond to a forced change by picking a new password that differs only slightly from the old one, or, where the system allows it, by alternating between two similar passwords. The new password is then easy to guess for anyone who already knows the old one, so rotation does little to limit the damage from a leaked credential. A further problem is that users forget the new password more often, which encourages them to write it down somewhere.
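The behaviour described above, as an added illustration that is not code from the article or from Microsoft: an attacker who already holds a user's expired password can enumerate the handful of edits users typically make (bump the trailing number, append a digit, swap the trailing symbol, flip the case of the first letter) and recover the successor with a few guesses. The transformation list and the sample old/new pairs below are constructed for this example, not taken from any breach data.

```python
import re

# Split a password into a word core, an optional trailing counter and an
# optional trailing run of symbols: "Summer2018!" -> ("Summer", "2018", "!").
_PARTS = re.compile(r"^(.*?)(\d*)([^A-Za-z0-9]*)$", re.S)

# Symbols users commonly rotate through at the end of a password (constructed list).
SUFFIX_SYMBOLS = "!@#$%*?"


def successor_guesses(old: str) -> set:
    """Passwords an attacker who knows `old` would try first after a forced change."""
    if not old:
        return set()
    core, digits, symbols = _PARTS.match(old).groups()
    guesses = set()

    if digits:
        # 1. Bump the trailing counter, keeping its width ("Spring18" -> "Spring19").
        n = int(digits)
        for step in range(1, 4):
            guesses.add(f"{core}{n + step:0{len(digits)}d}{symbols}")
    else:
        # 2. No counter yet: the usual first move is to append one.
        for d in "0123456789":
            guesses.add(f"{core}{d}{symbols}")
            guesses.add(f"{core}{symbols}{d}")

    # 3. Change only the trailing symbol ("Winter19!" -> "Winter19#").
    for s in SUFFIX_SYMBOLS:
        guesses.add(f"{core}{digits}{s}")

    # 4. Flip the case of the first character ("Passw0rd" -> "passw0rd").
    guesses.add(old[0].swapcase() + old[1:])

    guesses.discard(old)
    return guesses


def is_predictable(old: str, new: str) -> bool:
    """True when `new` is `old` itself or one of its trivial successors."""
    return new == old or new in successor_guesses(old)


def cycles_history(new: str, history) -> bool:
    """The 'alternate between two passwords' pattern: `new` was used before."""
    return new in history


# Constructed sample of old/new pairs as a user might choose them at rotation time.
SAMPLE_CHANGES = [
    ("Summer2018!", "Summer2019!"),
    ("Winter19", "Winter19!"),
    ("Passw0rd", "passw0rd"),
    ("correct horse battery", "staple-zebra-oven"),
]


def predictable_fraction(pairs) -> float:
    """Share of changes an attacker holding the old password would guess outright."""
    hits = sum(is_predictable(old, new) for old, new in pairs)
    return hits / len(pairs)


if __name__ == "__main__":
    for old, new in SAMPLE_CHANGES:
        print(f"{old!r:>25} -> {new!r:<20} predictable={is_predictable(old, new)}")
    print(f"predictable fraction: {predictable_fraction(SAMPLE_CHANGES):.2f}")
```

The same `is_predictable` check, run in reverse at password-change time against the user's previous password, is the kind of rule a password filter can apply to reject a trivial variant; without such a rule, a maximum-password-age setting mostly converts one long-lived password into a predictable series of them.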
Microsoft is aware of these issues. In fact, Aaron Margosis of Microsoft justified the policy change by stating that "[p]eriodic password expiration is an ancient and obsolete mitigation of very low value, and we don't believe it's worthwhile for our baseline to enforce any specific value."
Passwords on their own are widely considered a weak security control, and firms are increasingly looking for alternative ways to protect user accounts. The same Microsoft announcement points to controls that address the underlying risk more directly than rotation does: banned-password lists, multi-factor authentication, and detection of password-guessing and anomalous logon attempts.