All You Need to Know About Microsoft’s Decision to Drop Password Expiration Policy

May 14th, 2019

Microsoft has officially dropped its 60-day password expiration policy from its security baseline, a set of Microsoft-recommended configuration settings published together with an explanation of their security impact, following this month’s (May 2019) Windows 10 updates.

Microsoft’s decision rests on the grounds that periodic password expiration is an “ancient and obsolete mitigation of very low value”. In other words, periodic password expiration only acts as a defence if there is a high likelihood that a password will be stolen. Furthermore, if there is evidence that a password has been stolen, it is crucial that the password be changed straight away; any fixed expiry period may still leave an exposure. To avoid confusion, Microsoft is only removing the password-expiration policies; the password length, history and complexity settings remain unchanged.

Removing the password expiration policy from the baseline, rather than prescribing an alternative, leaves organisations free to choose their own security measures, something Microsoft strongly recommends they do to avoid leaving security gaps.

In response to the announcement from Microsoft, Shane Shook, Chief Strategy Advisor at Secrutiny, said: “Password change policy is an important risk management and ITC governance control. Tools such as Local Administrator Password Solution (LAPS) and Multiple-Factor Authorisation (MFA) help to enforce it with a model of how password policies can be enhanced with associated automation – I believe that is a better practice.”

Best Practices for Users

Implement Multi-Factor Authentication (MFA)

With threat actors increasingly focused on credential theft, organisations are becoming more aware of the importance of their authentication methods. Passwords are problematic: they are easily guessed, bypassed or stolen. This is where MFA comes into play, a security function that we predicted in 2018 would have a profound influence on the cyber security industry this year, overtaking the two-factor authentication (2FA) method.

2FA, which typically sends a unique code to the user’s phone, is still widely used, but there is a problem with this approach: the scheme can be broken by intercepting that bit of shared knowledge, the unique code, while it passes between the two parties.

To combat this, MFA requires users to confirm a collection of factors to verify their identity, usually something they have and a factor unique to their physical being, such as a retina or fingerprint scan, or contextual factors such as location and time of day. Ultimately, MFA significantly reduces the risk of an unwanted party accessing your most valuable assets, adds a layer of security that is hard to breach and meets user demand for a simple sign-in process.

Utilise Local Administrator Password Solutions (LAPS)

An alternative authentication control is LAPS, which manages the local account passwords of domain-joined computers. These passwords are stored in Active Directory, restricted to authorised users by ACLs (access control lists) and protected in transit by encryption using the Kerberos version 5 protocol.

Alongside allowing passwords of eight to 64 characters in length, it counters both the pass-the-hash and well-known-secret problems and is easy to deploy and manage. LAPS provides numerous security benefits, including the fact that no additional computers or application servers are required to handle the passwords.
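The following is an added example, not code from the original post or from Microsoft’s LAPS documentation. It shows what the passage above describes in practice: deploying the legacy LAPS PowerShell module (AdmPwd.PS) to one OU, then auditing the resulting ACL so that only the intended principals can read the stored passwords. The OU path, group names and computer name are hypothetical placeholders.

```powershell
# Added example (not from the original post or from Microsoft). Uses the cmdlets of the
# legacy LAPS PowerShell module, AdmPwd.PS. OU, group and computer names are hypothetical.
Import-Module AdmPwd.PS

$ou        = 'OU=Workstations,DC=corp,DC=example'   # hypothetical OU holding the workstations
$readers   = 'CORP\Helpdesk-Admins'                 # hypothetical group allowed to read passwords
$resetters = 'CORP\Helpdesk-Admins'                 # hypothetical group allowed to force a reset

# 1. Extend the AD schema once per forest; this adds the ms-Mcs-AdmPwd (password) and
#    ms-Mcs-AdmPwdExpirationTime attributes to the computer object class.
Update-AdmPwdADSchema

# 2. Let each computer in the OU write its own password and expiry time (SELF write permission).
Set-AdmPwdComputerSelfPermission -OrgUnit $ou

# 3. Grant read and reset rights to the intended principals only.
Set-AdmPwdReadPasswordPermission  -OrgUnit $ou -AllowedPrincipals $readers
Set-AdmPwdResetPasswordPermission -OrgUnit $ou -AllowedPrincipals $resetters

# 4. Audit the ACL. ms-Mcs-AdmPwd is a confidential attribute, so any principal holding
#    "All extended rights" on the OU can read it whether or not that was intended.
#    List the holders and warn on any outside the approved set.
$approved = @('NT AUTHORITY\SYSTEM', 'CORP\Domain Admins', $readers)
Find-AdmPwdExtendedRights -Identity $ou | ForEach-Object {
    foreach ($holder in $_.ExtendedRightHolders) {
        if ($approved -notcontains $holder) {
            Write-Warning "Unapproved LAPS password reader on $($_.ObjectDN): $holder"
        }
    }
}

# 5. Retrieve one machine's current password and expiry the sanctioned way. The legacy
#    module returns the password in clear text, so run this only from a trusted admin host.
Get-AdmPwdPassword -ComputerName 'WS-0001' |
    Select-Object ComputerName, Password, ExpirationTimestamp

# 6. Once the password has been used, expire it so the client rotates it at its next
#    Group Policy refresh, limiting how long a disclosed value stays valid.
Reset-AdmPwdPassword -ComputerName 'WS-0001'
```

Step 4 is the check worth repeating after any delegation change: the read permission granted in step 3 is an ACL entry, and anyone later given broad extended rights on the OU inherits the ability to read every local administrator password beneath it. The password length and complexity that LAPS enforces are set in the LAPS Group Policy settings rather than by these cmdlets.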

Capture Identity Intelligence on Corporate Users

Password reuse is also dangerous ground and can lead to severe consequences. Using the same password on different accounts is a common practice that threatens an individual’s online security. This is backed up by research by 4iQ, which found that out of 600 respondents surveyed, 313 (65.76%) had reused leaked passwords across multiple accounts.

Thankfully, there are now methods of scanning the surface, social, deep and dark web to find compromised data (which may be up for sale but is often freely available), including usernames, email addresses, passwords, personal information and confidential documents. These scans allow organisations to uncover breached identities in real time, by means of notifications issued as soon as an exposure is detected.

Fundamentally, organisations should focus on using strong and unique passwords, and be aware of passwords known to have appeared in data breaches and hacking campaigns, such as 1111111, qwerty, Iloveyou and qwertyuiop.
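As an added example, not from the original post, the script below shows how a password-set workflow can screen a candidate password against known-breached passwords while handling only hashes. The breach list here is constructed from the weak passwords named in the article plus a few others; a real deployment would load a large breach corpus. The five-character prefix lookup mirrors the k-anonymity range queries used by Have I Been Pwned’s Pwned Passwords API, where the client reveals only the first five hex characters of the SHA-1 digest.

```powershell
# Added example (not from the original post). Screens a candidate password against a
# constructed breach list using SHA-1 digests and a 5-character prefix index, so the
# plaintext password is never stored and only a hash prefix would ever leave the client.

function Get-Sha1Hex {
    param([Parameter(Mandatory)][string]$Text)
    $sha1 = [System.Security.Cryptography.SHA1]::Create()
    try {
        $bytes = [System.Text.Encoding]::UTF8.GetBytes($Text)
        ($sha1.ComputeHash($bytes) | ForEach-Object { $_.ToString('X2') }) -join ''
    } finally {
        $sha1.Dispose()
    }
}

# Constructed breach corpus, kept only as SHA-1 digests as a breach-check service would.
$breached = @('1111111', 'qwerty', 'Iloveyou', 'qwertyuiop', 'password', '123456') |
    ForEach-Object { Get-Sha1Hex $_ }

# Index the digests by their first five hex characters; a lookup only discloses that prefix.
$index = @{}
foreach ($digest in $breached) {
    $prefix = $digest.Substring(0, 5)
    if (-not $index.ContainsKey($prefix)) { $index[$prefix] = @() }
    $index[$prefix] += $digest.Substring(5)
}

function Test-BreachedPassword {
    param([Parameter(Mandatory)][string]$Candidate)
    $hash   = Get-Sha1Hex $Candidate
    $prefix = $hash.Substring(0, 5)
    $suffix = $hash.Substring(5)
    # The "server side" of the lookup sees only $prefix and returns every suffix under it;
    # the comparison against the full suffix happens here on the client.
    $suffixes = $index[$prefix]
    if ($null -eq $suffixes) { return $false }
    return ($suffixes -contains $suffix)
}

# Usage: reject a candidate at password-set time if it appears in the breach data.
foreach ($pw in @('qwertyuiop', 'correct horse battery staple')) {
    $state = if (Test-BreachedPassword $pw) { 'REJECT (seen in breach data)' } else { 'accept' }
    Write-Output ('{0,-32} {1}' -f $pw, $state)
}
```

Because the check compares unsalted SHA-1 digests, it belongs at the point where a new password is chosen, not as a stored credential format; hashing here only serves to match against the breach corpus without handling plaintext.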


[Infographic: The World’s Most Hacked Passwords. Source: Forbes 2019]


It begs the question: is a strong password that never changes better than a weak password that is updated regularly? A unique and robust password helps to prevent unauthorised access to your IT systems. On the flip side, periodically changing your password limits a breach from spreading to multiple accounts and precludes the use of saved passwords.


