Microsoft has dumped periodic password expiration policies from its recommended Windows security baseline.
Microsoft has for years recommended that administrators expire users’ passwords and force them to choose a new one every few weeks. The measure was thought to reduce risk by making it harder to use stolen credentials.
But as Microsoft employee and self-described “Windows cybersec nerd” Aaron Margosis wrote in the announcement of the new guidance, “When humans are forced to change their passwords, too often they’ll make a small and predictable alteration to their existing passwords, and/or forget their new passwords.” Margosis also stated that “When humans pick their own passwords, too often they are easy to guess or predict. When humans are assigned or forced to create passwords that are hard to remember, too often they’ll write them down where others can see them.”
“Periodic password expiration is a defense only against the probability that a password (or hash) will be stolen during its validity interval and will be used by an unauthorized entity. If a password is never stolen, there’s no need to expire it,” Margosis wrote. “And if you have evidence that a password has been stolen, you would presumably act immediately rather than wait for expiration to fix the problem.”
All of which means forced password refreshes don’t offer a lot of value, and shows why Microsoft and others now use combinations of biometrics, two-factor authentication and the WebAuthn password-free authentication standard.
Other changes to the baselines include:
- No longer recommending that the BitLocker drive encryption method use the strongest possible encryption. BitLocker offers 256-bit encryption, but the baseline will no longer require it because “our crypto experts tell us that there is no known danger of its being broken in the foreseeable future” and 256-bit also imposes a performance hit.
- Stricter policies for Windows services hosted in svchost.exe, a core part of Windows, so that all binaries it loads are signed by Microsoft. Dynamically-generated code is disallowed.
- Configuring the new App Privacy setting, “Let Windows apps activate with voice while the system is locked,” so that users cannot interact with applications using speech while the system is locked.
- Disabling multicast name resolution (LLMNR) to mitigate server spoofing threats.
Another change will see the end of forced disablement of Windows built-in Administrator and Guest accounts. Both will remain present, but the change means “administrators can now choose to enable these accounts as needed”.
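As an added illustration (not code from the article or from Microsoft), the following PowerShell audit reads the registry values that the Group Policy settings behind three of the changes above write, and reports whether a host matches the new baseline, plus the state of the built-in Administrator and Guest accounts. The registry paths, value names and expected values are stated from memory of those policy definitions and should be checked against the baseline’s own GPO report before relying on them.

```powershell
# Added example: audit a Windows host against baseline settings discussed above.
# Registry locations are assumed from the corresponding Group Policy definitions.
$checks = @(
    @{ Name = 'LLMNR disabled (Turn off multicast name resolution)'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
       Value = 'EnableMulticast'; Expected = 0 },
    @{ Name = 'svchost.exe mitigations (Microsoft-signed binaries, no dynamic code)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SCMConfig'
       Value = 'EnableSvchostMitigationPolicy'; Expected = 1 },
    @{ Name = 'Voice activation above lock denied'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy'
       Value = 'LetAppsActivateWithVoiceAboveLock'; Expected = 2 }   # 2 = Force Deny
)

function Test-BaselineSetting {
    param([hashtable]$Check)
    $actual = $null
    if (Test-Path $Check.Path) {
        # A missing value means the policy is not configured on this host.
        $actual = (Get-ItemProperty -Path $Check.Path -Name $Check.Value `
                       -ErrorAction SilentlyContinue).($Check.Value)
    }
    [pscustomobject]@{
        Setting   = $Check.Name
        Expected  = $Check.Expected
        Actual    = if ($null -eq $actual) { '(not set)' } else { $actual }
        Compliant = ($actual -eq $Check.Expected)
    }
}

$results = @($checks | ForEach-Object { Test-BaselineSetting -Check $_ })

# The new baseline no longer forces the built-in accounts disabled, so only
# report their state; enabling them is now an administrator's decision.
$results += @(Get-LocalUser -Name 'Administrator', 'Guest' -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Setting   = "Built-in account '$($_.Name)'"
            Expected  = 'admin decision'
            Actual    = if ($_.Enabled) { 'enabled' } else { 'disabled' }
            Compliant = $true
        }
    })

$results | Format-Table -AutoSize
```

Run it in an elevated PowerShell session so the HKLM policy keys and local account information are readable.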