Microsoft says mandatory password changing is “ancient and obsolete”

Microsoft is finally catching on to what has been an almost universal adage among security experts for years: regularly changing passwords can do more harm than good.

In a post published late last month that drew little attention, Microsoft said it was removing regular password changes from the security baseline settings it recommends to customers and auditors. After decades of Microsoft recommending periodic changes, Microsoft employee Aaron Margosis called the requirement an “ancient and obsolete mitigation of very low value.”

The change in thinking is largely the result of research showing that passwords are most easily cracked when they are easy for end users to remember, for instance when they contain a name or a phrase from a favorite movie or book. Over the past decade, attackers have mined real-world password breaches and assembled dictionaries of many millions of words. Combined with fast graphics cards, those dictionaries let them make enormous numbers of guesses in offline attacks, which become possible once they steal the cryptographic hashes that represent users' plaintext passwords.

Even when users try to obfuscate easy-to-remember passwords, for example by adding letters or symbols to a word, or by substituting 0 for O and 1 for L, attackers apply programmatic mangling rules that transform dictionary entries in exactly the same ways. Against modern cracking tools, these measures therefore offer little protection.

There is a growing consensus among researchers that the best passwords are at least 11 characters long, randomly generated, and made up of upper- and lower-case letters, symbols (such as %, * or >) and numbers. Those characteristics make them particularly difficult for most people to remember. The same researchers warn that mandatory password changes every 30, 60 or 90 days, or at any other interval, can be harmful for a number of reasons. Chief among them is that the requirement encourages end users to choose weaker passwords than they otherwise would: what had been “p@$$w0rd1” becomes “p@$$w0rd2”, and so on. At the same time, mandatory changes offer little security benefit, because a password should be changed immediately when there is evidence of a genuine breach, not after a period fixed by policy.
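To make the cracking mechanism described above concrete, here is a small Python example. It is added here and is not code from the original article or from any tool it mentions. It applies a handful of mangling rules (capitalisation, leet substitutions, common suffixes) to a constructed four-word dictionary, hashes every candidate with unsalted SHA-256 as a stand-in for whatever fast hash a real breach exposes (an assumption; a Windows dump would hold NTLM), and compares each against a constructed "stolen" hash. It also enumerates the predictable successors of a cracked password, the p@$$w0rd1 to p@$$w0rd2 pattern, which is why a forced change buys an attacker holding the old password almost nothing. The wordlist, the rules and the target are all constructed for illustration.

```python
import hashlib
import re

# Constructed four-word dictionary standing in for the multimillion-entry
# lists assembled from real breaches (assumption: only the mechanism is real).
WORDLIST = ["password", "gandalf", "winter", "sunshine"]

# Forward leet substitutions, the same ones users apply by hand.
LEET = {"a": "@", "s": "$", "o": "0", "i": "1", "e": "3"}
SUFFIXES = ["", "1", "2", "3", "!", "1!", "123", "2019"]


def leet(word):
    return "".join(LEET.get(c, c) for c in word)


def capitalize(word):
    return word[:1].upper() + word[1:]


def mangle(word):
    """Yield every candidate one dictionary word expands to under the rules."""
    bases = {word, capitalize(word), leet(word), capitalize(leet(word))}
    for base in sorted(bases):
        for suffix in SUFFIXES:
            yield base + suffix


def generate_candidates(words):
    """Expand a wordlist, de-duplicated, in a stable order."""
    seen = set()
    for word in words:
        for cand in mangle(word):
            if cand not in seen:
                seen.add(cand)
                yield cand


def sha256_hex(text):
    # Unsalted SHA-256 stands in for a stolen fast hash (assumption; a real
    # Windows dump would hold NTLM). A salted, slow hash such as bcrypt cuts
    # the guess rate but does not change the dictionary-plus-rules approach.
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def crack(target_hash, words):
    """Offline attack: hash each candidate and compare it to the stolen hash."""
    for cand in generate_candidates(words):
        if sha256_hex(cand) == target_hash:
            return cand
    return None


def successors(old_password, count=3):
    """Predictable post-expiration variants: bump (or add) the trailing number."""
    m = re.match(r"^(.*?)(\d+)$", old_password)
    if not m:
        return [old_password + str(i) for i in range(1, count + 1)]
    stem, num = m.groups()
    return [stem + str(int(num) + i).zfill(len(num)) for i in range(1, count + 1)]


if __name__ == "__main__":
    stolen = sha256_hex("P@$$w0rd1")  # constructed "leaked" hash
    found = crack(stolen, WORDLIST)
    print("recovered:", found)
    print("next guesses after a forced change:", successors(found))
    print("candidates in this tiny run:", sum(1 for _ in generate_candidates(WORDLIST)))
```

Four words and a handful of rules already produce well over a hundred candidates; real rule sets number in the tens of thousands and run against dictionaries of millions of words, which is why a "clever" variant of a dictionary word is found in seconds.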

Despite the growing consensus among researchers, Microsoft and most other large organizations have been reluctant to speak out against regular password changes. One notable exception came in 2016, when Federal Trade Commission Chief Technologist Lorrie Cranor called on employers to rethink mandatory password changes (arstechnica.com/information…).

In the blog post, Margosis wrote:

There’s no question that the state of password security is problematic, and has been for a long time. When humans pick their own passwords, they tend to be easy to guess or predict. When humans are assigned or forced to create hard-to-remember passwords, they tend to write them down where others can see them. When humans are forced to change passwords, they tend to make small, predictable changes to existing passwords and/or forget the new ones. When passwords or their corresponding hashes are stolen, it can be difficult at best to detect or restrict their unauthorized use.

Recent scientific research calls into question the value of many long-standing password-security practices, such as password expiration policies, and points instead to better alternatives, such as enforcing banned-password lists (a good example being Azure AD Password Protection) and multi-factor authentication. While we recommend these alternatives, they cannot be expressed or enforced with our recommended security configuration baselines, which are built on Windows’ built-in Group Policy settings and cannot include customer-specific values.

He added:

Periodic password expiration is a defense only against the probability that a password (or hash) will be stolen during its validity interval and used by an unauthorized entity. If a password is never stolen, there is no need to expire it. And if you have evidence that a password has been stolen, you would presumably act immediately rather than wait for expiration to fix the problem. If it is a given that a password is likely to be stolen, how many days is an acceptable length of time to keep allowing the thief to use it? The Windows default is 42 days. Doesn’t that seem like a ridiculously long time? Well, it is, and yet our current baseline says 60 days, and used to say 90, because forcing frequent expiration introduces its own problems. And if it is not a given that passwords will be stolen, you acquire those problems for no benefit. Further, if your users are the kind who are willing to answer surveys in the parking lot that exchange a candy bar for their passwords, no password expiration policy will help you.

Margosis makes clear that the change does not in any way affect the recommended minimum password length, password history, or complexity requirements. And, he notes, Microsoft continues to urge customers to use multi-factor authentication.
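The alternatives Margosis points to, a banned-password list plus the retained length and history requirements, can be sketched in code. The following Python example is added here; it is not Microsoft's code and does not reproduce the Azure AD Password Protection algorithm. It normalises a proposed password (case folding, undoing common leet substitutions, stripping the trailing digits and symbols users bolt on) and checks the remaining stem against a constructed banned list, allowing one character of edit distance, and against the user's previous password, so that a digit bump after an expiration is rejected where a plain hash-based history check would accept it. The banned list, the substitution map and the 12-character minimum are assumptions for illustration.

```python
import re

# Constructed stand-in for a banned-password list; the real list behind
# Azure AD Password Protection is Microsoft's and far larger (assumption).
BANNED_STEMS = {"password", "welcome", "contoso", "summer", "winter", "qwerty"}

# Common substitutions to undo. Ambiguous ones (1 may be i or l) are
# resolved to a single letter, which is good enough for stem matching.
UNLEET = {"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t"}

# Digits and punctuation users append to satisfy complexity or expiration rules.
TRAILING_JUNK = re.compile(r"[\d!?.#*+_-]+$")


def normalize(pw):
    """Reduce a password to the dictionary stem a cracker would start from."""
    folded = pw.lower()
    folded = TRAILING_JUNK.sub("", folded)            # "p@$$w0rd2!" -> "p@$$w0rd"
    return "".join(UNLEET.get(c, c) for c in folded)  # "p@$$w0rd"   -> "password"


def edit_distance(a, b):
    """Levenshtein distance, used for the one-typo fuzzy match below."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,               # deletion
                           cur[j - 1] + 1,            # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def banned_match(stem):
    """Return the banned word the stem matches, or None.
    Matches exactly, as a substring (for words of 5+ letters), or within one edit."""
    for banned in BANNED_STEMS:
        if stem == banned:
            return banned
        if len(banned) >= 5 and banned in stem:
            return banned
        if abs(len(stem) - len(banned)) <= 1 and edit_distance(stem, banned) <= 1:
            return banned
    return None


def too_similar(new_pw, old_pw):
    """Stem-level history check: catches p@$$w0rd1 -> p@$$w0rd2, which an
    exact-hash history comparison would let through."""
    return normalize(new_pw) == normalize(old_pw)


def evaluate(new_pw, old_pw=None, min_length=12):
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(new_pw) < min_length:
        problems.append("too_short")
    hit = banned_match(normalize(new_pw))
    if hit:
        problems.append("banned:" + hit)
    if old_pw is not None and too_similar(new_pw, old_pw):
        problems.append("similar_to_previous")
    return problems


if __name__ == "__main__":
    print(evaluate("p@$$w0rd2", old_pw="p@$$w0rd1"))
    print(evaluate("Passw0rd2019"))
    print(evaluate("Tz7#vLq2!nRw8dK"))
```

Windows' built-in history setting only remembers previous hashes, so it accepts any change at all; comparing normalised stems, as above, is a stricter variant and is the kind of customer-specific logic Margosis says a Group Policy baseline cannot carry.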

The change to Microsoft’s baseline does not alter the default shipped with Windows Server, which Margosis says remains 42 days, even shorter than the 60 days the old baseline recommended. Still, the change gives employees ammunition to advocate for change within their own organizations. It is also likely to help companies push back against auditors, who often deem a company non-compliant unless it forces password changes at a specified interval, says password-security expert Jeremi Gosney, founder and CEO of Terahash.

“Microsoft is officially joining the fight against mandatory password changes,” Gosney said. “This will give companies more leverage against Big Compliance.”

The subheadline of this article has been changed. It previously said, “Bucking the trend, the company no longer advises businesses to force regular password changes.”


By DAN GOODIN – 6/4/2019, 5:08am