
What’s the password?


The practice of resetting Microsoft Windows passwords every 60 days may be about to go the way of the dodo.

Microsoft is dropping the “ancient and obsolete” practice, still enforced by some corporate IT departments, from its recommended Windows security baseline, and is advocating more secure methods of signing into personal computers running its Windows operating system.

“Periodic password expiration is an ancient and obsolete mitigation of very low value, and we don’t believe it’s worthwhile for our baseline to enforce any specific value,” says Microsoft principal consultant Aaron Margosis in a company blog.

Password security has been a problem for a long time. When people pick their own passwords, they often choose ones that are easy to guess. When hard-to-remember passwords are assigned to people, they will probably write them down; some even stick them to the computer screen on a sticky note. We’ve all seen it. And people forced to change their passwords make small and predictable alterations to the existing one, so an attacker who already knows the old password has a very good guess at the new one, which is why forced expiry adds so little.
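The “predictable alteration” problem above is something a password-change screen can actually test for. The following is an added example, not code from the article or from Microsoft: a small check that reduces a password to its memorable core (lower-cased, common letter-for-digit substitutions undone, leading and trailing digits and symbols stripped) and rejects a new password whose core matches the old one, or which is only a character or two away from it. The sample pairs and the 0.8 similarity threshold are constructed for illustration.

```python
import re
from difflib import SequenceMatcher

# Constructed sample pairs (old password, new password); not real credentials.
SAMPLE_PAIRS = [
    ("Summer2018!", "Summer2019!"),       # bumped the year
    ("Welcome1", "Welcome2"),             # bumped the counter
    ("Tr0ub4dor&3", "tr0ub4dor&3!"),      # case change plus a tacked-on symbol
    ("MyDogRex2019", "MyDogRox2019"),     # one letter swapped in the middle
    ("correct horse", "battery staple"),  # genuinely different
]

# Common leet substitutions, undone so "passw0rd" and "password" share a core.
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def stem(password: str) -> str:
    """Reduce a password to its memorable core: lower-case, drop leading and
    trailing non-letters (years, counters, punctuation), then undo leet."""
    lowered = password.lower()
    trimmed = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)
    return trimmed.translate(_LEET)


def is_predictable_variant(old: str, new: str, ratio_threshold: float = 0.8) -> bool:
    """True when `new` is the kind of small edit people make under forced expiry."""
    if old == new:
        return True
    old_core, new_core = stem(old), stem(new)
    if old_core and old_core == new_core:
        return True
    # Catch small edits the stem rule misses, e.g. one character changed mid-word.
    return SequenceMatcher(None, old.lower(), new.lower()).ratio() >= ratio_threshold


def screen_pairs(pairs=SAMPLE_PAIRS) -> list:
    """Run the check over the constructed pairs; True means 'reject this change'."""
    return [is_predictable_variant(old, new) for old, new in pairs]


if __name__ == "__main__":
    for (old, new), rejected in zip(SAMPLE_PAIRS, screen_pairs()):
        print(f"{old!r} -> {new!r}: {'REJECT' if rejected else 'ok'}")
```

The stem rule catches the year-bump and counter-bump cases that dominate real password-change logs; the similarity ratio is a fallback for edits inside the word. Tune the threshold against your own history rather than trusting 0.8 blindly.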

“By removing it from our baseline rather than recommending a particular value or no expiration, organisations can choose whatever best suits their perceived needs without contradicting our guidance,” Aaron says.

“At the same time, we must reiterate that we strongly recommend additional protections even though they cannot be expressed in our baselines.”

Two-factor authentication, abbreviated to 2FA, is the way to go. It confirms the computer user’s claimed identity with two independent factors: usually something they know, such as a password, and something they have, such as a cellphone that receives a one-time code by text message, which is entered after the password. A code sent by text message is the weakest of the common second factors, because phone numbers can be hijacked; an authenticator app or a hardware security key is stronger. Any second factor, though, is a large improvement over a password alone.
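To make the two-step flow concrete, here is an added example (not code from the article or from Microsoft) of the server side: the password is checked against a salted, slow hash, and only then is a short one-time code issued for the phone. The code is generated with a cryptographic random source, compared in constant time, expires after a fixed window, is single-use, and is voided after a few wrong guesses. The SMS gateway is stubbed (`send_code` returns the code instead of texting it), the five-minute window, three-attempt limit and work factor are assumed policy values, and the user and password in `demo()` are constructed.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 300   # assumed policy: a code is valid for five minutes
MAX_ATTEMPTS = 3         # assumed policy: three wrong guesses void the code
PBKDF2_ROUNDS = 200_000  # assumed work factor for the stored password hash


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted hash for the 'something you know' factor."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class PendingCode:
    code: str
    expires_at: float
    attempts_left: int = MAX_ATTEMPTS


class TwoFactorLogin:
    """Password first, then a one-time code sent to a phone the user holds.
    Delivery is stubbed: send_code() returns the code instead of texting it."""

    def __init__(self, clock=time.time):
        self._clock = clock                # injectable so expiry can be tested offline
        self._users = {}                   # user -> (salt, password hash)
        self._pending = {}                 # user -> PendingCode

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[user] = (salt, hash_password(password, salt))

    def check_password(self, user: str, password: str) -> bool:
        record = self._users.get(user)
        if record is None:
            return False
        salt, stored = record
        return hmac.compare_digest(stored, hash_password(password, salt))

    def send_code(self, user: str) -> str:
        # secrets, not random: the code must be unguessable by someone who has the password.
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[user] = PendingCode(code, self._clock() + CODE_TTL_SECONDS)
        return code   # hypothetical: an SMS gateway call would replace this return

    def verify_code(self, user: str, submitted: str) -> bool:
        pending = self._pending.get(user)
        if pending is None:
            return False
        if self._clock() > pending.expires_at:
            del self._pending[user]        # stale code: make the user request a new one
            return False
        # Constant-time compare so timing does not reveal how many digits matched.
        if hmac.compare_digest(pending.code.encode(), submitted.encode()):
            del self._pending[user]        # a code is single-use
            return True
        pending.attempts_left -= 1
        if pending.attempts_left <= 0:
            del self._pending[user]        # too many guesses: void the code
        return False


def demo() -> dict:
    """Constructed walk-through of the flow; returns each scenario's outcome."""
    now = [1_000_000.0]                    # fake clock so expiry can be exercised
    site = TwoFactorLogin(clock=lambda: now[0])
    site.register("alice", "correct horse battery staple")   # constructed credentials
    results = {}
    results["wrong_password"] = site.check_password("alice", "Summer2019!")
    results["right_password"] = site.check_password("alice", "correct horse battery staple")
    results["code_before_send"] = site.verify_code("alice", "123456")
    code = site.send_code("alice")
    results["wrong_code"] = site.verify_code("alice", "0000000")     # 7 digits, can never match
    results["right_code"] = site.verify_code("alice", code)
    results["code_replayed"] = site.verify_code("alice", code)
    code = site.send_code("alice")
    for _ in range(MAX_ATTEMPTS):
        site.verify_code("alice", "0000000")
    results["locked_after_guesses"] = site.verify_code("alice", code)
    code = site.send_code("alice")
    now[0] += CODE_TTL_SECONDS + 1
    results["expired_code"] = site.verify_code("alice", code)
    return results


if __name__ == "__main__":
    for scenario, ok in demo().items():
        print(f"{scenario}: {'accepted' if ok else 'rejected'}")
```

Note that the code is only issued after the password passes, so a wrong password never triggers a text; and the attempt limit matters because a six-digit code is trivially brute-forced if the server will accept unlimited guesses.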

Microsoft sought feedback on its proposal and, to no one’s surprise, some IT professionals baulked at it. They complained that their businesses have signed contracts with clients which require passwords to be changed every 60 days.

You don’t have to be Bill Gates, however, to know that the answer is to renegotiate those contracts to require the more secure two-factor authentication instead. Multi-factor authentication (MFA) is the general term; 2FA is the two-factor case, and the ultra-conservative can require more than two factors of identification.

If you’re changing your password every 30 or 60 days, or just not using 2FA, it might be time to talk to your IT department or provider about making the change.


About Author

David Hallett

David Hallett is a co-founder and director of Hamilton software specialist Company-X