Microsoft removes Password-Expiration Policy in security baseline for Windows 10

Pierluigi Paganini April 29, 2019

Microsoft presented a series of security enhancements for its Windows 10, including the removal of the password-expiration policy. 

Microsoft announced the removal of the password-expiration policy from its operating system starting with the next Windows 10 feature update (Windows 10 version 1903, a.k.a., “19H1” ) and Windows Server version 1903.

The reasoning behind this change is that a password-expiration policy only improves a user's security if the password has actually been compromised; if a password is never compromised, forcing it to expire on a schedule only worsens the user experience without adding protection.

“Periodic password expiration is a defense only against the probability that a password (or hash) will be stolen during its validity interval and will be used by an unauthorized entity. If a password is never stolen, there’s no need to expire it.” reads the post published by Microsoft. “And if you have evidence that a password has been stolen, you would presumably act immediately rather than wait for expiration to fix the problem.”

An organization can protect users against stolen passwords by choosing alternative security policies instead of a password-expiration policy, for example by enforcing multi-factor authentication.

“Periodic password expiration is an ancient and obsolete mitigation of very low value, and we don’t believe it’s worthwhile for our baseline to enforce any specific value,” continues the post. “By removing it from our baseline rather than recommending a particular value or no expiration, organizations can choose whatever best suits their perceived needs without contradicting our guidance.”

The proposed Windows-10-1903-Security-Baseline-DRAFT also includes a change related to the built-in Administrator and Guest accounts, which will no longer be disabled by default.


It also recommends having local administrative accounts enabled by default, but only one of them should be in use, and that one should have a strong password.
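The two settings discussed above (the now-unenforced maximum password age, and the state of the built-in Administrator and Guest accounts plus the "only one local admin in use" recommendation) are easy to audit on a single Windows 10 machine. The following PowerShell script is an added example written for this article; it is not Microsoft's baseline tooling or code from the original post. It assumes the built-in Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 and later) and an elevated session, and it parses the output of `net accounts` for the effective local password policy.

```powershell
# Added example (not from the article or Microsoft's baseline): audit the
# settings the 1903 draft baseline touches on a Windows 10 machine.
# Assumes Microsoft.PowerShell.LocalAccounts is available and the session is elevated.

function Get-LocalAdminAudit {
    # Enumerate the local Administrators group and keep only local user accounts
    # (domain or Azure AD principals are excluded via PrincipalSource).
    $members = Get-LocalGroupMember -Group 'Administrators'
    $localAdmins = foreach ($m in $members) {
        if ($m.ObjectClass -eq 'User' -and $m.PrincipalSource -eq 'Local') {
            $name = ($m.Name -split '\\')[-1]
            $u = Get-LocalUser -Name $name
            [pscustomobject]@{
                Name            = $u.Name
                Enabled         = $u.Enabled
                PasswordLastSet = $u.PasswordLastSet
                # A SID ending in -500 is the built-in Administrator account.
                IsBuiltIn       = $u.SID.Value.EndsWith('-500')
            }
        }
    }
    $enabled = @($localAdmins | Where-Object Enabled)
    [pscustomobject]@{
        LocalAdmins          = $localAdmins
        EnabledCount         = $enabled.Count
        # The article's recommendation: only one local administrative account in use.
        MeetsSingleAdminRule = ($enabled.Count -le 1)
    }
}

function Get-BuiltInAccountState {
    # Status of the built-in Administrator (RID 500) and Guest (RID 501) accounts,
    # which the draft baseline no longer forces to be disabled.
    Get-LocalUser |
        Where-Object { $_.SID.Value -match '-(500|501)$' } |
        Select-Object Name, Enabled, PasswordLastSet,
            @{ Name = 'RID'; Expression = { ($_.SID.Value -split '-')[-1] } }
}

function Get-MaxPasswordAgeDays {
    # Parse "Maximum password age (days): 42" (or "Unlimited") from `net accounts`,
    # which reports the effective local policy on this machine.
    $line = net accounts | Select-String -Pattern 'Maximum password age'
    if (-not $line) { return $null }
    $value = ($line.Line -split ':')[-1].Trim()
    if ($value -match '^\d+$') { return [int]$value }
    return 'Unlimited'
}

$audit = Get-LocalAdminAudit
Write-Host 'Local accounts in the Administrators group:'
$audit.LocalAdmins | Format-Table -AutoSize
if (-not $audit.MeetsSingleAdminRule) {
    Write-Warning "$($audit.EnabledCount) local administrator accounts are enabled; only one should be in use."
}

Write-Host 'Built-in Administrator / Guest state:'
Get-BuiltInAccountState | Format-Table -AutoSize

# With the expiration requirement gone from the baseline, this value is now an
# organizational choice; record it rather than assuming the baseline sets it.
$age = Get-MaxPasswordAgeDays
Write-Host "Effective maximum password age (days): $age"
```

Run it from an elevated prompt; on a domain-joined machine `net accounts` still reports the policy in effect locally, while the domain-wide value would come from `Get-ADDefaultDomainPasswordPolicy` in the ActiveDirectory module. The single-admin check counts only enabled local accounts, so a built-in Administrator that is present but disabled does not trigger the warning.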

If you are interested in the other changes proposed by Microsoft, take a look at the draft.


Pierluigi Paganini

(SecurityAffairs – Microsoft, password-expiration policy)
