Microsoft has acknowledged what most security researchers have known for a long time: the practice of forcing passwords to expire and requiring users to come up with new ones does not enhance security. In a blog post, Security baseline (DRAFT) for Windows 10 v1903 and Windows Server v1903, Microsoft’s Aaron Margosis writes that one of the baseline changes will be “dropping the password-expiration policies that require periodic password changes.” He goes on to say that while recent research indicates that enforcement of banned password lists and multi-factor authentication are better alternatives, “they cannot be expressed or enforced with our recommended security configuration baselines.”
Andy Levchuk
Comments