Users who hate having to change their Windows passwords every 60 days can rejoice: Microsoft now agrees that there is no point to forced password changes and will be removing that recommendation from its security configuration baseline.

Microsoft dropped the password-expiration policy in the latest draft version of the security configuration baseline settings for Windows 10 (v1903) and Windows Server (v1903), calling the practice “an ancient and obsolete mitigation of very low value.” According to the draft document, Microsoft will no longer recommend that accounts controlled by the network’s group policy have a policy to require users to change their passwords periodically. Microsoft is finally telling Windows administrators there are better ways to protect systems and networks than forcing users to pick new passwords every few weeks or months.

“We are talking here only about removing password-expiration policies–we are not proposing changing requirements for minimum password length, history, or complexity,” wrote Aaron Margosis, a principal consultant with Microsoft Public Sector Services.

Microsoft's baseline had prompted users to change their passwords every 60 days, down from the original 90 days, and Margosis questioned whether that interval made sense. Password expiration policies protect enterprises only in situations where passwords or password hashes are stolen and can be used to gain unauthorized access to the network, Margosis said. Judged against that threat, the interval was too long: if the password or hash was stolen, the administrator would want the user to change it immediately, not wait for the password to expire. Making the interval shorter to force password changes more frequently would introduce more problems, since users tend to make “small and predictable alteration to their existing password,” making the new password guessable. And if it wasn’t stolen, then it doesn’t need to be changed at all.
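The “small and predictable alteration” problem is what a plain password-history check does not catch: the new password is not in the history, it is just the old one with a bumped digit. As an added example, not part of the article or of Microsoft's baseline, here is a check a password-change handler could run against the previous password; the substitution table, the one-edit threshold and the four-character minimum for the containment test are assumptions chosen for this illustration.

```python
import re

# Substitutions users commonly apply when forced to rotate a password
# (constructed table; an assumption for this example, not a baseline setting).
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                       "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(password: str) -> str:
    """Reduce a password to its 'core': lowercase, drop leading/trailing
    digits and symbols, then undo leetspeak. 'W1nter2020!' -> 'winter'.
    An all-digit password has no core, so it is kept as typed."""
    lowered = password.lower()
    core = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", lowered)
    return core.translate(_LEET) if core else lowered


def levenshtein(a: str, b: str) -> int:
    """Minimum single-character edits turning a into b (standard DP)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def is_trivial_variation(old: str, new: str, max_edits: int = 1) -> bool:
    """True when `new` is the kind of tweak someone holding `old` would try
    first: same core with different digits/symbols, the core reversed,
    the core extended or truncated, or a single character changed."""
    if old == new:
        return True
    a, b = normalize(old), normalize(new)
    if a == b or a == b[::-1]:
        return True
    if len(a) >= 4 and (a in b or b in a):
        return True
    return levenshtein(a, b) <= max_edits


if __name__ == "__main__":
    # Constructed sample pairs: the first three should be rejected.
    for old, new in [("Winter2019!", "Winter2020!"), ("Password1", "P@ssw0rd!"),
                     ("Summer", "summertime2024"), ("Winter2019!", "correct-horse-battery")]:
        verdict = "reject" if is_trivial_variation(old, new) else "accept"
        print(f"{old!r} -> {new!r}: {verdict}")
```

The check only has meaning at change time, when both the old and the new password are available in cleartext to the handler; it says nothing about whether the old password was ever compromised, which is Margosis's point about expiration.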

“Further, if your users are the kind who are willing to answer surveys in the parking lot that exchange a candy bar for their passwords, no password expiration policy will help you,” Margosis said.

Microsoft's policy change is in line with NIST, which removed references to periodic password changes in its password guidance back in 2017. An attacker who already knows the user’s password is likely to be able to guess the user’s next password, former Federal Trade Commission chief technologist Lorrie Cranor wrote in 2016.

The document provides security templates that organizations can use to limit certain features and services to protect Windows systems and networks from attacks. The baselines give administrators a solid security foundation, but they should not be considered “a complete security strategy,” Margosis said. Administrators still need to consider other layers of protection to make sure their networks are protected.