Microsoft last week recommended that organizations no longer force employees to come up with new passwords every 60 days.

The company called the practice - once a cornerstone of enterprise identity management - "ancient and obsolete" as it told IT administrators that other approaches are much more effective in keeping users safe.

"Periodic password expiration is an ancient and obsolete mitigation of very low value, and we don't believe it's worthwhile for our baseline to enforce any specific value," Aaron Margosis, a principal consultant for Microsoft, wrote in a post to a company blog.

In the latest security configuration baseline for Windows 10 - a draft for the not-yet-in-general-release "May 2019 Update," aka 1903 - Microsoft dropped the idea that passwords should be frequently changed. The Windows security configuration baseline is a massive collection of recommended group policies and their settings, accompanied by reports, scripts and analyzers. Previous baselines had advised enterprises and other organizations to mandate a password change every 60 days. (And that was down from an earlier 90 days.)

No longer.

Margosis acknowledged that policies to automatically expire passwords - and other group policies that set security standards - are often misguided. "The small set of ancient password policies enforceable through Windows' security templates is not and cannot be a complete security strategy for user credential management," he said. "Better practices, however, cannot be expressed by a set value in a group policy and coded into a template."

Among those other, better practices, Margosis mentioned multi-factor authentication - also known as two-factor authentication - and banning weak, vulnerable, easily-guessed or frequently revealed passwords.

Microsoft is not the first to doubt the convention.

Two years ago, the National Institute of Standards and Technology (NIST), an arm of the U.S. Department of Commerce, made similar arguments as it downgraded regular password replacement. "Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically)," NIST said in a FAQ that accompanied the June 2017 version of SP 800-63, "Digital Identity Guidelines," using the term "memorized secrets" in place of "passwords."

Then, the institute had explained why mandated password changes were a bad idea this way: "Users tend to choose weaker memorized secrets when they know that they will have to change them in the near future. When those changes do occur, they often select a secret that is similar to their old memorized secret by applying a set of common transformations such as increasing a number in the password."

Both the NIST and Microsoft urged organizations to require password resets when there is evidence that the passwords had been stolen or otherwise compromised. And if they haven't been touched? "If a password is never stolen, there's no need to expire it," Microsoft's Margosis said.

"I agree 100% with Microsoft's logic for enterprises, which are who uses [group policies] anyway," said John Pescatore, the director of emerging security trends at the SANS Institute. "Forcing every employee to change passwords at some arbitrary period almost invariably causes more vulnerabilities to appear in the password reset process (because there are now frequent spikes of users forgetting their passwords) which increases risk more than the forced password reset ever decreases it."

Like Microsoft and NIST, Pescatore thought periodic password resets are the hobgoblins of little minds. "Having [this] as part of the baseline makes it easier for security teams to claim compliance, because auditors are happy," Pescatore said. "Focusing on password reset compliance was a huge part of all the money wasted on Sarbanes-Oxley audits 15 years ago. Great example of how compliance does not*equal security."*

Elsewhere in the Windows 10 1903 draft baseline, Microsoft also dropped policies for the BitLocker drive encryption method and its cipher strength. The prior recommendation was to use the strongest available BitLocker encryption, but that, Microsoft said, was overkill: ("Our crypto experts tell us that there is no known danger of [128-bit encryption] being broken in the foreseeable future," Margosis of Microsoft contended.) And it could easily degrade device performance.

Microsoft also asked for feedback on another proposed change that would dump the forced disabling of Windows' built-in Guest and Administrator accounts. "Removing these settings from the baseline would not mean that we recommend that these accounts be enabled, nor would removing these settings mean that the accounts will be enabled," Margosis said. "Removing the settings from the baselines would simply mean that administrators could now choose to enable these accounts as needed."

The draft baseline can be downloaded from Microsoft's website as a .zip archived file.