What is it about a secure password that makes us think it’s secure?

Traditionally, for businesses it’s been things like complexity, minimum length, avoiding known bad passwords, and how often passwords are changed to counter the possibility of undetected compromise.

And yet, recently, the last of those orthodoxies – password expiration – has started to crumble.

In 2016, the influential US National Institute of Standards and Technology (NIST) broke with generations of received wisdom by recommending that scheduled password change should be dropped from the list of good practice on the basis it now does more harm than good.

This week, the mighty Microsoft joined them in no uncertain terms in a blog post explaining the company’s security baselines for the forthcoming Windows 10 version 1903, due in May. Microsoft’s Aaron Margosis didn’t mince his words:

Periodic password expiration is an ancient and obsolete mitigation of very low value, and we don’t believe it’s worthwhile for our baseline to enforce any specific value.

Windows baselines aren’t just a set of recommendations written down somewhere that nobody reads: they define how the world’s most popular business OS should be secured by businesses, and so they matter.

At the last count, Windows 10 had 3,000 of them (including many not related to security) implemented as Group Policy Objects. Having these parameters preset means that IT staff don’t have to configure everything from scratch, and it eases the ordeal of compliance.

If NIST downgrading the importance of password expiration was a big marker, Microsoft doing the same signals that change is coming in the real world.

Why password expiration doesn’t help

At first glance, password expiration sounds sensible because, as numerous security compromises demonstrate, passwords today are often stolen and abused long before their owners realise.

Logically, then, changing them on a schedule should minimise the risk by reducing the length of possible compromise to a defined period of weeks or months.

In the consumer space, it’s become such an accepted part of security that password managers urge users to update their passwords regularly and offer mechanisms to automate this for big internet sites.

The problem is that this can have unintended consequences, which can render the effort worthless. As Microsoft’s Margosis writes:

When humans are forced to change their passwords, too often they’ll make a small and predictable alteration to their existing passwords, and/or forget their new passwords.

In effect, users are not really changing their passwords, just tweaking them so they’re easier to remember. In the worst-case scenario, this might include using the same tweaked password across multiple sites, a habit that fuels credential-stuffing attacks.
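The failure mode Margosis describes is detectable at the moment a password is changed, because that is the one point where a system holds both the old and the new value in plaintext. The following is an added example, not code from the article or from Microsoft’s baseline: a change-time check that rejects the predictable tweaks (case flips, leet substitutions, digits or symbols added at the ends, reversal, appending the old password) by comparing a normalised “core” of each password and the raw edit distance between them. The threshold and the substitution table are illustrative assumptions.

```python
import re
import unicodedata

# Illustrative threshold and substitution table (assumptions, not from any
# standard or from Microsoft's baseline).
MIN_EDIT_DISTANCE = 4
LEET = str.maketrans("@$!013457", "asioleast")  # @->a $->s !->i 0->o 1->l 3->e 4->a 5->s 7->t


def levenshtein(a, b):
    """Classic edit distance between two strings (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(pw):
    """Collapse the tweaks users make under forced rotation: case changes,
    leet substitutions, and digits/symbols tacked onto either end."""
    s = unicodedata.normalize("NFKC", pw).casefold()
    core = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", s)  # strip leading/trailing non-letters
    return (core or s).translate(LEET)            # all-digit/symbol passwords keep their text


def too_similar(old, new):
    """Return (reject, reason); reason is empty when the change is acceptable.
    Meant to run at change time, when the user has supplied the current password."""
    o, n = normalize(old), normalize(new)
    if n == o:
        return True, "same core once case, leet substitutions and edge digits/symbols are ignored"
    if n == o[::-1]:
        return True, "old password reversed"
    if len(o) >= 4 and (o in n or n in o):
        return True, "old password embedded in the new one (or vice versa)"
    if levenshtein(old.casefold(), new.casefold()) < MIN_EDIT_DISTANCE:
        return True, f"fewer than {MIN_EDIT_DISTANCE} character edits from the old password"
    return False, ""


if __name__ == "__main__":
    # Constructed sample changes, not real credentials.
    for old, new in [("Summer2019!", "Summer2020!"), ("Password1", "P@ssw0rd1"),
                     ("Winter", "WinterWinter"), ("Summer2019!", "correct horse battery staple")]:
        reject, why = too_similar(old, new)
        print(f"{old!r} -> {new!r}: {'REJECT' if reject else 'ok'} {why}")
```

A check like this complements, rather than replaces, screening new passwords against known-breached lists, and it is only possible at change time because a stored hash cannot be compared for similarity.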

Notice that although Microsoft no longer recommends a specific password expiration value, there’s nothing to stop organisations implementing one if they want to.

It could be that Microsoft’s angst over its baseline is really asking a deeper question – should baselines and the endless compliance that follows in their wake be that important anyway? Margosis again:

Removing a low-value setting from our baseline and not compensating with something else in the baseline does not mean we are lowering security standards. It simply reinforces that security cannot be achieved entirely with baselines.

As recent announcements from Microsoft have made clear, everyone would do better to move to more sophisticated forms of authentication.