Microsoft Says Mandatory Password Changing is “Ancient and Obsolete”

upnorth

upnorth

Moderator
Thread author
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,459
Content source
https://arstechnica.com/information-technology/2019/06/microsoft-says-mandatory-password-changing-is-ancient-and-obsolete/
Microsoft is finally catching on to a maxim that security experts have almost universally accepted for years: periodic password changes are likely to do more harm than good.

In a largely overlooked post published late last month, Microsoft said it was removing periodic password changes from the security baseline settings it recommends for customers and auditors. After decades of Microsoft recommending passwords be changed regularly, Microsoft employee Aaron Margosis said the requirement is an “ancient and obsolete mitigation of very low value.” The change of heart is largely the result of research that shows passwords are most prone to cracking when they’re easy for end users to remember, such as when they use a name or phrase from a favorite movie or book. Over the past decade, hackers have mined real-world password breaches to assemble dictionaries of millions of words. Combined with super-fast graphics cards, the hackers can make huge numbers of guesses in off-line attacks, which occur when they steal the cryptographically scrambled hashes that represent the plaintext user passwords. Even when users attempt to obfuscate their easy-to-remember passwords—say by adding letters or symbols to the words, or by substituting 0’s for the o’s or 1’s for l’s—hackers can use programming rules that modify the dictionary entries. As a result, those measures provide little protection against modern cracking techniques.

Researchers have increasingly come to the consensus that the best passwords are at least 11 characters long, randomly generated, and made up of upper- and lower-case letters, symbols (such as a %, *, or >), and numbers. Those traits make them especially hard for most people to remember. The same researchers have warned that mandating password changes every 30, 60, or 90 days—or any other period—can be harmful for a host of reasons. Chief among them, the requirements encourage end users to choose weaker passwords than they otherwise would. A password that had been “P@$$w0rd1” becomes “P@$$w0rd2” and so on. At the same time, the mandatory changes provide little security benefit, since passwords should be changed immediately in the event of a real breach rather than after a set amount of time prescribed by a policy.
Click to expand...
 
  • Like
Reactions: Deletedmessiah, Local Host, ebocious and 5 others
You must log in or register to reply here.

Similar threads

Gandalf_The_Grey
    • Like
    • +Reputation
    • Thanks
The most hacked passwords list 2023
Replies
2
Views
1,369
News Archive
plat
P
vtqhtr413
    • Wow
    • Like
    • Thanks
Technology Microsoft Edge may have changed your saved passwords to serial key-like strings
Replies
4
Views
528
Technology News
brambedkar59
brambedkar59
F
    • Wow
    • HaHa
Security News Microsoft employees exposed internal passwords in security lapse
Replies
3
Views
880
Security News
Freki123
F

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top