
Users who hate having to change their Windows passwords every 60 days can rejoice: Microsoft now agrees that there is little point to forced password changes and is removing that recommendation from its security configuration baselines.

Microsoft is finally telling Windows administrators there are better ways to protect systems and networks than forcing users to pick new passwords every few weeks or months. Microsoft dropped the password-expiration policy in the latest draft version of the security configuration baseline settings for Windows 10 (v1903) and Windows Server (v1903), calling the practice “an ancient and obsolete mitigation of very low value.” According to the draft document, Microsoft will no longer recommend that accounts controlled by the network’s group policy be required to change their passwords periodically.

“We are talking here only about removing password-expiration policies–we are not proposing changing requirements for minimum password length, history, or complexity,” wrote Aaron Margosis, a principal consultant with Microsoft Public Sector Services.

Password expiration policies protect enterprises only in situations where passwords or password hashes have already been stolen and can be used to gain unauthorized access to the network, Margosis said. Microsoft’s baseline had prompted users to change their passwords every 60 days, down from the original 90 days, and Margosis questioned whether that time interval made sense.
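For administrators who want to see where their own domain stands, the following script is an added example (it is not from the article, from Margosis's post, or from Microsoft's baseline documents). It reads the Default Domain Password Policy and any fine-grained password policies, reports whether "Maximum password age" is already set to never expire (GPO value 0, which the ActiveDirectory cmdlets report as a zero TimeSpan), and checks that the controls the baseline keeps (minimum length, history, complexity) are still enforced. The thresholds 14 characters and 24 remembered passwords are assumed values to adjust to your organisation, and the function name `Get-PasswordPolicyReport` is the example's own.

```powershell
#Requires -Modules ActiveDirectory
# Added example: audit a domain's password policies for the one setting the
# new baseline drops (Maximum password age) while confirming the settings it
# keeps (minimum length, history, complexity) remain in place.
# Needs RSAT / the ActiveDirectory module on a domain-joined host.

function Get-PasswordPolicyReport {
    param(
        # Assumed thresholds for the controls that stay in the baseline;
        # change them to match your organisation's policy.
        [int]$MinLength  = 14,
        [int]$MinHistory = 24
    )

    $policies = @()

    # Default Domain Policy: applies to every account without a PSO.
    $policies += Get-ADDefaultDomainPasswordPolicy |
        Select-Object @{ n = 'Name'; e = { 'Default Domain Policy' } },
                      MaxPasswordAge, MinPasswordLength,
                      PasswordHistoryCount, ComplexityEnabled

    # Fine-grained password policies (PSOs) override the default for the
    # users and groups they target, so they must be checked as well.
    $policies += Get-ADFineGrainedPasswordPolicy -Filter * |
        Select-Object Name, MaxPasswordAge, MinPasswordLength,
                      PasswordHistoryCount, ComplexityEnabled

    foreach ($p in $policies) {
        # GPO "Maximum password age" = 0 means passwords never expire; the
        # cmdlets surface that as a zero-length TimeSpan.
        $neverExpires = ($p.MaxPasswordAge.TotalSeconds -eq 0)

        [pscustomobject]@{
            Policy            = $p.Name
            MaxPasswordAge    = if ($neverExpires) { 'never (0)' }
                                else { "$($p.MaxPasswordAge.Days) days" }
            ExpirationDropped = $neverExpires
            LengthOk          = ($p.MinPasswordLength -ge $MinLength)
            HistoryOk         = ($p.PasswordHistoryCount -ge $MinHistory)
            ComplexityOk      = [bool]$p.ComplexityEnabled
        }
    }
}

Get-PasswordPolicyReport | Format-Table -AutoSize

# To remove expiration from the default domain policy without touching the
# other settings, set "Maximum password age" to unlimited (GPO value 0):
#   net accounts /domain /maxpwage:unlimited
```

A row with `ExpirationDropped` true and the three `*Ok` columns true is a policy that already matches what the draft baseline describes; a PSO row that still carries a finite `MaxPasswordAge` will keep expiring passwords for its targets regardless of what the default policy says.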
