Microsoft declares 'no need to change passwords regularly' and moves to abolish its password expiration policy


by Marco Verch Professional Photographer and Speaker

On April 24, 2019, Microsoft published a draft of the security baseline for Windows 10 version 1903 and Windows Server version 1903. In it, Microsoft questioned the practice of changing passwords regularly and made clear that it had abolished its previous 'password expiration' policy.

Security baseline (DRAFT) for Windows 10 v1903 and Windows Server v1903 – Microsoft Security Guidance blog
https://blogs.technet.microsoft.com/secguide/2019/04/24/security-baseline-draft-for-windows-10-v1903-and-windows-server-v1903/


Password1, Password2, Password3 no more: Microsoft drops password expiration rec | Ars Technica
https://arstechnica.com/gadgets/2019/04/password1-password2-password-3-no-more-microsoft-drops-password-expiration-rec/


Version 1903 is the next major update, to be distributed at the end of May 2019. It is scheduled to improve Windows Update, allowing updates to be delayed for up to 35 days. It also drew discussion that MS Paint, which was added to the deletion list in 2017, will continue to be included in the build.

Windows 'Paint', which was thought to be 'dead' for a while, still survives - GIGAZINE



In the draft security baseline for version 1903, Microsoft stated that 'We will remove password expiration policies that require periodic password changes.'

Microsoft often says, 'When people choose their own password, they tend to make it easy to predict, but when they identify or create a password that is hard to remember, they write it down where others can see it. And if they are forced to change their password, they will change their existing password to something predictable or forget their new password,' and questions the regular changing of passwords.

However, in place of the removed password expiration policy, Microsoft recommends alternatives such as the introduction of a banned password list or two-step verification, which are not included in the security baseline.

The claim that 'passwords need not be changed regularly' has been attracting attention in recent years. In 2018, the Japanese Ministry of Internal Affairs and Communications stated: 'If it is not a fact that the password was actually broken and the account was taken over, or that it was leaked from the service side, there is no need to change the password.'

Secure password management | Information security measures for employees and staff in general | Measures for companies and organizations | Information security site for the people
http://www.soumu.go.jp/main_sosiki/joho_tsusin/security/business/staff/01.html



Also, in Windows 10 the local Administrator account is disabled by default, and you need to create a new Administrator account during installation. Microsoft states that it is considering dropping the policy that enforces the disabling of the Administrator account.

in Software, Security, Posted by log1i_yk