What should your company’s change password policy be?

Microsoft's recent dropping of its maximum password age default renews the debate over forced password changes. Here's why you should continue to expire passwords.

Microsoft’s April 24 decision to remove the “Maximum Password Age” (forced expiration) default from Microsoft Windows has sparked a lot of discussion. The default (and recommended) maximum password age had been 45 to 60 days, depending on the OS version. Removing the forced expiration default follows the recent National Institute of Standards and Technology (NIST) recommendation not to require a password change until you know a password has been compromised.

The thinking behind Microsoft’s move is that passwords are usually compromised through means other than password guessing/hacking, which is what mandatory expirations are intended to minimize. Worse, forcing people to change passwords frequently encourages them to re-use the same passwords or patterns across multiple websites. Most passwords are stolen through phishing attacks, and a forced password change won’t prevent that.

Should you follow NIST’s and Microsoft’s lead and eliminate forced password expiration policies? I don’t think so. Here’s why.

Compliance still requires password expiration

I’ve yet to meet the organization that isn’t subject to some sort of cybersecurity regulation or law (PCI-DSS, HIPAA, SOX, NERC). All these regulations require automated, frequent password changes. Good luck if you believe NIST’s new password recommendations. You’ll be trapped into the old recommendations until the regulations change.
