• Microsoft: Forced password changes don’t work

    Yesterday, Sergiu Gatlan at BleepingComputer wrote about Microsoft’s newfound antipathy to forced frequent password changes.

    You know the problem: Every 30 or 60 or 90 days, you’re forced to change your password – and the new one can’t match the last 12 of them. Your solution is probably the same as mine:


    and so on. With the way technology has changed (I hesitate to use the term “improved”), frequently changed short passwords don’t hold a candle to LongPasswordsThatYouCanEasilyRemember. Even old LongPasswordsThatYouCanEasilyRemember work better than Shorter1, Shorter2, Shorter3. Forcing you to change them every 30 days only pushes you toward less secure passwords.

    Of course, you use a password manager such as LastPass or OnePass or KeePass. In that case, changing your password every 30 days is just a pain in the neck. No security improvement at all.

    The topic has come up because Microsoft just released its newly revised “Security baseline” for Win10 version 1903. It’s still marked Draft, but should be solidified before too long. Here’s what MS says:

    When humans pick their own passwords, too often they are easy to guess or predict. When humans are assigned or forced to create passwords that are hard to remember, too often they’ll write them down where others can see them. When humans are forced to change their passwords, too often they’ll make a small and predictable alteration to their existing passwords, and/or forget their new passwords. When passwords or their corresponding hashes are stolen, it can be difficult at best to detect or restrict their unauthorized use.

    Bravo and huzzah!
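    Here is an added illustration, not from this post or from Microsoft's baseline: a small Python check for the "Shorter1, Shorter2, Shorter3" pattern that the post and the quoted baseline text both describe. It assumes the check runs at change time, when the user has typed both the current and the new password (the usual Windows flow), since servers only keep hashes of old ones; the stem rule and the edit-distance cutoff of 2 are assumptions about what counts as a "small and predictable alteration".

```python
import re

# Cosmetic edits people make when forced to rotate: bump a trailing digit,
# add a "!" or "1", change case. Stripping them exposes the unchanged stem.
_TRAILING = re.compile(r"[0-9!@#$%^&*._-]+$")
_LEADING = re.compile(r"^[0-9!@#$%^&*._-]+")


def stem(password: str) -> str:
    """Lowercase and strip leading/trailing digits and symbols."""
    s = password.lower()
    s = _TRAILING.sub("", s)
    return _LEADING.sub("", s)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (single-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def is_predictable_variant(old: str, new: str, max_edits: int = 2) -> bool:
    """True when `new` is a small, predictable alteration of `old`:
    same stem after cosmetic stripping, or only a couple of edits apart."""
    if not old or not new:
        return False
    s_old, s_new = stem(old), stem(new)
    if s_old and s_old == s_new:           # Shorter1 -> Shorter2
        return True
    return edit_distance(old.lower(), new.lower()) <= max_edits  # Passw0rd -> P@ssw0rd


def check_change(history, new: str, max_edits: int = 2):
    """Return the index of the first previous password `new` is a variant of,
    or None when the new password is genuinely different from all of them."""
    for i, old in enumerate(history):
        if is_predictable_variant(old, new, max_edits):
            return i
    return None
```

A policy built on this check rejects the rotation-by-increment habit instead of rewarding it, which is the failure mode the baseline text describes.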