Microsoft: Forced password changes don’t work


    This topic contains 12 replies, has 8 voices, and was last updated by Paul T 3 months, 3 weeks ago.

    • #964144

      woody
      Da Boss

      Yesterday, Sergiu Gatlan at BleepingComputer wrote about Microsoft’s newfound antipathy to forced frequent password changes. You know the problem: Eve
      [See the full post at: Microsoft: Forced password changes don’t work]

      2 users thanked author for this post.
    • #965287

      Lugh
      AskWoody_MVP

      Forcing you to change them every 30 days only pushes you toward less secure passwords

      Yes, that’s been known in security circles for a long time—in corporate IT depts, not so much 🙁

      Has MS been making us change passwords, or are you just applauding them for supporting the cause? I use Windows, Outlook.com & Office 365, and can’t remember being asked to change my password.

      Even my online financial outfits seem to have learned; they no longer demand 90-day resets either.

      Lugh.
      ~
      Alienware Aurora R6; Win10 Home x64 1803; Office 365 x32
      i7-7700; GeForce GTX 1060; 16GB DDR4 2400; 1TB SSD, 256GB SSD, 4TB HD

    • #967472

      cyberSAR
      AskWoody Plus

      Always thought that was a stupid requirement. Can’t tell you how many machines I get in here with sticky notes with their login info, exchange login etc.

      They all complain because, while they had a good password initially, the constant changing confused them.

      3 users thanked author for this post.
      • #1067568

        rc primak
        AskWoody_MVP

        It’s not like you can’t go to any number of online password generators and get a billion good, long, strong passwords. But humans can’t remember these passwords, so frequent changes are counterproductive. They always end up in plain-text files in My Documents or sticky notes attached to the computer.

        The best answer so far has been to use a USB Key as the “passkey”. (You can create such keys without relying on commercial interests.) Google, Microsoft and Yahoo are among many large site operators which allow some sort of USB Key to be used in place of a password now, and the trend is growing. Just don’t lose that USB Key! (There are Account Recovery options, but these are a real pain to go through.)

        -- rc primak

        1 user thanked author for this post.
    • #980415

      Paul T
      AskWoody MVP

      The change is probably in response to the NIST change.
      https://www.enzoic.com/surprising-new-password-guidelines-nist/

      cheers, Paul

    • #980565

      Alex5723
      AskWoody Plus

      Microsoft also increased the minimum storage requirement for 1903 from 16GB to 32GB for both 32- and 64-bit OS.

      https://docs.microsoft.com/en-us/windows-hardware/design/minimum/minimum-hardware-requirements-overview#331-storage-device-size

    • #1004151

      anonymous

      If you’re going by unassisted password solutions, then having a unique LongBu7EasyToRemember! password is better than short ones changing every 3 months. Yearly change is about right. When it comes to assisted password solutions, then having short-life passwords is neutral to good.

      Eg: if you have 2 Factor Authentication, frequent password changes are neutral; there are tradeoffs and a case could be made (I wouldn’t though). Password managers with 32 character randomly generated passwords are secure. Keep 3-4 long and easy to remember passwords on hand for what’s critical: password manager, primary email, desktop system, possibly financials. Change them every once in a while just in case, and do not reuse. And keep these out of the password manager.

      The former option works well if you don’t need many passwords. Problem is that the number of sites we have that use passwords continuously grows. I’ve got at least 40 passwords and those that aren’t in a password manager are one of about 10 of the LongBu7EasyToRemember! types. Then I got pwned and about a dozen of my accounts became exposed (no big deal, the password they got was for tertiary stuff). There are probably sites I’m on that I’ve forgotten, are pre-password manager, and will be used maliciously in the future.

      That doesn’t discount the fact that my mother gets flustered trying to remember 3 passwords… So unassisted password solutions are quickly becoming obsolete. “Sufficiently complex” passwords are only secure as long as they’re not exposed.

    • #1018752

      Paul T
      AskWoody MVP

      Keep 3-4 long and easy to remember passwords on hand for what’s critical: Password manager, primary email, desktop system, possibly financials. Change them every once in a while just in case, and do not reuse. And keep these out of the password manager.

      Or, use one long and complex password for your password manager and save everything else in it. As long as you have access to a backup of your password manager you don’t need to remember other passwords.

      cheers, Paul

      • #1067621

        rc primak
        AskWoody_MVP

        And hope your password manager’s database doesn’t get hacked.

        Easier to avoid when you control the database than if it lives in the Cloud or in (gasp!) your web browser.

        -- rc primak

        1 user thanked author for this post.
        • #1088493

          Paul T
          AskWoody MVP

          What sort of password manager has a hackable database? Oh, yes, those online ones that keep reporting they’ve been hacked.
          I use a local password manager but use the cloud for backup.

          cheers, Paul

          1 user thanked author for this post.
