It doesn’t work, and it’s really, really annoying.
Forcing users to periodically change their passwords is pointless, Microsoft has stated in a blog post about proposed security changes in Windows 10.
If you’ve ever logged into your work computer and been told by Windows that you have a certain number of days left to change your password, then you’ve encountered password expiration. It’s not a compulsory feature, but many companies enable it because they regard it as a good security measure.
But there have been dissenting voices regarding mandatory password changes for a while, including the USA’s Federal Trade Commission, and now Microsoft has joined the club, with its proposal to drop the password-expiration requirement from its recommended security baseline for the next version of Windows 10.
In its blog post, Microsoft says, “Periodic password expiration is an ancient and obsolete mitigation of very low value.”
Brutal? Perhaps. True? Absolutely.
The fact is password expiration doesn’t work. For a start, the gap between each compulsory change is also time in which a criminal could be using your password: someone who has stolen a password typically uses it straight away, not weeks later, so a rotation window closes the door long after the intruder has walked through it. The window can be customised, but by default it’s 42 days in Windows 10. And if your password hasn’t been compromised, you’re being made to change it for no reason.
It’s not just pointless; in many cases, it can be actively counter-productive.
The problem is people are generally rubbish at remembering passwords. Faced with the obligation to change their password every few weeks, they tend to do one of a few less than ideal things. They might:
- Reuse a password from somewhere else.
- Create a password that is easy to guess or which can easily be brute-forced, very often a small, predictable tweak to the old one (Password1 becomes Password2).
- Write their password down on a piece of paper or in a text file.
Oddly enough, though, the last of these – writing your password down – is actually recommended by many cyber security experts, including Bruce Schneier and Microsoft’s very own Jesper Johansson, who suggested doing it as far back as 2005.
They’re not wrong, but there are some caveats. Context is important: keeping your Windows password on a piece of paper in your wallet is better than having it on a Post-It note stuck to your monitor, for example. Similarly, writing your passwords in an encrypted text file is better than having an unprotected password list just sitting in your documents folder. It’s also more of a problem if you write down what each password is used for.
Provided you actually secure your written-down passwords, whether your list is physical or digital, it’s not actually a terrible way of managing them – particularly as it allows you to choose complex passwords that you wouldn’t otherwise be able to remember. Essentially, it’s like a set of keys. If you lose them, whoever finds them could get into your house and your car, but only if they know where you live (which they might do if you write your address on your keyring).
But with password expiration in place, users like this will have to write down a new password every so often. Can they really be trusted to securely store them every time? Possibly not (which is why TMB generally recommends that workplace users don’t write their passwords down). And if they can be trusted with this responsibility, then once again, you’re just making them change their passwords for no reason.
Other, more technical solutions include automatically rejecting weak passwords (too short, on a list of known-compromised passwords, or a trivial variant of the previous one), rolling out a password manager, and implementing multi-factor authentication. Combining these measures, it’s possible to create a login process that is secure yet straightforward and convenient for users.
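As an added illustration of the first of those measures, the Python below sketches what "automatically rejecting weak passwords" looks like in practice. It is example code written for this article, not code from Microsoft or from the blog post it discusses. It rejects a candidate password that is too short, that appears in a list of known-compromised passwords, or that is merely a trivial variant of the previous password, which is exactly the habit a rotation rule encourages. The tiny denylist, the 12-character minimum and the 0.8 similarity threshold are assumptions chosen for the example; a real deployment would load a full breach corpus and tune the numbers.

```python
import difflib
import hashlib
from typing import List, Optional

# Policy parameters. These values are assumptions made for this example,
# not settings recommended by the article or by Microsoft.
MIN_LENGTH = 12
MAX_SIMILARITY = 0.8  # above this ratio the candidate counts as a variant of the old password

REASON_SHORT = f"shorter than {MIN_LENGTH} characters"
REASON_COMPROMISED = "appears in the compromised-password list"
REASON_VARIANT = "trivial variant of the previous password"

# Constructed sample denylist, stored as SHA-1 digests so the plaintexts never
# need to sit on disk. A real deployment would load millions of entries from a
# breach corpus; these few exist only to make the example runnable offline.
_DENYLIST_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest()
    for p in ("password", "123456", "qwerty", "letmein", "welcome1", "Password1")
}


def is_compromised(candidate: str) -> bool:
    """True if the candidate's SHA-1 digest is in the denylist."""
    return hashlib.sha1(candidate.encode("utf-8")).hexdigest() in _DENYLIST_SHA1


def similarity(a: str, b: str) -> float:
    """Case-insensitive similarity ratio in [0, 1] between two passwords.

    Lower-casing first means 'PASSWORD1' and 'password1' compare as identical,
    and difflib's ratio catches the 'Summer2019!' -> 'Summer2020!' pattern
    that forced rotation produces.
    """
    return difflib.SequenceMatcher(None, a.lower(), b.lower()).ratio()


def is_trivial_variant(candidate: str, previous: str) -> bool:
    """True if the candidate is too close to the previous password to count as new."""
    return similarity(candidate, previous) > MAX_SIMILARITY


def evaluate_password(candidate: str, previous: Optional[str] = None) -> List[str]:
    """Return the reasons to reject the candidate; an empty list means accept."""
    reasons: List[str] = []
    if len(candidate) < MIN_LENGTH:
        reasons.append(REASON_SHORT)
    if is_compromised(candidate):
        reasons.append(REASON_COMPROMISED)
    if previous is not None and is_trivial_variant(candidate, previous):
        reasons.append(REASON_VARIANT)
    return reasons


if __name__ == "__main__":
    # Constructed sample inputs: a breached password, a rotation-style tweak,
    # and a long passphrase that shares nothing with the old one.
    for new, old in [("Password1", None),
                     ("Summer2020!!", "Summer2019!!"),
                     ("violet kettle marathon 42", "Password1")]:
        verdict = evaluate_password(new, old)
        print(f"{new!r}: " + ("accepted" if not verdict else "rejected: " + ", ".join(verdict)))
```

Storing the denylist as SHA-1 digests is not an arbitrary choice: the Have I Been Pwned "Pwned Passwords" corpus is published in exactly that form, so the same digest lookup works unchanged against a full breach list. The similarity check is deliberately case-insensitive, because "Password1" to "PASSWORD2" is the same non-change as "Password1" to "Password2".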
But password expiration is none of these things. It's ineffective, inconvenient and it can lead to a false sense of security. In other words, it's long past its expiration date.