It seems that Microsoft is finally accepting what many IT admins and security experts have known for years. In its latest draft security baseline for Windows 10 and Windows Server it admits that its password expiration policy does not work. That’s right, that annoying “your password has expired” message for Windows users might finally be on the way out.
The news will be greeted with joy by users and IT security teams. Users will no longer have to think up new complex passwords and then find somewhere to write them down. Another problem is that enforced changes tends to weaken password security.
The news came in a blog from Aaron Margosis, Principal Consultant, Microsoft. The blog introduces the new draft security baseline for Windows 10 v1903 and Windows Server v1903. In his blog Margosis writes: “There’s no question that the state of password security is problematic and has been for a long time. When humans pick their own passwords, too often they are easy to guess or predict.
“When humans are assigned or forced to create passwords that are hard to remember, too often they’ll write them down where others can see them. When humans are forced to change their passwords, too often they’ll make a small and predictable alteration to their existing passwords, and/or forget their new passwords. When passwords or their corresponding hashes are stolen, it can be difficult at best to detect or restrict their unauthorized use.”
Even when users avail themselves of password checkers they can still find themselves in trouble. A password strength checker from Alvaka Networks recently went from:
Password: “ThisIsStupid” rates as “compromised”.
Password: “ThisIsStupid!” rates as “very strong”.
Such an approach to password strength testing shows why passwords have become a joke.
Why has Microsoft seen the light?
According to Margosis: “Recent scientific research calls into question the value of many long-standing password-security practices such as password expiration policies, and points instead to better alternatives such as enforcing banned-password lists (a great example being Azure AD password protection) and multi-factor authentication.”
When Margosis states recent he is being a little liberal. Several reports and studies over the last few years have all warned that forcing users to change passwords is not helpful. Now Microsoft, who for enterprises has the biggest impact on password behaviour and usage agrees.
Will we still have passwords with Microsoft?
Yes we will and they will probably continue to exist for a considerable period of time. All Microsoft is doing here is removing that annoying: “your password has expired warning.” As Margosis states: “we are talking here only about removing password-expiration policies – we are not proposing changing requirements for minimum password length, history, or complexity.”
He also said: “the small set of ancient password policies enforceable through Windows’ security templates is not and cannot be a complete security strategy for user credential management. Removing a low-value setting from our baseline and not compensating with something else in the baseline does not mean we are lowering security standards.”
What does this mean for enterprise IT policies?
This is a more complex question. Many organisations have set policies that cannot just be changed overnight. They require a review, authorised at a senior level, tested and then finally deployed. In some large enterprises this could take several months. After that, there is the problem of educating users.
When going through this, enterprise IT should look at how it is strengthening password usage. The use of password mangers is one step. Another is to deploy multifactor authentication as part of this process if it is not already in use.
What this does not solve is password reuse. If users are regularly reusing their company password on other services, this will not stop them. In fact, it increases the time that a password is live and the risk of a breach on those other services revealing that password. Education around users to prevent the reuse of passwords must not end just because of this.
What else is Microsoft looking at?
As stated earlier, Margosis’s blog is not just about passwords. It is about the new security baselines and tools for Windows 10 and Windows Server. Users can download a zip file containing: “GPO backups, GPO reports, scripts to apply settings to local GPO, Policy Analyzer rules files for each baseline and for the full set, and spreadsheets documenting all available GPOs and our recommended settings, settings that are new to this Feature Update, and changes from the previous baselines.”
Among those changes administrators will find information around BitLocker encryption, new audit setting for Kerberos and the ability to stop users activating apps on locked device using their voice.
Margosis also covers some proposals to how certain accounts are treated. This will affect both the built-in Guest and Administrator accounts. If accepted, these proposals will come into force for the next update of the Windows security baseline
Enterprise Times: What does this mean
There are some significant changes in this new draft security baseline set of documents. For most IT teams, it will take a some reading and playing to understand exactly what the changes are. In the main, they are fairly simple to understand and implement. Some are just suggestions and some are changes to existing policies.
What will get the most attention, however, is the change in stance by Microsoft over passwords. However, users shouldn’t get too excited. IT teams will need to ensure that any change to remove password expiration is in line with other security policies in the business. This is not going to happen overnight.