Microsoft always releases a security baseline in draft form when a new version of Windows 10 is about to be made available to enterprise and business customers. The draft proposes security settings that help these organizations make the most effective use of the security features across their Windows 10 endpoints. The security baseline draft for Windows 10 Version 1903, aka the May 2019 Update, drew attention for a new password change policy.
The policy change lines up with government guidelines for handling passwords.
According to the National Institute of Standards and Technology (NIST) Special Publication SP 800-63B, Authentication and Lifecycle Management, memorized secrets -- another term for "passwords" -- should meet these minimum requirements:
- At least 8 characters long, with up to 64 characters allowed, and with all ASCII and Unicode characters, including spaces, accepted when these memorized passwords (or passphrases) are created.
- Passwords chosen by the service provider, whether at enrollment or when a new password is requested, must be at least 6 characters long and generated using an approved random bit generator.
- Password hints must not be stored in any system that is accessible to unauthenticated users.
- Every new password must be checked against lists of commonly used, expected, or compromised passwords. Lists of passwords from previous breaches, dictionary words, repetitive characters, and the username or service name should all be included in this check. Any match should result in the password being rejected, the user being told why it was rejected, and a prompt to select a new password.
- If an account is compromised, force a change of the user's password. But do not force a change just because a few weeks have elapsed.
There are other suggestions in this standard that should be considered as you establish your password policies, so a full review is highly recommended.
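A screening routine that implements the checks listed above, added here as an illustration; it is not code from the original article or from Microsoft's baseline. The blocklist entries and reason codes are constructed, and the check for sequential runs comes from the same NIST section even though the list above names only repetitive characters.

```python
import unicodedata

# Constructed sample blocklist; a real deployment would query a breach corpus
# with hundreds of millions of entries, not a handful of literals.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1", "iloveyou"}

# Reason codes returned on rejection, with the message shown to the user
# so they are told why the candidate was refused.
MESSAGES = {
    "too_short": "must be at least 8 characters",
    "too_long": "must be at most 64 characters",
    "blocklisted": "appears on a list of commonly used or compromised passwords",
    "contains_context": "contains your username or the service name",
    "repetitive": "is made of repeated characters or a repeated pattern",
    "sequential": "is a run of consecutive characters (e.g. abcdefgh, 12345678)",
}

def _is_repeated_pattern(s):
    # s is a whole number of repeats of a shorter unit (including a single
    # character) iff s occurs inside (s + s) at an offset between 1 and len(s) - 1.
    return len(s) > 1 and (s + s).find(s, 1) < len(s)

def _is_sequential(s):
    # Every step between neighbouring code points is +1 (or every step is -1).
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return len(s) > 1 and (steps == {1} or steps == {-1})

def check_memorized_secret(candidate, username="", service_name="", blocklist=COMMON_PASSWORDS):
    """Screen a user-chosen password. Returns None if accepted, else a reason code from MESSAGES."""
    # Normalise so the same visible string typed in different Unicode forms compares equal.
    pw = unicodedata.normalize("NFKC", candidate)
    # len() counts code points, so spaces and non-ASCII characters each count as one character.
    if len(pw) < 8:
        return "too_short"
    if len(pw) > 64:
        return "too_long"
    lowered = pw.lower()
    if lowered in blocklist:
        return "blocklisted"
    for ctx in (username, service_name):
        # Ignore empty or very short context strings, which would match everything.
        if len(ctx) >= 3 and ctx.lower() in lowered:
            return "contains_context"
    if _is_repeated_pattern(lowered):
        return "repetitive"
    if _is_sequential(lowered):
        return "sequential"
    return None
```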
Microsoft acknowledges that this is a radical change to a long-standing and widely used security practice. It is not, however, suggesting that organizations abandon other password requirements such as length, history, and complexity.
Here is what Microsoft’s Aaron Margosis says about the need to have expiring passwords:
Periodic password expiration is a defense only against the probability that a password (or hash) will be stolen during its validity interval and will be used by an unauthorized entity. If a password is never stolen, there’s no need to expire it. And if you have evidence that a password has been stolen, you would presumably act immediately rather than wait for expiration to fix the problem.
Margosis goes on to add:
If an organization has successfully implemented banned-password lists, multi-factor authentication, detection of password-guessing attacks, and detection of anomalous log-on attempts, do they need any periodic password expiration? And if they haven’t implemented modern mitigations, how much protection will they really gain from password expiration?
Ultimately, a company's leadership is responsible for the security of the customer and employee data that resides across all its resources. Users with a higher level of data access should be expected to have tighter controls on account access, including passwords and the breadth of access to company data. Users with lower levels of access can have less stringent requirements, but never below the minimum standards discussed above.
The Microsoft password change policy and its publication this week have triggered a lot of discussion across social media among IT Pros, security experts, and users. While opinions in those conversations are mixed, the conversations are at least happening, rather than organizations simply sticking with what they believe to be tried and true methods of securing user passwords.
"We have always done it that way" is no longer a valid response when changes are necessary, whether they are security or process related. Dropping a password expiration policy could be the first step in an enterprise's move towards not using passwords at all to authenticate user accounts in the future.