Microsoft has finally removed its 60-day password expiration policy from its Windows 10 security baseline, claiming there are better ways to keep users secure. This means organizations using Windows 10 won’t have to force their users to change passwords frequently.
In its blog post detailing Windows 10 build, the company said that expiration is a defense only against the probability that a password (or a hash) could be stolen during its validity interval:
Recent scientific research calls into question the value of many long-standing password–security practices such as password expiration policies, and points instead to better alternatives such as enforcing banned-password lists (a great example being Azure AD password protection) and multi-factor authentication. While we recommend these alternatives, they cannot be expressed or enforced with our recommended security configuration baselines, which are built on Windows’ built-in Group Policy settings and cannot include customer-specific values.
Microsoft said if an organization implements security practices like banned password lists, multi-factor authentication, detection of password-guessing attacks, and detection of anomalous logon attempts, it doesn’t need expiration policies.
In a security guide published in March, the National Institute of Standards and Technology (NIST) also suggested removing frequent password changes. Instead, it recommended banning commonly used passwords and patterns.