Microsoft admits expiring-password rules are useless

Hey, IT staffers, are you listening?

By Ian Sherr

Ever had to change your password for no reason?

Before, it was annoying. Now, it's useless.

Microsoft has admitted that one of the great scourges of our time, the password reset rule, is bunk.

"When humans are assigned or forced to create passwords that are hard to remember, too often they'll write them down where others can see them," Microsoft's Aaron Margosis said in a blog post Wednesday. Worse, Margosis wrote, when people are forced to change their passwords, too often they make a "small and predictable alteration to their existing password" so they won't forget it. (Duh.)

Microsoft isn't the first to ring this alarm. Security experts and normal thinking people have complained for years that mandatory password changes aren't worth the trouble. Two years ago, the Federal Trade Commission (FTC) said it was time to rethink this practice. "It is important to assess the risks and benefits for your organization, as well as alternative ways of increasing security," the FTC said in a blog post. And that was after the National Institute of Standards and Technology (NIST) criticized the practice a decade ago.

Microsoft's blog post Wednesday introduced a broader set of "baseline" security settings that Microsoft may decide to recommend to companies that use its computer management software. Think of them as defaults of a sort.

Unfortunately, Microsoft isn't simply yanking the password reset feature, which would be the humane thing to do. In the end, it'll still be up to your company's tech team whether to listen to reason or continue living in the security Stone Age.

It's worth noting that Microsoft isn't changing its recommendations around the way we create passwords. In fact, the tech giant recommends that companies increasingly ban typical bad passwords and require employees to use multifactor authentication. (We at CNET are also fans of password managers.)
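To make the two points above concrete (Margosis's observation that forced changes produce "small and predictable alterations", and the recommendation to ban typical bad passwords instead), here is an added example of a password-change validator. It is not code from the article, from CNET or from Microsoft; the banned-word list, the character-substitution map and the similarity threshold are constructed assumptions for illustration, and a real deployment would load an organisation-scale banned list.

```python
"""
Added example (not from the CNET article or from Microsoft): a password-change
validator that rejects common/banned passwords and refuses new passwords that
are only trivial alterations of the previous one.
"""
import re
from difflib import SequenceMatcher
from typing import Tuple

# Constructed sample of banned base words. A real deployment would use a large,
# breach-derived list plus organisation-specific terms (product and company names).
BANNED_BASE_WORDS = {
    "password", "welcome", "qwerty", "letmein",
    "summer", "winter", "spring", "autumn", "contoso",
}

# Undo the usual character substitutions so "P@ssw0rd" normalizes to "password".
LEET_MAP = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})

# Similarity above this ratio is treated as a predictable tweak (assumed threshold).
SIMILARITY_THRESHOLD = 0.8


def core(pw: str) -> str:
    """Reduce a password to its base word: lower-case, drop the trailing
    digits/symbols people append ("Summer2019!" -> "summer"), undo leetspeak."""
    stripped = re.sub(r"[^a-z]+$", "", pw.lower())
    return stripped.translate(LEET_MAP)


def is_banned(pw: str) -> bool:
    """True if the password is built on a banned base word (substring match,
    so "MyPassword2024" is rejected along with "password")."""
    base = core(pw)
    return any(word in base for word in BANNED_BASE_WORDS)


def is_predictable_alteration(old: str, new: str) -> bool:
    """True if the new password is the old one with a small, predictable change:
    same base word (Password1 -> Password2) or high character-level similarity."""
    if core(old) == core(new):
        return True
    ratio = SequenceMatcher(None, old.lower(), new.lower()).ratio()
    return ratio >= SIMILARITY_THRESHOLD


def validate_change(old: str, new: str, min_len: int = 8) -> Tuple[bool, str]:
    """Return (accepted, reason) for a proposed password change."""
    if len(new) < min_len:
        return False, "too short"
    if is_banned(new):
        return False, "contains a banned base word"
    if is_predictable_alteration(old, new):
        return False, "predictable alteration of the previous password"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample changes of the kind expiration rules tend to produce.
    samples = [
        ("Summer2019!", "Summer2020!"),
        ("Tr0ub4dor&3", "Tr0ub4dor&4"),
        ("Welcome1", "P@ssw0rd1"),
        ("Tr0ub4dor&3", "correct horse battery staple"),
    ]
    for old_pw, new_pw in samples:
        accepted, reason = validate_change(old_pw, new_pw)
        print(f"{old_pw!r} -> {new_pw!r}: {'accepted' if accepted else 'rejected'} ({reason})")
```

The banned-word check runs first because a password on a banned list is weak regardless of how it relates to the previous one; the similarity check only matters once a password is otherwise acceptable. Both checks are what make dropping periodic expiration safe: the weakness the rotation rule was meant to address is caught at the moment a password is chosen.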

But make no mistake, Microsoft, whose Windows software powers nearly 80% of the world's computers, has finally seen the light. "Periodic password expiration is an ancient and obsolete mitigation of very low value," Margosis said.

First published April 24 at 3:24 p.m. PT.
Update, April 25 at 7:32 a.m. PT: Adds background.