Milk Still Expires, but Now — Mercifully — Your Passwords Won’t


Who hasn’t been interrupted during some important task by a strictly imposed network requirement to “update” a password? And who hasn’t solved this modern annoyance with some ridiculous, unsafe naming convention like “CorpPassword1 … CorpPassword2 … CorpPassword3” and so on?

People already have 150 or so passwords they must remember. Forced expiration made this already untenable situation even worse — 150 new passwords every month or so?

Those days are, thankfully, coming to a close. Last year, the National Institute of Standards and Technology revised its password recommendations, urging companies to abandon forced expirations. And recently, Microsoft announced it would remove the requirement from Windows 10 standards.

This will finally start a movement to drop forced password updates.

In its announcement, Microsoft was both logical and forceful in its argument.

“Periodic password expiration is an ancient and obsolete mitigation of very low value,” it said. “When humans are forced to change their passwords, too often they’ll make a small and predictable alteration to their existing passwords, and/or forget their new passwords.”

If a password is compromised, it should be changed now — why wait 30 or 60 days? — and if it’s not compromised, why create the extra hassle?

More from Microsoft:

“If it’s a given that a password is likely to be stolen, how many days is an acceptable length of time to continue to allow the thief to use that stolen password? The Windows default is 42 days. Doesn’t that seem like a ridiculously long time? Well, it is, and yet our current baseline says 60 days — and used to say 90 days — because forcing frequent expiration introduces its own problems.

“And if it’s not a given that passwords will be stolen, you acquire those problems for no benefit. Further, if your users are the kind who are willing to answer surveys in the parking lot that exchange a candy bar for their passwords, no password expiration policy will help you.”

Gartner cybersecurity analyst Avivah Litan called the move a “most welcome step.”

“Finally, a big tech company (that manages much of our daily authentication) is using independent reasoned thinking rather than going along with the crowd mentality when the crowd’s less-secure password management practices are — however counterintuitive — less secure,” she wrote in a blog post.

What should companies be doing about passwords instead? Litan hopes this step signals the beginning of the end of traditional passwords. Meanwhile, Microsoft hints at what better security looks like:

“What should the recommended expiration period be? If an organization has successfully implemented banned-password lists, multi-factor authentication, detection of password-guessing attacks, and detection of anomalous logon attempts, do they need any periodic password expiration? And if they haven’t implemented modern mitigations, how much protection will they really gain from password expiration?”

Coincidentally, this week’s “So, Bob” podcast deals with password managers. Listen on iTunes or on Stitcher.
