Humans are terrible at passwords. You might think weak passwords are rare, but recent surveys show that many passwords are about as useful as having no password at all. Some systems, in an effort to increase security, force users to change their passwords every 30 or 60 days. Microsoft, however, is dropping that policy in the next major Windows 10 update because studies now show that password expiration policies do nothing to enhance security after all.
Microsoft's own reasoning makes clear why such a policy is of little use. If you force users to create a strong, long password, they are likely to write it down somewhere. If you force them to change that password at regular intervals, they are likely to make only a small, predictable change. Often they will even forget what they changed.
Password expiration policies were implemented to address situations where a password may have been stolen by a hacker. But if that were the case, why would you wait for the password to expire before changing it? And if it hasn't been compromised, why change it unnecessarily and, ironically, make it even more liable to be hacked?
Given those factors, Microsoft has decided to drop the obsolete and ineffective policy that offers little value in improving security. This change will go into effect in Windows 10 and Windows Server version 1903.
To be clear, Microsoft isn’t throwing out its other password policies, just this old one. It will continue to require passwords to have a minimum length and have a certain complexity, usually a combination of letters, numbers, and symbols.
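As an added example (not part of the article, and not Microsoft's own tooling), the PowerShell below audits a local machine's account policy for the three settings the article names: forced expiration, minimum length and complexity. It exports the local security policy with `secedit.exe`, parses the `[System Access]` section, and reports where the machine still forces expiration or fails to enforce length or complexity. It assumes an elevated session; the minimum-length threshold of 14 is an assumption for illustration, not a value the article gives.

```powershell
# Added example: audit local password policy for the settings discussed above.
# Assumes an elevated PowerShell session; secedit.exe ships with Windows.

function Get-LocalPasswordPolicy {
    # Export the local security policy to a temporary .inf and parse the
    # [System Access] section. secedit writes a Unicode text file.
    $inf = Join-Path $env:TEMP ('secpol-{0}.inf' -f [guid]::NewGuid())
    secedit.exe /export /cfg $inf /areas SECURITYPOLICY /quiet | Out-Null
    try {
        $policy = @{}
        foreach ($line in Get-Content -Path $inf) {
            if ($line -match '^\s*(MaximumPasswordAge|MinimumPasswordLength|PasswordComplexity|PasswordHistorySize)\s*=\s*(-?\d+)') {
                $policy[$matches[1]] = [int]$matches[2]
            }
        }
        return $policy
    } finally {
        Remove-Item -Path $inf -ErrorAction SilentlyContinue
    }
}

function Test-PasswordPolicy {
    param(
        [Parameter(Mandatory)][hashtable]$Policy,
        [int]$MinimumLength = 14   # assumed threshold for this example
    )
    $findings = @()
    # secedit reports MaximumPasswordAge = -1 when passwords never expire;
    # any positive value means users are still forced to rotate.
    if ($Policy.MaximumPasswordAge -gt 0) {
        $findings += "Passwords still expire every $($Policy.MaximumPasswordAge) days; the 1903 baseline no longer requires periodic expiration."
    }
    if ($Policy.MinimumPasswordLength -lt $MinimumLength) {
        $findings += "Minimum password length is $($Policy.MinimumPasswordLength); expected at least $MinimumLength."
    }
    if ($Policy.PasswordComplexity -ne 1) {
        $findings += "Password complexity requirements are disabled."
    }
    return $findings
}

# Run against the live machine; an empty result means no findings.
$live = Get-LocalPasswordPolicy
$live
Test-PasswordPolicy -Policy $live
```

For domain-joined machines the same three values come from the domain policy rather than the local one; `Get-ADDefaultDomainPasswordPolicy` (ActiveDirectory module) exposes them as `MaxPasswordAge`, `MinPasswordLength` and `ComplexityEnabled`, and `Test-PasswordPolicy` can be fed a hashtable built from those properties.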