
Microsoft will remove password expiration policy; they think it’s useless

The technology giant Microsoft plans to eliminate its password expiration policy, under which the company asks Windows users to change their login passwords periodically, vulnerability testing specialists report.

The company announced this proposal in a post on its official blog, in which Microsoft says that its standard security settings will stop asking users to change their passwords at intervals of weeks or months.

This first draft of the company's new security policies includes some recommendations that would affect corporate network users, with the primary purpose of avoiding misuse. In addition, the company aims to restrict some features inherent to the Windows operating system that might be useful for malware attacks.

“Microsoft believes that its current password expiration policy is an obsolete and really non-functional security measure in practice; they no longer believe that it is worthwhile to keep encouraging it”, mentioned the vulnerability testing specialists.

On the other hand, a spokesman for the company stated: “This policy only defends users in case their active password is stolen; if passwords are never stolen, you do not need to set an expiration date; in case of a stolen password, users would do a password reset, not just wait for it to expire”.

According to the vulnerability testing specialists, Microsoft wants to encourage its users to adopt passwords secure enough to eliminate the need to change them constantly; in any case, expiration has proven to be a nearly useless security policy.

Specialists of the International Institute of Cyber Security (IICS) say that such policies are not secure because, if a password is stolen, a threat actor who knows the current password could easily guess the next password.

Other organizations, such as the National Institute of Standards and Technology (NIST), have also eliminated this kind of password-protection policy, considering that its impact on users’ security could in fact be negative.
