Microsoft is finally catching on to a maxim that security experts have almost universally accepted for years: periodic password changes are likely to do more harm than good.
In a largely overlooked post published late last month, Microsoft said it was removing periodic password changes from the security baseline settings it recommends for customers and auditors. After decades of Microsoft recommending passwords be changed regularly, Microsoft employee Aaron Margosis said the requirement is an “ancient and obsolete mitigation of very low value.”
The change of heart is largely the result of research that shows passwords are most prone to cracking when they’re easy for end users to remember, such as when they use a name or phrase from a favorite movie or book. Over the past decade, hackers have mined real-world password breaches to assemble dictionaries of millions of words. Combined with super-fast graphics cards, the hackers can make huge numbers of guesses in off-line attacks, which occur when they steal the cryptographically scrambled hashes that represent the plaintext user passwords.