What do you think of the following? Will you be removing your password expiration for your enterprise?
Microsoft and NIST Say Password Expiration Policies Are No Longer Necessary
In 2019, Microsoft dropped the forced periodic password change policy from its security configuration baseline settings for Windows 10 and Windows Server, calling it an obsolete mitigation of very low value. Microsoft claims that password expiration requirements do more harm than good because they make users select predictable passwords, composed of sequential words and numbers, which are closely related to each other. Additionally, Microsoft claims that password expiration requirements limit containment because cybercriminals almost always use credentials as soon as they compromise them. The US-based National Institute of Standards and Technology (NIST) also updated its password guidelines in NIST 800-63B to reflect the same sentiment: that passwords shouldn't periodically expire.
Both NIST and Microsoft are highly influential in the cybersecurity guidelines landscape. NIST provides guidelines primarily for US federal agencies, but their guidelines are used by private companies globally. The idea here is that if the NIST password guidelines are good enough for US federal agencies that deal with some of the most sensitive data in the world, then they’re good enough for most organizations. Similarly, Microsoft has significant sway in the private sector due to its long-standing success and market presence with Active Directory. When two major organizations of this scale decide to drop a traditional cybersecurity practice, it is not without good reason. Multitudes of small, medium and large organizations are going to follow suit. Let’s delve into why forced password expiration policies are no longer needed.
The real message is "oops... did not solve the problem", not "no longer needed". Research and experience have demonstrated that expiration has side effects that make the "weak password" problem worse, not better.
So, back in June 2017, NIST published 800-63B, encouraging the replacement of policies and practices that made authentication weaker. For example: although password expiration is no longer recommended, passwords should be immediately changed if there is suspicion of compromise. Password complexity ("must have a special") is much less effective than length. Sites should focus on compatibility with password managers to encourage unique, random passwords. And most importantly, passwords themselves kinda suck, so we should consider MFA for high-valued assets.
Sure, you could use 800-63B as an excuse to extend your expiration (e.g. from 90 to 370 days), but the real message is that you should be rethinking authentication as a whole to ensure your protections are as good as you think they are and so that your defenses are commensurate with the data being defended.
Let me provide another example of arbitrary expiration having unintended side-effects. It used to be possible to stay logged into the community for months at a time. This inspired me to set up MFA, since it added little overhead to my life. Now, the community seems to require reauthentication every few days, which is a PITA. So, I am now considering turning off MFA so I can store a random-generated password. I am OK with this because (ISC)² website security is not a high-valued asset to me (I pay my AMF by bank check; they have never seen my actual account numbers).
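To make the 800-63B points in the reply above concrete, here is an added example (not code from the thread, NIST or Microsoft) of a verifier-side policy that drops composition rules and age-based expiration in favour of a length floor, a compromised-password blocklist, a context-word check, and a change-on-compromise rule; it also flags the "Summer2019 to Summer2020" increments that forced rotation encourages. The breached list and Account values are constructed sample data.

```python
"""Password-policy checks in the spirit of NIST SP 800-63B (section 5.1.1).

Added example, not code from the thread, NIST or Microsoft. BREACHED and the
Account values are constructed sample data; the length thresholds are 800-63B's.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Constructed stand-in for a compromised-password corpus; 800-63B asks for a
# blocklist check like this instead of composition rules.
BREACHED = {"password", "password1", "123456", "qwerty", "letmein", "summer2019"}
MIN_LEN, MAX_LEN = 8, 64  # 800-63B: at least 8 chars; accept at least 64


@dataclass
class Account:
    username: str
    password_set: date
    compromise_suspected: bool = False


def looks_like_increment(old: str, new: str) -> bool:
    """True when `new` is `old` with only its trailing digits changed
    (Summer2019 -> Summer2020), the pattern forced rotation encourages."""
    return old.lower().rstrip("0123456789") == new.lower().rstrip("0123456789")


def check_password(candidate: str, account: Account, previous: Optional[str] = None) -> List[str]:
    """Return the reasons a candidate is rejected; an empty list means accepted."""
    reasons = []
    if len(candidate) < MIN_LEN:
        reasons.append(f"shorter than {MIN_LEN} characters")
    if len(candidate) > MAX_LEN:
        reasons.append(f"longer than {MAX_LEN} characters")
    if candidate.lower() in BREACHED:
        reasons.append("appears in compromised-password list")
    if account.username.lower() in candidate.lower():
        reasons.append("contains the username")
    if previous is not None and looks_like_increment(previous, candidate):
        reasons.append("only the trailing digits changed from the previous password")
    return reasons


def change_required_legacy(account: Account, today: date, max_age_days: int = 90) -> bool:
    """The pre-2019 rule: expire on age alone."""
    return (today - account.password_set).days >= max_age_days


def change_required(account: Account) -> bool:
    """The 800-63B rule: change only on suspected compromise, never on age."""
    return account.compromise_suspected
```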