
Microsoft drops baseline Windows 10 password expiration policy

Microsoft is getting rid of the 60-day password expiration policy for organizations using its baseline security configuration in Windows 10 with the May 2019 Update. In a draft release of security baseline configurations posted this week, the company explained that password expiration is no longer a useful tool for preventing breaches, and it often causes more headaches than it's worth (via Ars Technica).

By default, Microsoft's current baseline configuration forces users to change their passwords every 60 days. However, as Microsoft explains, this can have the unintended effect of causing people to choose simplistic passwords that are easy to crack, or they will forget their new passwords altogether. Further, if a password is stolen, any set period of time for expiring passwords could still be a liability; the most effective approach would be to have that password changed immediately.

From Microsoft:

Periodic password expiration is an ancient and obsolete mitigation of very low value, and we don't believe it's worthwhile for our baseline to enforce any specific value. By removing it from our baseline rather than recommending a particular value or no expiration, organizations can choose whatever best suits their perceived needs without contradicting our guidance. At the same time, we must reiterate that we strongly recommend additional protections even though they cannot be expressed in our baselines.

In addition to dropping password expiration policies from the baseline configuration, Microsoft is also changing the baseline BitLocker encryption to 128-bit encryption. Previously, Microsoft defaulted to the strongest 256-bit encryption, but the company feels that 128-bit encryption is effective enough. Further, there can be a noticeable drop in performance when moving from 128-bit to 256-bit protection.
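An added example, not code from the article or from Microsoft's baseline package: a PowerShell audit that reports the two settings the draft baseline changes on the local machine, the maximum password age (the old baseline's 60 days versus no enforced value) and the encryption method each BitLocker volume actually uses. It assumes an elevated PowerShell session on Windows 10 with the built-in BitLocker module, and parses the output of `net accounts` for the password age.

```powershell
# Added example (not from the article or Microsoft's baseline): audit the two
# settings the draft baseline changes. Run in an elevated PowerShell window.

function Get-LocalMaxPasswordAge {
    # Parse the "Maximum password age (days)" line from `net accounts`.
    # Returns $null when the policy is "Unlimited" (no expiration enforced).
    $pattern = 'Maximum password age \(days\):\s*(\S+)'
    $line = (net accounts) | Where-Object { $_ -match $pattern }
    if (-not $line) { return $null }
    $value = [regex]::Match($line, $pattern).Groups[1].Value
    if ($value -match '^\d+$') { return [int]$value } else { return $null }
}

function Test-BaselineDrift {
    $report = [ordered]@{}

    # Password expiration: the old baseline forced 60 days; the draft sets no value.
    $maxAge = Get-LocalMaxPasswordAge
    $report['MaximumPasswordAgeDays']  = if ($null -eq $maxAge) { 'Unlimited' } else { $maxAge }
    $report['StillOnOld60DayBaseline'] = ($maxAge -eq 60)

    # BitLocker: the draft baseline moves from 256-bit to 128-bit AES.
    # The method only changes when a volume is re-encrypted, so report what
    # each volume currently uses rather than what policy asks for.
    $report['BitLockerVolumes'] = Get-BitLockerVolume | ForEach-Object {
        [pscustomobject]@{
            MountPoint       = $_.MountPoint
            ProtectionStatus = $_.ProtectionStatus
            EncryptionMethod = $_.EncryptionMethod
            Is256Bit         = ($_.EncryptionMethod -match '256')
        }
    }
    [pscustomobject]$report
}

Test-BaselineDrift
```

Volumes that are not encrypted report an EncryptionMethod of None, so Is256Bit is false for them as well as for 128-bit volumes; read ProtectionStatus alongside it.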

For more on Microsoft's draft security policies and proposals, you can view the company's full blog post.


Dan Thorp-Lancaster is the Editor in Chief for Windows Central. He began working with Windows Central as a news writer in 2014 and is obsessed with tech of all sorts. You can follow Dan on Twitter @DthorpL and Instagram @heyitsdtl. Got a hot tip? Send it to daniel.thorp-lancaster@futurenet.com.

1 Comment
  • Concerning the BitLocker Encryption Level...
    I left it (or rather, reactivated it after I partitioned the SSD) enabled on both my Surface Books when I bought them.
    According to that article, which level would they have? The performance-sucking 256-bit or the good enough 128-bit, and if it's the former, how do I convert them to the latter?
    Thanks in advance =) Edit: Never mind... Just type in manage-bde -status into the Windows PowerShell (Admin) window and it'll display the level - in my case already 128-bit.