• Microsoft: Forced password changes don’t work

    Home » Forums » Newsletter and Homepage topics » Microsoft: Forced password changes don’t work

    • This topic has 12 replies, 8 voices, and was last updated 6 years ago.

    Tags:

    Author
    Topic
    woody
    Manager
    April 25, 2019 at 3:30 pm #964144

    Yesterday, Sergiu Gatlan at BleepingComputer wrote about Microsoft’s newfound antipathy to forced frequent password changes. You know the problem: Eve
    [See the full post at: Microsoft: Forced password changes don’t work]

    2 users thanked author for this post.
    abbodi86, PhotM
    Reply | Quote
    Viewing 5 reply threads
    Author
    Replies
    • Lugh
      AskWoody_MVP
      April 25, 2019 at 4:14 pm #965287
      woody wrote:

      Forcing you to change them every 30 days only pushes you toward less secure passwords

      Yes, that’s been known in security circles for a long time—in corporate IT depts, not so much 🙁

      Has MS been making us change passwords, or are you just applauding them for supporting the cause? I use Windows, Outlook.com & Office 365, and can’t remember being asked to change my password.

      Even my online financial outfits seem to have learned, they no longer demand 90-day resets either.

      Lugh.
      ~
      Alienware Aurora R6; Win10 Home x64 1803; Office 365 x32
      i7-7700; GeForce GTX 1060; 16GB DDR4 2400; 1TB SSD, 256GB SSD, 4TB HD

      Reply | Quote
    • cyberSAR
      AskWoody Plus
      April 25, 2019 at 5:34 pm #967472

      Always thought that was a stupid requirement. Can’t tell you how many machines I get in here with sticky notes with their login info, exchange login etc.

      They all complain because while they had a good password initially the constant changing confused them.

      3 users thanked author for this post.
      wavy, rc primak, woody
      Reply | Quote
      • rc primak
        AskWoody_MVP
        April 28, 2019 at 11:31 am #1067568

        It’s not like you can’t go to any number of online password generators and get a billion good, long, strong passwords. But humans can’t remember these passwords, so frequent changes are counterproductive. They always end up in plain-text files in My Documents or sticky notes attached to the computer.

        The best answer so far has been to use a USB Key as the “passkey”. (You can create such keys without relying on commercial interests.) Google, Microsoft and Yahoo are among many large site operators which allow some sort of USB Key to be used in place of a password now, and the trend is growing. Just don’t lose that USB Key! (There are Account Recovery options, but these are a real pain to go through.)

        -- rc primak

        1 user thanked author for this post.
        wavy
        Reply | Quote
    • Paul T
      AskWoody MVP
      April 26, 2019 at 1:30 am #980415

      The change is probably in response to the NIST change.
      https://www.enzoic.com/surprising-new-password-guidelines-nist/

      cheers, Paul

      Reply | Quote
    • Alex5723
      AskWoody Plus
      April 26, 2019 at 1:36 am #980565

      Microsoft also increased the minimum storage requirement for 1903 from 16GB to 32GB for both 32 & 64 bit OS.

      https://docs.microsoft.com/en-us/windows-hardware/design/minimum/minimum-hardware-requirements-overview#331-storage-device-size

      Reply | Quote
    • anonymous
      Guest
      April 26, 2019 at 5:28 pm #1004151

      If you’re going by unassisted password solutions, then having a unique LongBu7EasyToRemember! password is better than Short ones changing every 3 months.  Yearly change is about right.  When it comes to assisted password solutions, then having short life passwords are neutral to good.

      Eg: if you have 2 Factor Authentication, frequent password changes are neutral; there’s tradeoffs and a case could be made (I wouldn’t though).  Password managers with 32 character randomly generated passwords are secure.  Keep 3-4 long and easy to remember passwords on hand for what’s critical: Password manager, primary email, desktop system, possibly financials.  Change them every once in a while just in case, and do not reuse.  And keep these out of the password manager.

      The former option works well if you don’t need many passwords.  Problem is that the amount of sites we have that use passwords continuously grows.  I’ve got at least 40 passwords and those that aren’t in a password manager are one of about 10 of the LongBu7EasyToRemember! types.  Then I got pwned and about a dozen of my accounts became exposed (no big deal, the password they got was for tertiary stuff).  There’s probably sites I’m on that I’ve forgotten, are pre-Password Manager, and will be used maliciously in the future.

      That doesn’t discount the fact that my mother gets flustered trying to remember 3 passwords… So unassisted password solutions are quickly become obsolete.  “Sufficiently complex” passwords are only secure as long as they’re not exposed.

      Reply | Quote
    • Paul T
      AskWoody MVP
      April 27, 2019 at 2:21 am #1018752
      anonymous wrote:

      Keep 3-4 long and easy to remember passwords on hand for what’s critical: Password manager, primary email, desktop system, possibly financials.  Change them every once in a while just in case, and do not reuse.  And keep these out of the password manager

      Or, use one long and complex password for your password manager and save everything else in it. As long as you have access to a backup of your password manager you don’t need to remember other passwords.

      cheers, Paul

      Reply | Quote
      • rc primak
        AskWoody_MVP
        April 28, 2019 at 11:33 am #1067621

        And hope your password manager’s database doesn’t get hacked.

        Easier to avoid when you control the database than if it lives in the Cloud or in (gasp!) your web browser.

        -- rc primak

        1 user thanked author for this post.
        wavy
        Reply | Quote
        • Paul T
          AskWoody MVP
          April 29, 2019 at 1:36 am #1088493

          What sort of password manager has a hackable database? Oh, yes, those online ones that keep reporting they’ve been hacked.
          I use a local password manager but use the cloud for backup.

          cheers, Paul

          1 user thanked author for this post.
          rc primak
          Reply | Quote
    Viewing 5 reply threads
    Reply To: Reply #1088493 in Microsoft: Forced password changes don’t work

    You can use BBCodes to format your content.
    Your account can't use all available BBCodes, they will be stripped before saving.

    Your information:




    Cancel
DON'T MISS OUT!
Subscribe to the Free Newsletter
We promise not to spam you. Unsubscribe at any time.
Invalid email address

View the Forum

  • Recent Replies
  • My Replies
  • My Active Topics
  • New Posts in the Last day
  • Private Messages
  • Knowledge Base
  • How to use the Forums
  • All Forums

    • Recent Topics

    My Profile

    May 2025
    S M T W T F S
     123
    45678910
    11121314151617
    18192021222324
    25262728293031

    Remembering Woody

     

    Want to Advertise in the free newsletter? How about a gift subscription in honor of a birthday? Send an email to sb@askwoody.com to ask how.

    Mastodon profile for DefConPatch
    Mastodon profile for AskWoody

     

    Home About FAQ Posts & Privacy Forums My Account
    Register Free Newsletter Plus Membership Gift Certificates MS-DEFCON Alerts

    Copyright ©2004-2025 by AskWoody Tech LLC. All Rights Reserved.