If you’re fed up with being pestered every month to change your password, just as you’ve memorized your last one, then we have good news for you. Microsoft is in your corner, and has admitted that it’s unnecessary.
The latest official Microsoft advice, shared via their blog, suggests that regular requests to update your password may hinder rather than help your security, which is why the company suggests dropping the activity.
What has Microsoft Done?
In its most recent update to the Security Baseline of Windows 10 (v1903), Microsoft has removed its password expiration policy. This is the feature that regularly asks you to update your password at certain intervals (usually around 30 days).
In removing it, Microsoft has unapologetically thrown into disarray large portions of the security industry, which for years has favored the constant updating of passwords to keep those pesky cyber thieves on their toes.
According to Microsoft, updating passwords is nothing more than a drop in the ocean, and there are much better ways to protect users that don’t rely on having them simply add a number to the end of their existing password every month (yes, we’re on to you).
Why has Microsoft Ditched Password Updates?
Simply put, Microsoft doesn’t believe that forcing users to update their password is an effective substitute for actual account protection. In Microsoft’s words:
If a password is never stolen, there’s no need to expire it. And if you have evidence that a password has been stolen, you would presumably act immediately rather than wait for expiration to fix the problem.
The point is that by constantly asking your users to update their passwords, you’re creating a much less secure environment, as they are much more likely to choose an easy-to-remember password, write it down, or just forget it. All of this is done on the assumption of a threat which may not exist at all. Microsoft also argues that if your password is stolen or hacked, waiting a month before changing it would be rather ineffectual anyway.
Instead, Microsoft thinks that more effort should be put into other types of prevention. One such method, which it’s recommending to its business users, is for company IT departments to feed any known compromised passwords into their system, and remove the problematic ones this way. Any users that haven’t had their passwords stolen are unaffected.
For individuals wanting to know if their password has been hacked, it’s worth regularly checking the site haveibeenpwned.com, which collects lists of millions of leaked passwords in one place, and can tell you which passwords associated with your account have been targeted, as well as when and where.
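The screening of known compromised passwords described above, as an added Python example that is not Microsoft's code or any product's. It assumes a list of SHA-1 hashes with occurrence counts, one "HASH:COUNT" pair per line; the sample passwords, the function names and the extra check for a bumped trailing number (the habit mentioned earlier) are assumptions of this example.

```python
import hashlib
import re

def sha1_hex(password):
    """Uppercase hex SHA-1, the form assumed for the compromised-hash list."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def load_corpus(lines):
    """Parse 'HASH:COUNT' lines into {hash: count}, skipping malformed rows."""
    corpus = {}
    for line in lines:
        digest, sep, count = line.strip().partition(":")
        if sep and len(digest) == 40 and count.isdigit():
            corpus[digest.upper()] = int(count)
    return corpus

def numbered_predecessors(password, lookback=12):
    """Yield the password with its trailing number lowered by 1..lookback."""
    match = re.fullmatch(r"(.*?)(\d+)", password, flags=re.S)
    if not match:
        return
    stem, digits = match.groups()
    for step in range(1, lookback + 1):
        value = int(digits) - step
        if value < 0:
            break
        yield stem + str(value).zfill(len(digits))  # keep zero padding

def screen(password, corpus, lookback=12):
    """Return (verdict, count): 'compromised', 'increment' or 'ok'."""
    count = corpus.get(sha1_hex(password))
    if count is not None:
        return "compromised", count
    for earlier in numbered_predecessors(password, lookback):
        count = corpus.get(sha1_hex(earlier))
        if count is not None:
            return "increment", count  # a compromised password, number bumped
    return "ok", 0

# Constructed sample list: hashes are computed here from made-up passwords.
SAMPLE_LINES = [f"{sha1_hex(p)}:{n}" for p, n in
                [("Summer2019", 1520), ("Welcome01", 9876)]] + ["not-a-hash-line"]
CORPUS = load_corpus(SAMPLE_LINES)

if __name__ == "__main__":
    for candidate in ("Summer2019", "Summer2020", "Welcome03",
                      "correct horse battery staple"):
        print(candidate, screen(candidate, CORPUS))
```

Run at password-change time, a check like this rejects only the passwords that are actually on the list (or one increment away from it) and leaves every other user alone.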
So I Won’t Ever Have to Update my Password Again?
Well, maybe. While Microsoft won’t force you to change your password without reason, other account providers you use might not be as carefree. Your employer may insist you continue to change your corporate password at set intervals, for example. Microsoft also hasn’t removed the password expiration system from Windows 10, but has simply advised that it is ineffective and unnecessary, and that there are better ways to protect users.
So you might still be stuck with the task of creating inventive new passwords each month, even though you now know that it’s a pretty futile task. However, if this is the case, make sure that your new passwords are robust. We can help you with that, with our guide to creating a new password.
And if you’re fed up with the daily struggle of remembering your passwords and the need to come up with new ones, a password manager is the perfect antidote. Not only do password managers remove the need to ever remember a password again, they can also create new secure passwords on your behalf. Some are even able to tell you if your chosen password has been compromised, without you having to check this yourself. With plenty of great options available for free, plus more feature-rich versions available for just a few dollars a month, it’s an excellent way to remove the stress and worry about your details being compromised.