Tip #1083: Don’t expire your passwords

Mini Truckstop

Dynamics CRM TipperJonas “The Shuffler” Rapp fed us a perfect question for a security slam dunk.

Recommended expiration settings

Really?

(Jonas’s words, not mine)

Yes, really. We’ve already mentioned the brilliant password guidance in our tip 1031. Since some folks seem to have missed the memo, here’s the quote from the guidance (highlights are mine – g.d.).

Most administrators will force users to change their password at regular intervals, typically every 30, 60 or 90 days. This imposes burdens on the user (who is likely to choose new passwords that are only minor variations of the old) and carries no real benefits as stolen passwords are generally exploited immediately. Long-term illicit use of compromised passwords is better combated by:

  • monitoring logins to detect unusual use
  • notifying users with details of attempted logins, successful or unsuccessful; they should report any for which they were not responsible

Regular password changing harms rather than improves security, so avoid placing this burden on users. However, users must change their passwords on indication or suspicion of compromise.

It’s good to see Microsoft reviewing and adjusting their security recommendations on a regular basis. Stay safe, folks!

One thought on “Tip #1083: Don’t expire your passwords

  1. MrE says:

    Currently, I have some email account which just overdoes the latter (why do I have a ‘pass’-word for??):

    90% of my inbox is full of ‘security’ alerts because I frequently switch between browsers, a wide variety of operating systems I am working with and the countries I am working from.

    Which at the end
    a) leads me to totally ignore these messages and auto-forward them to the bin
    b) worries me predominantly about the prying eyes (‘security’?) of the IT industry & governments or others (!) tracking my behaviour on every step or stumble.
    What if organised crime ramps up its technological ‘calibre’ in lockstep …

    Cheers!

Leave a Reply

Your email address will not be published. Required fields are marked *