Microsoft Will Stop Forcing Password Changes, but It Doesn’t Mean You Should Stop Making Changes

According to the latest statistics, nearly 56% of all Windows OS users run Windows 10, which is the most popular version of the operating system, followed by Windows 7 at 33%. Undoubtedly, in time, the gap between these numbers will grow bigger and bigger. If Microsoft doesn’t release a new version of Windows – and it shouldn’t, considering these claims – we will only see new updates being applied. The next update, known as Windows 10 May 2019 Update is right around the corner, and it is bringing in quite a few changes. The one we are most curious about is the change to the password expiration policy. Up until now, Windows 10 users were forced to change passwords periodically, but Microsoft decided that that is no longer sustainable or effective.

Aaron Margosis, the Principal Consultant at Microsoft, explained the reasons why there will be a stop to Microsoft forcing to change passwords in the Microsoft Security Guidance blog.

Periodic password expiration is an ancient and obsolete mitigation of very low value, and we don’t believe it’s worthwhile for our baseline to enforce any specific value. […] At the same time, we must reiterate that we strongly recommend additional protections even though they cannot be expressed in our baselines.

Undoubtedly, at some point, Microsoft forced to change passwords because the company believed it could increase the protection of users. However, that is no longer believed to be the case. On the contrary, it is now believed that if people change Windows passwords frequently, they are more likely to expose themselves to security threats. This is nothing new, and we have already covered the risks that users could be taking by changing passwords frequently HERE and HERE. The bottom line is that when people are forced to change Windows passwords, they tend to be lazy and careless, by which we mean that they do not follow the rules of creating strong and impenetrable passwords.

Mr. Margosis has reiterated this notion in the blogpost by stating that when Microsoft forced to change passwords, users were picking easy-to-guess and weak passwords. Even if they were creating strong passwords, they were writing them down, which might be equally as dangerous as creating a weak password. Furthermore, it is also known that when people changed Windows passwords, they would usually make small changes, which never increases the security.

Windows passwords post Windows 10 v1809 update

The Windows v1809 update is bringing in all kinds of changes. Besides the changes to the Windows password expiration policy, after the update, Windows 10 will have the Enable svchost.exe mitigation options policy to secure svchost.exe services. Windows 10 users will also be unable to use voice recognition to communicate with apps while the computer is locked. Furthermore, the operating system will no longer use a specific BitLocker drive encryption method.

The Windows 10 May 2019 Update will offer Windows 10 users a new Light theme, an enhanced Start menu, and a more straightforward error messaging system. We will review the changes once they come in, but we cannot wait to discuss the password expiration policy because a Windows password, for most, is the first and only key to unlock the system. While Microsoft has enabled Azure AD to offer Password protection and Custom banned passwords services, and multi-factor authentication can be employed as well, users of Desktop computers and even laptops do not always employ additional security measures because they wrongly assume that setting a Windows password is enough. This might be the reason why Microsoft is not changing strict password configurations, which include minimum password length, history, and password complexity.

Although Microsoft provides users with various tools that can help them create stronger Windows passwords and enhance the security overall, it is important to start with the basics, and, in this case, it is the password. According to NetworkWorld, Windows passwords must be at least 6-characters long and include 3 different types of characters, including upper/lower-case characters, special characters, numbers, and/or unicode characters. Unfortunately, even when you adhere to the rules, you might create an extremely weak password because, for example, Pa$$word123 is a password that meets all of the requirements, but it is easy to guess and, therefore, is considered to be weak.

How to create a Windows password that holds up

If you want to be protected, you need to lock up, and your Windows 10 password is the first one to think about. Of course, every single password you create must be strong, because your virtual security is as strong as its weakest link. You should apply the same advice to all of your devices, operating systems, social media profiles, and all other virtual accounts.

First and foremost, you want to make sure that your password is as long as possible. In today’s world, passwords that are made up of 12-14 character are no longer considered to be extremely lengthy. In fact, some people go way up when using passphrases and algorithm passwords. If you choose these methods as well, make sure you are familiar with the mistakes that people commonly make, and weigh all pros and cons. Once your long and complex Windows password is created, you might be inclined to write it down on a piece of paper or keep it in a Document file saved on a cloud drive. Writing down passwords is never a good idea, and it is, without a doubt, much safer to implement a password manager that can encrypt the password and show it to you (if you forget it, for example) only if you authenticate yourself successfully. This tool can save and protect every single password you create. Of course, when it comes to Windows passwords, you will not be able to access your password manager on the locked PC, but if you choose to encrypt and save passwords on a cloud drive, you will be able to connect to your account from any device!

If you think that your current Windows password requires an update, or if you have not added a password yet, follow these instructions to change things for the better.

How to create/update Windows password on Windows 10

1. Click the Windows/Start logo on the Taskbar.
2. Open Control Panel and then move to User Accounts.
3. Click User Accounts and then move to Make changes to my account in PC settings.
4. In the menu on the left click Sign-in options.
5. In the Password section click the Add/Change button (depends on whether you are creating or updating).
6. Enter a New password (or enter the Current password and then create New password).
7. Add the Password hint to help you remember the password if you forget it and click Next.