Microsoft published a draft of the security baseline for Windows 10 version 1903, the May 2019 Update, and Windows Server 2019 (v1903).
While you can download the draft and go through it word by word, you may also head over to the Microsoft Security Guidance blog if you are just interested in the things that changed when compared to security baselines for previous versions of Windows.
The blog post highlights eight changes in particular, and at least one may make the life of computer users more convenient. Microsoft dropped password expiration policies that require frequent password changes from the security baselines for Windows 10 version 1903 and Windows Server 1903.
I worked in IT support for a large German financial organization more than 15 years ago. Security policies were set to very high standards and one of the most painful policies was the enforcement of regular password changes. I cannot remember the exact interval but it happened multiple times a year and rules dictated that you had to pick a secure password, could not re-use any of the parts of the existing password, and had to follow certain guidelines in regards to password selection.
This resulted in many support requests by employees who could not remember their passwords, and others writing their new passwords down because they could not remember them.
Microsoft explains the reason behind the dropping of the password expiration policies in the blog post. Microsoft mentions the same issues that I had when I worked in IT:
When humans pick their own passwords, too often they are easy to guess or predict. When humans are assigned or forced to create passwords that are hard to remember, too often they’ll write them down where others can see them. When humans are forced to change their passwords, too often they’ll make a small and predictable alteration to their existing passwords, and/or forget their new passwords.
Microsoft notes that password expiration policies help against a single scenario only: when passwords get compromised. If a password does not get compromised, there is no need to change passwords regularly.
The default time period for the expiration of passwords was set to 60 days, and the Windows default is 42 days. It was 90 days in earlier baselines; that is a long time and not very effective either as a compromised password may not be changed for several weeks or even months so that an attacker may use it for that period.
Periodic password expiration is an ancient and obsolete mitigation of very low value, and we don’t believe it’s worthwhile for our baseline to enforce any specific value.
Microsoft notes that other security practices improve security significantly even though they are not in the baseline. Two-factor authentication, the monitoring of unusual login activity, or enforcing a blacklist of passwords are mentioned by Microsoft explicitly.
Other changes that are noteworthy:
Now You: What is your take on password expiration policies?
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.