Password expiration is a common practice in enterprise environments – requiring users to regularly change their passwords.
This practice was sold as a security measure – however, changing a password that has not been compromised adds no security – if anything, it encourages users to write down their ever-changing passwords.
However, this could soon become a thing of the past, with Microsoft removing it from the default password policy in its Active Directory product.
On 23 May 2019 Microsoft released the security baseline for Windows 10 v1903 and Windows Server v1903, stating:
“Periodic password expiration is an ancient and obsolete mitigation of very low value, and we don’t believe it’s worthwhile for our baseline to enforce any specific value.”
The security baseline is the default security policy for Microsoft products, and it is used to guide administrators when configuring the security of their networks.
It’s unlikely that administrators will be quick to change their own policies – but this paves the way to showing that password expiration is no longer necessary – or sufficient – when it comes to securing a network.
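Whether a domain still enforces expiration is decided by its own policy objects, not by the baseline, so an administrator weighing this change needs to see what is currently in force. The script below is an added example, not code from the article or from Microsoft; it only reads configuration. It assumes the ActiveDirectory PowerShell module (RSAT) is installed, that it runs on a domain-joined machine with read access to the domain, and that the current domain is the one to audit (swap in `-Identity 'corp.example'` on `Get-ADDomain` for another; that name is a placeholder).

```powershell
# Added example (not from the original article): report the password-expiration
# settings a domain actually enforces, so the effect of dropping expiry can be
# judged against the real configuration rather than the baseline document.
Import-Module ActiveDirectory

$domain = Get-ADDomain   # current domain; use -Identity 'corp.example' (placeholder) for another

# Helper: MaxPasswordAge is a TimeSpan; a zero value means passwords never expire.
function Format-MaxAge([TimeSpan] $age) {
    if ($age -eq [TimeSpan]::Zero) { 'never expires' } else { "$($age.Days) days" }
}

# 1. Default domain policy – what most accounts get unless a PSO overrides it.
$default = Get-ADDefaultDomainPasswordPolicy -Identity $domain.DistinguishedName
[pscustomobject]@{
    Scope             = 'Default domain policy'
    MaxPasswordAge    = Format-MaxAge $default.MaxPasswordAge
    MinPasswordLength = $default.MinPasswordLength
    PasswordHistory   = $default.PasswordHistoryCount
    LockoutThreshold  = $default.LockoutThreshold
    Complexity        = $default.ComplexityEnabled
}

# 2. Fine-grained password policies (PSOs) override the default for the groups and
#    users they apply to, so an audit that stops at the default policy can miss an
#    expiry that is still being enforced for, say, administrators.
Get-ADFineGrainedPasswordPolicy -Filter * | ForEach-Object {
    [pscustomobject]@{
        Scope             = "PSO '$($_.Name)' (precedence $($_.Precedence))"
        MaxPasswordAge    = Format-MaxAge $_.MaxPasswordAge
        MinPasswordLength = $_.MinPasswordLength
        PasswordHistory   = $_.PasswordHistoryCount
        LockoutThreshold  = $_.LockoutThreshold
        AppliesTo         = ($_.AppliesTo -join '; ')
    }
}

# 3. Accounts already exempted from expiry by the per-account flag. These are worth
#    knowing about either way: if expiry is kept, they are the exceptions; if it is
#    dropped, the flag no longer distinguishes them from everyone else.
$exempt = Get-ADUser -Filter 'PasswordNeverExpires -eq $true -and Enabled -eq $true' |
          Select-Object -ExpandProperty SamAccountName
"Enabled accounts with PasswordNeverExpires set: $($exempt.Count)"
$exempt | Sort-Object | ForEach-Object { "  $_" }
```

Run it before changing anything and keep the output: it records which policy objects (default or PSO) currently set a maximum password age, and it gives a baseline to compare against once the setting is relaxed, so that the other controls the report lists (minimum length, lockout threshold, history) are not loosened by accident in the same edit.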