Microsoft: changing passwords frequently is an 'archaic and obsolete' request

in #microsoft, 5 years ago

Periodic password changes can do more harm than good. The claim comes from Microsoft, in a post published at the end of May that is back in the news in recent hours thanks to certain American sites, in which we read that the requirement is in fact only a "minor, archaic and obsolete mitigation." Microsoft itself, however, had recommended the practice for decades.

In the article, Microsoft indicated that the periodic password change had been removed from its baseline security requirements with the May 2019 Update. The reason for the change of view is that it has been amply proved over time that the passwords that are easiest to remember, such as names or quotes from films or books, are also the easiest to "crack". Attackers often feed dictionaries of millions of words to optimized GPUs in order to guess possible passwords by trial and error, working from any stolen hashes of the clear-text passwords.

Moreover, swapping letters for similar-looking numbers (e.g. "o" with 0, or I with 1) is not sufficient, as it is very simple to write "rules" that alter common words and phrases with numbers in exactly this way. To date, the passwords considered safest are those with at least 11 characters, better still if chosen at random from upper- and lower-case letters, symbols and numbers. The same security specialists have stressed that periodically changing passwords can do more harm than good, as it pushes users, over time, to choose weaker passwords.
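The point about letter-for-number swaps can be checked at password-change time. The following is an added example, not code from Microsoft or from the original post: a small validator that undoes common swaps and rejects a candidate that reduces to a dictionary word or falls under the 11-character length the article cites. The wordlist is a constructed sample and the swap table is an assumption.

```python
# Added example: reject passwords that reduce to a dictionary word once
# common letter/number swaps are undone.

# Constructed sample wordlist; a real deployment would load a large
# dictionary or breached-password list instead.
WORDLIST = {"password", "casablanca", "michael", "hello"}

# Digit/symbol -> letters it commonly stands for (assumed mapping).
SWAPS = {"0": "o", "1": "il", "3": "e", "4": "a", "5": "s",
         "7": "t", "@": "a", "$": "s", "!": "i"}

MIN_LENGTH = 11  # length the article cites for the safest passwords


def reads_as(password, word):
    """True if password spells word once each swap is undone."""
    if len(password) != len(word):
        return False
    return all(w == p or w in SWAPS.get(p, "")
               for p, w in zip(password.lower(), word))


def dictionary_hit(password):
    """Return the wordlist entry the password reduces to, or None."""
    # Also test the password with a trailing run of digits/symbols
    # dropped, e.g. "P4$$w0rd2019!" -> "P4$$w0rd".
    stem = password.rstrip("0123456789!@#$%&*?.")
    for form in (password, stem):
        for word in sorted(WORDLIST):
            if reads_as(form, word):
                return word
    return None


def check(password):
    """Return the reasons to reject password (empty list = accept)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    word = dictionary_hit(password)
    if word:
        problems.append("reduces to dictionary word %r" % word)
    return problems


if __name__ == "__main__":
    for pw in ("P4$$w0rd2019!", "C4s4bl4nc4", "tV9#qLr2&xWz7"):
        print(pw, "->", check(pw) or "accepted")
```

Matching is done position by position against each word, so an ambiguous character such as "1" (either "i" or "l") does not multiply the number of candidates to test.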

Over the years, however, numerous businesses, including Microsoft, have continued to advise regular password changes. In its post, the company now notes that "periodic password expiration is a defense only against the likelihood that a password (or hash) will be stolen during its validity interval and will be used by unauthorized users." And if we consider that password expiration on Windows is currently configured at 42 days, it is evident that if a password has been stolen, this practice is pointless.

However, the changes do not affect the requirements for password length, history and complexity, and the firm still recommends multi-factor authentication even when passwords are highly complex and deemed safe.
