Byebye 60-day password expiration

by Volker Weber

For many years, Microsoft has published a security baseline configuration: a set of system policies that are a reasonable default for a typical organization. This configuration may be sufficient for some companies, and it represents a good starting point for those corporations that need something stricter. While most of the settings have been unproblematic, one particular decision has long drawn the ire of end-users and helpdesks alike: a 60-day password expiration policy that forces a password change every two months. That reality is no longer: the latest draft for the baseline configuration for Windows 10 version 1903 and Windows Server version 1903 drops this tedious requirement.

I wonder how many years it will take for Enterprise IT to catch up.


Comments

At least one can say: Shots fired.

Frank Quednau, 2019-04-25

60! ;-)

Markus Dierker, 2019-04-25

As long as the BSI in Germany does not change its opinion on this in the IT-Grundschutz, probably not that quickly.

Gerhard Heeke, 2019-04-25

BSI Grundschutz is one thing.
Many in IT no longer have the motivation to do anything new and would rather hold on to old things - "the ones you know and have mastered".
As long as there are still Windows XP machines with TeamViewer sitting behind firewalls and jump servers, running oh-so-important "business-critical applications", we will keep seeing passwords...
Plants from the 80s with DOS 6.22 - passwords.
The motivations and reasons for this are well known.
In the scenarios mentioned above, the BSI would run for the hills.
Unfortunately, that is reality.
You find it everywhere.

Jürgen Sting, 2019-04-26

After they tried it here in a DAX 30 company with 35 days or so, it was changed to 90 days several years ago. That was probably too annoying for the top managers. :)

Recently we finally switched some internal Windows (NT!) machines away from logging in with the password "admin"... When the internal budget holders don't get a "pot" for upgrades, everything just takes a bit longer.

Thomas Meyer, 2019-04-26

Advantage of the NT machine: it is now so old that the chance increases that malware can't do anything with it.....

Patrick Bohr, 2019-04-26

@Patrick: Reportedly, WannaCry only produced a blue screen on Windows XP SP1... :-)

Ragnar Schierholz, 2019-04-26

My employer (one of the biggest companies in this country) just changed the minimum password length to 15 and got rid of the expiration policy for our main accounts. Instead there is some routine running all the time which checks the passwords. If it can crack yours then you’ll be forced to change your password. This way only people with weak passwords will be bothered and will hopefully learn.

Now there is only one problem left: too many systems which do not use the main account.

Torsten Rausche, 2019-04-29
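The approach Torsten describes (a long minimum length plus an ongoing check against known-cracked passwords instead of a fixed expiration) can be sketched as a policy check. This is an added example, not the employer's routine from the comment: the 15-character minimum is taken from the comment, the breached-password corpus is a constructed stand-in for a real one such as Pwned Passwords, and the `prefix`/`suffix` split mimics the k-anonymity range query that service uses so the full hash never leaves the client.

```python
import hashlib

MIN_LENGTH = 15  # the minimum the commenter's employer adopted

# Constructed, hypothetical sample of a breached-password corpus, stored as
# upper-case SHA-1 hex digests (the format the Pwned Passwords data set uses).
_BREACHED_PLAINTEXT = [
    "Password123456789",
    "Summer2019!!!!!!",
    "correcthorsebatterystaple",
]
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper() for p in _BREACHED_PLAINTEXT
}


def k_anonymity_prefix(password: str) -> tuple[str, str]:
    """Split SHA-1(password) into the 5-char prefix sent to a range query
    and the remaining suffix that is compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def lookup_suffixes(prefix: str) -> set[str]:
    """Stand-in for the range query: every known-breached suffix whose
    hash starts with `prefix`. A real client would query a service here."""
    return {h[5:] for h in BREACHED_SHA1 if h.startswith(prefix)}


def check_password(password: str) -> list[str]:
    """Return the list of policy violations; an empty list means the
    password is acceptable. Note there is no age check: expiration is
    replaced by length and breach screening."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    prefix, suffix = k_anonymity_prefix(password)
    if suffix in lookup_suffixes(prefix):
        problems.append("appears in breached-password list")
    return problems


if __name__ == "__main__":
    for candidate in ["short", "Password123456789", "a-long-unique-passphrase-xyz"]:
        print(candidate, "->", check_password(candidate) or "ok")
```

The same check can be re-run periodically against stored hashes as new breach data arrives, which is what makes it a substitute for time-based expiration rather than a one-off enrollment gate.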

Argument against no expiration: users use their work password also on private accounts (like Spotify).

Problem with that: one of these private accounts lands on a password list and then the company account is easily hacked.

Or do I miss something here?

Matthias Welling, 2019-04-30

First: It is very unlikely that they use their company ID as their Spotify ID. But more importantly, passwords are unsafe, even if they are changed every 60 days. You need to do better.

Volker Weber, 2019-04-30
