Microsoft has changed its password expiry recommendations and has made a bit of a splash about it.
What have they changed?
Rather than recommending a 60 day password expiry, Microsoft now says to change a password only when you need to: essentially, when you think it may have been breached.
This isn’t a new standard. The NCSC (National Cyber Security Centre) has been pushing this for a couple of years.
The thinking is that passwords aren’t a great way to secure your data and accounts. This is because:
- By the time you make a password complex enough to be secure, it’s too complicated to remember.
- If we enforce regular password changes, most people end up undermining the policy by changing just one thing, whether adding 1 to the mandated number or cycling through punctuation or colours. If someone knows your password was RED56tea%, changing it to RED57tea% isn’t really a change.
What can be done to reduce the risk of password theft?
- Multi-factor authentication
- Banning poor or known leaked passwords
- Password throttling (blocking more than 10 attempts in 5 minutes)
- Detection and blocking of logins from suspicious locations
Other password best practices include:
- Randomly generated passwords held in a password manager, so that even you don’t know them
- Use multi-factor authentication wherever possible – something you know (password) and something you have (your mobile)
- Don’t reuse passwords and don’t just change one number when a password expires
- Don’t share passwords with other people
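Two of the controls above can be shown in code: the throttling rule (block more than 10 attempts in 5 minutes) and a new-password check that rejects known leaked passwords and the RED56tea% to RED57tea% style of one-character change. This is an added example written for this post, not Microsoft or NCSC code; the account names, timestamps and the small banned list are constructed.

```python
"""Added example: sliding-window login throttle with the post's limits
(block more than 10 attempts in 5 minutes) plus a new-password check that
rejects leaked passwords and one-character edits. Sample data is constructed."""
from collections import defaultdict, deque

WINDOW_SECONDS = 5 * 60   # the 5-minute window from the post
MAX_ATTEMPTS = 10         # the 11th attempt inside the window is blocked

class LoginThrottle:
    """Per-account sliding window of failed-attempt timestamps (seconds)."""
    def __init__(self, window=WINDOW_SECONDS, max_attempts=MAX_ATTEMPTS):
        self.window = window
        self.max_attempts = max_attempts
        self._failures = defaultdict(deque)   # account -> failure timestamps

    def _prune(self, account, now):
        q = self._failures[account]
        while q and now - q[0] >= self.window:   # drop attempts outside window
            q.popleft()

    def is_blocked(self, account, now):
        self._prune(account, now)
        return len(self._failures[account]) >= self.max_attempts

    def record_failure(self, account, now):
        self._prune(account, now)
        self._failures[account].append(now)

def within_one_edit(old, new):
    """True if new is old with at most one char substituted, inserted or removed."""
    if abs(len(old) - len(new)) > 1: return False
    i = j = edits = 0
    while i < len(old) and j < len(new):
        if old[i] == new[j]:
            i, j = i + 1, j + 1
            continue
        edits += 1
        if edits > 1: return False
        if len(old) >= len(new): i += 1   # substitution or deletion
        if len(new) >= len(old): j += 1   # substitution or insertion
    return edits + (len(old) - i) + (len(new) - j) <= 1   # trailing leftovers

# Constructed stand-in for a real leaked-password list (store hashes in practice).
BANNED = {"password", "password1", "qwerty123", "letmein"}

def check_new_password(old, new, banned=BANNED):
    """Return a rejection reason, or None when the new password is acceptable."""
    if new.lower() in banned:
        return "known leaked password"
    if within_one_edit(old, new):   # also catches plain reuse (zero edits)
        return "too similar to previous password"
    return None
```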
If you suspect a weakness in your password policy and would like some advice, please get in touch.