Should Companies Abandon Their Password Expiration Policies?

In his TechCrunch column, software engineer/journalist Jon Evans writes that last month 'marked a victory for sanity and pragmatism over irrational paranoia.'
I'm talking about Microsoft finally -- finally! but credit to them for doing this nonetheless! -- removing the password expiration policies from their Windows 10 security baseline... Many enterprise-scale organizations (including TechCrunch's owner Verizon) require their users to change their passwords regularly. This is a spectacularly counterproductive policy.

To quote Microsoft: 'Recent scientific research calls into question the value of many long-standing password-security practices such as password expiration policies, and points instead to better alternatives... If a password is never stolen, there's no need to expire it. And if you have evidence that a password has been stolen, you would presumably act immediately rather than wait for expiration to fix the problem... If an organization has successfully implemented banned-password lists, multi-factor authentication, detection of password-guessing attacks, and detection of anomalous logon attempts, do they need any periodic password expiration? And if they haven't implemented modern mitigations, how much protection will they really gain from password expiration...?'

Perfect security doesn't exist. World-class security is hard. But decent security is generally quite accessible, if you faithfully follow some basic rules. In order to do so, it's best to keep those rules to a minimum, and get rid of the ones that don't make sense. Password expiration is one of those. Goodbye to it, and good riddance.

Instead the column recommends password managing software to avoid password re-use across sites, as well as two-factor authentication. 'And please, if you work with code or data repositories, stop checking your passwords and API keys into your repos.'

But if your company still has a password expiration policy, he suggests mailing Microsoft's blog post to your sys-admin. 'They will ignore you at first, of course, because that's what enterprise administrators do, and because information security (like transportation security) is too often an irrational one-way ratchet because our culture of fear incentivizes security theater rather than actual security -- but they may grudgingly begin to accept that the world has moved on.'

Read more of this story at Slashdot.