In its latest security blog post (https://blogs.technet.microsoft.com/secguide/2019/05/23/security-baseline-final-for-windows-10-v1903-and-windows-server-v1903/), Microsoft announced a major change in its security configuration baseline. In short, it is dropping the password expiration policy: if your Windows build is set to the default, Windows will no longer ask you to change your password every 42 days.
A bold and game-changing move. Microsoft's reasoning is based on three major problems with how people use passwords:
1. People tend to choose weak/easy passwords.
A 2019 survey by CNN (https://edition.cnn.com/2019/04/22/uk/most-common-passwords-scli-gbr-intl/index.html) showed that ‘123456’ is still the most popular password for people to use. As most people use their email address in combination with their password to log in, and email addresses are usually publicly available, this makes life very easy for anyone who wants to get hold of your personal information. Millions of people are victims of identity theft every year, and the numbers are rising.
2. People tend to reuse their passwords.
Can you remember 50 different unique passwords at the same time? And would you be able to completely change that list on a monthly basis? Even if you could, it would be a major pain in the ass. So we tend to use the same password for everything, or with a slight variation, because it makes life easier. This also makes you vulnerable, because if one password gets stolen, an attacker will almost certainly try it against other services to see what else it unlocks.
3. We don’t store our passwords safely.
Although more and more people use password managers nowadays, I often find that people either don't know password managers exist or don't trust a single entity to hold all of their passwords. Instead, they put post-its on computers, leave notes in their drawer at work or keep pieces of paper in their wallet. Although this might lower the risk that your information gets stolen digitally, it is still not a very secure method.
Given the above, Microsoft's reasoning is that forcing people to change their passwords regularly makes them more likely to use weak passwords, more likely to reuse them and more likely to store them unsafely. Instead, Microsoft recommends that people do the following:
1. Choose a strong password that they only change when informed of a breach
2. Use multi-factor authentication (usually with the help of their phone)
3. Use a password manager to store passwords
There are, however, a few flaws in this logic. For one, those who are not concerned with protecting their online data will probably not change their behavior. They will most likely stick with the password they have right now for eternity. This will be the password that all of their other apps use as well, and a password manager is either too complicated, too much work, or (in many cases) too expensive. The same goes for 2FA: it is just an extra hurdle when signing in, and most people cannot be bothered. So while Microsoft's logic is sound, and reason enough to let go of the policy, on its own it will not make the internet safer.
What would make it safer?
1. Change the policy so that consumers who want to get rid of the password renewal policy have to enable another form of security. Whether this is facial recognition, 2FA, or something else should be up to the user, as long as it adds to their security.
2. When you have to inform users of a security breach, do not just send them an email: make it a mandatory pop-up screen in their Windows build and make sure they cannot continue without changing their password. If Microsoft can push updates about Privacy & Terms, it shouldn't be too difficult to do this.
3. When users want to connect external services to their Microsoft products, actively warn them about password reuse and 2FA. Explain to them that a chain is only as strong as its weakest link. This may sound obvious, but from what I have seen, it cannot be repeated often enough.
People are responsible for their own actions online, but the growing complexity of Internet+ does not release companies from their responsibility to create awareness and a safe environment.