Monday, April 29, 2019

Microsoft drops the requirement for periodic password changes

Microsoft has announced changes to its Windows security baseline, the standard that guides its recommended policies and their corresponding settings for Windows networks. Among the changes is a drastic one regarding periodic password changes: instead of requiring passwords to be changed every 60 days, the new baseline drops the requirement for periodic changes entirely.

Companies use these recommendations to decide their internal security strategies and policies. Some of the recommendations correspond to a setting in Windows, so that the system itself can enforce compliance with the standard.

In a post on its official security guidance blog, Microsoft explains that periodic password expiration is an old practice that can be enforced with a single configuration setting. There are, however, more effective ways to secure authentication, such as two-factor authentication and banning weak and common passwords. A company that had adopted all of those practices but did not require periodic password changes could still be penalized by auditors checking compliance with Microsoft's recommended standard. Those other practices cannot be configured through Windows's own policy settings, which is why they do not appear in Microsoft's settings-specific recommendations for the system.

The complexity requirement, the minimum length and the password history (which prevents reuse of previous passwords) remain unchanged.

Why change a password periodically?

The purpose of periodic password changes is to lock out an attacker who has already obtained the password. If an attacker gains access to an employee's email after obtaining that employee's password, a periodic change will block the attacker's future access.

The problem with this reasoning, as Microsoft's own post explains, is that even a company that follows the recommendation and requires the change could still be exposed for up to 60 days before the change happens. Ideally, in such cases, the intrusion would be detected and the password changed immediately. According to Microsoft, recent scientific research casts doubt on the supposed gains from regularly changing passwords. Experts in the field had raised this argument several years earlier, and the US National Institute of Standards and Technology (NIST) had also dropped the periodic-change requirement, recommending changes only after evidence of fraudulent activity.

Although Microsoft's recommendations are aimed at companies, they also apply to other services, including online ones.
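As an added example (not part of the G1 article, the Microsoft baseline or Microsoft's own tooling), the script below audits the password settings of a Windows local security policy export against the policy described above: complexity, minimum length and history are still checked, while a forced maximum password age is reported but no longer counted as a finding. The key names are those that `secedit /export /cfg policy.inf` writes under `[System Access]`; the two sample exports and their numbers are constructed for this example, the 14-character and 24-entry thresholds are example defaults chosen here rather than values the article states, and treating a `MaximumPasswordAge` of -1 or 0 as "never expires" is an assumption about how the export encodes that setting.

```python
"""Audit a Windows local security policy export for the password settings
discussed in the article: complexity, minimum length and history stay
enforced, while a scheduled maximum password age is no longer required."""
import configparser

# Key names are those `secedit /export /cfg policy.inf` writes under [System Access].
# The values below are constructed for this example, not taken from any real host.
OLD_STYLE_POLICY = """
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 60
MinimumPasswordLength = 8
PasswordComplexity = 0
PasswordHistorySize = 5
[Version]
signature="$CHICAGO$"
Revision=1
"""

NEW_STYLE_POLICY = """
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = -1
MinimumPasswordLength = 14
PasswordComplexity = 1
PasswordHistorySize = 24
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_system_access(inf_text):
    """Return the [System Access] settings as a dict, integers where possible.

    A real export is UTF-16: use open(path, encoding="utf-16").read() first.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep the key names' case as written
    parser.read_string(inf_text.lstrip())
    settings = {}
    for key, value in parser["System Access"].items():
        try:
            settings[key] = int(value)
        except ValueError:
            settings[key] = value  # e.g. NewAdministratorName = "..."
    return settings


def forces_expiry(settings):
    """True when the policy still makes users change passwords on a schedule.

    Assumption: MaximumPasswordAge of -1 (as exported) or 0 (as the GUI shows
    it) means 'password never expires'; any positive value is a number of days.
    """
    age = settings.get("MaximumPasswordAge")
    return isinstance(age, int) and age > 0


def audit(settings, min_length=14, min_history=24):
    """Findings against a baseline that keeps the three unchanged controls.

    The 14/24 defaults are example thresholds chosen here, not values from the
    article. MaximumPasswordAge is deliberately never a finding, either way.
    """
    findings = []
    if settings.get("PasswordComplexity") != 1:
        findings.append("PasswordComplexity is disabled")
    length = settings.get("MinimumPasswordLength", 0)
    if length < min_length:
        findings.append(f"MinimumPasswordLength {length} is below {min_length}")
    history = settings.get("PasswordHistorySize", 0)
    if history < min_history:
        findings.append(f"PasswordHistorySize {history} is below {min_history}")
    # Two-factor authentication and banned-password lists live in other systems
    # (an identity provider, a password-filter service), so nothing in this file
    # can confirm or refute them; they need a separate check.
    return findings


if __name__ == "__main__":
    for name, text in (("old", OLD_STYLE_POLICY), ("new", NEW_STYLE_POLICY)):
        s = parse_system_access(text)
        print(name, "forces expiry:", forces_expiry(s), "findings:", audit(s))
```

Running the script on the two constructed exports shows the point of the article: the old-style policy forces a 60-day change yet fails the three checks that actually matter, while the new-style policy never expires passwords and passes cleanly.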
G1 - 28/04/2019 News Item translated automatically