Here’s something to ponder: Should User Passwords Expire? Microsoft Ends its Policy

Here’s an article entitled Should User Passwords Expire? Microsoft Ends its Policy and it really makes you think. Here’s what I’m talking about, under the heading “Password Requirements Misused”, which discusses how requirements that sound reasonable end up being a bad practice.

It’s time to create a new password. Your system requires the password to be eight characters long, use one special character, and at least one number.
So what does the user put in place? Software Engineer Joshua Temple says it comes down to users going the easy route:

“Users don’t understand the concept of a secure password – if you can remember it, it isn’t secure. Most websites say ‘Must use one capital letter, special
character and a number, and be eight characters long and do a little jingle’, and then the typical user uses Somewords1234! instead of 71bzcWcN^BJ91*uMO”

Temple suggests that if a user falls into the above category, it is a safe assumption they do not subscribe to the concept of two factor authentication,
and even worse, there is a high likelihood this individual is reusing said poor practices across multiple services. So, even if on the off chance they
use a different password for a sensitive account, in some shape or form, it is associated to a poorly secured account. One breach of an account owned by
this ‘type’ of user, leads to a waterfall of compromised services. Changing passwords on a routine basis is a great practice, but it is only as secure
of a practice as the password itself.

This is a lot to think about, correct? I try not to use the same passwords, even when I generate them myself. I want to remember them and not use LastPass for everything, so I’ve tried to change a combination I can remember and come up with a very interesting pattern. I somehow can’t remember it, and maybe I should get rid of that practice. The heading that got my attention talks about not using your brain; it is titled “Stop Using Your Brain” within the article.

For most organizations there is a balance between ease of use and security, a hypothetical seesaw, which takes us to our final point of view, our IT lead,
Shelby Baylis. While users may want to fly through logins and have everything easily accessible, organizations need to decide which end of the seesaw should
hold the most weight. For a company like ours, Baylis posits that our organization should always tip on the side of stronger security.

Because of this, Baylis feels that, regardless of Microsoft’s shift in policy, organizations should still use time-based prompts to force users
to reset their passwords.

“Many will assume that a complex, memorable password is preferable to a regular interval. The solution is neither. Stop using your brains to create a password.
Use a password manager whether it is a local one like KeePass or a cloud-based one like LastPass. Let them generate a 20+ character password for you and
you just rely on your brain to change your master password on a regular basis.”
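As an added example (my own script, not code from the article or from any of the products it names): a short Python check that applies the complexity rule quoted earlier (eight characters, a number, a special character, a capital), estimates how much a “word + digits + symbol” password really costs an attacker compared with a generated one, and produces a 20+ character password the way a manager does. The 100,000-word dictionary size, the symbol set and the pattern regex are assumptions for illustration.

```python
import math
import re
import secrets
import string

# Special characters assumed for both the policy check and the generator.
SPECIALS = "!@#$%^&*"

# Assumed sizes for the "human" pattern: a 100k-word dictionary, a short digit
# suffix (a year, say) and one of the symbols above.
WORDLIST_SIZE = 100_000
HUMAN_PATTERN = re.compile(r"^[A-Z][a-z]+\d{1,4}[!@#$%^&*]$")


def meets_policy(pw: str) -> bool:
    """The complexity rule from the article: 8+ chars, a digit, a special, a capital."""
    return (len(pw) >= 8
            and any(c.isdigit() for c in pw)
            and any(c in SPECIALS for c in pw)
            and any(c.isupper() for c in pw))


def guess_space_bits(pw: str) -> float:
    """log2 of the guesses needed if the attacker tries the word+digits+symbol
    pattern first and only falls back to brute force for everything else."""
    if HUMAN_PATTERN.match(pw):
        digits = sum(c.isdigit() for c in pw)
        return math.log2(WORDLIST_SIZE * 10 ** digits * len(SPECIALS))
    charset = 0
    if any(c.islower() for c in pw):
        charset += 26
    if any(c.isupper() for c in pw):
        charset += 26
    if any(c.isdigit() for c in pw):
        charset += 10
    if any(c in SPECIALS for c in pw):
        charset += len(SPECIALS)
    return len(pw) * math.log2(charset)


def generate(length: int = 20) -> str:
    """Manager-style generation: uniform random picks from a 70-symbol alphabet
    using the OS CSPRNG, retried until the result also satisfies the policy."""
    alphabet = string.ascii_letters + string.digits + SPECIALS
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_policy(pw):
            return pw
```

Both passwords from the quote pass the policy; the pattern-based estimate puts Somewords1234! at roughly 33 bits of guessing work against about 104 bits for the random one.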

This is sound advice from someone who has to put up with actual users in a highly secure environment. Of course our other engineer still holds a valid
point regarding mass adoption from consumers, that enterprise organizations should draw a line in the sand and enforce whatever policy makes the most sense
for their needs.

“A regular interval for a password change is important because if your account is ever compromised in a breach and we don’t hear about it until after the fact,
which is the case for most breaches, it is of no consequence because that password expired oodles ago since we have a password expiration policy. Stop
trying to use your brain on generating passwords. Use the password manager and its built-in generator,” said Baylis.

They aren’t wrong. We have reached the point where it is too dangerous for us as individuals to use our brains for this. They’ve got great things in this article, and I’ve only quoted two sections. I’m saddened that we really need to do this, as trying to find patterns we can remember should be a lot easier. It is time for us to stop this practice, and it should be changed, and it’s something I’ll continue to fix in my password practice.

One thing I tried to do was a passphrase. If my passphrase said: “Rusty is a good dog” I tried to make it secure by changing characters and even went so far as to put in a number like 1987. Of course, this might end up working if it is something you can remember, but I put this phrase as a note for one of my accounts, and last I knew I couldn’t get in to the thing as I had two of these types of phrases. I’m wondering if it is time to give this up and just use a manager such as LastPass, Trend Micro, KeePass, 1Password, or another not known to me or not mentioned? It’s something we must think about, and we need to think about it really soon. Thoughts are welcome.

