For decades, IT administrators and Windows users alike have lived by a simple, seemingly unassailable security commandment: change your password regularly. This practice, embedded in corporate policies and home user habits, was considered fundamental to protecting digital identities. However, Microsoft has now officially declared this long-standing practice not just ineffective, but actively harmful to security. In a landmark shift, the company has removed the recommendation for periodic password expiration from its Windows security baseline, aligning with modern security research and the realities of how users behave. This move represents a fundamental rethinking of identity security, moving away from outdated, user-hostile practices and toward a model centered on stronger, unique passwords and robust multi-factor authentication (MFA).
The End of an Era: Microsoft's Official Policy Shift
The change is formalized in the latest version of the Microsoft Security Baseline for Windows 10 and Windows 11. For the first time, the baseline configuration no longer includes a requirement or recommendation for periodic password expiration. Microsoft's own documentation now states that "periodic password expiration is an ancient and obsolete mitigation of very low value" and that it often leads to weaker, predictable passwords as users make minor, incremental changes. This policy reversal didn't happen in a vacuum. It follows years of guidance from leading standards bodies. The National Institute of Standards and Technology (NIST) in its Digital Identity Guidelines (SP 800-63B) explicitly advises against mandatory periodic password changes, noting they provide little benefit and can actually reduce security by encouraging poor password hygiene. Similarly, the UK's National Cyber Security Centre (NCSC) guidance aligns, stating organizations should not enforce regular password changes.
Why Forced Password Changes Are a Security Antipattern
The core problem with forced expiration is human behavior. When faced with a mandate to create a new password every 30, 60, or 90 days, users don't invent strong, unique passwords from scratch. Instead, they engage in predictable patterns that dramatically weaken security.
- Password Incrementing: The most common pattern is simple incrementing, like changing Spring2023! to Spring2024! or Password1 to Password2. Attackers who obtain an old password can easily guess the new one.
- Password Recycling: Users often reuse a small set of base passwords, making minor substitutions (e.g., P@ssword to P@ssw0rd). This creates a pattern that credential-stuffing attacks can exploit.
- Weak Password Creation: The annoyance of frequent changes leads to the creation of simpler, easier-to-remember (and easier-to-crack) passwords. Users prioritize memorization over complexity.
Security researcher and author Per Thorsheim has long criticized periodic changes, arguing they train users to create weak passwords. Microsoft's own telemetry and security incident data support this, showing that breached accounts often had recently changed passwords that were trivial variations of previous ones. The policy created a false sense of security while doing little to stop determined attackers who use phishing, keyloggers, or credential-stuffing attacks with breached password databases.
The Pillars of Modern Password Security
By discarding the flawed model of expiration, Microsoft and modern security frameworks advocate for a more effective, user-centric approach built on three key pillars.
1. Enforce Strong, Unique Passwords from the Start
The focus shifts to the initial creation of a robust password. Policies should mandate a minimum length of at least 12-14 characters, as length is the primary factor in resisting brute-force attacks. Complexity rules (requiring upper/lower case, numbers, symbols) are still valuable but secondary to length. Crucially, systems must check new passwords against databases of known breached passwords (like Microsoft's own banned password list integrated with Azure AD) and common dictionary words to prevent the use of weak, compromised credentials.
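As an added example (not Microsoft's code and not part of the original article), here is a small Python password-change validator that rejects the incremental and character-substitution variants described in the previous section, enforces the 14-character minimum recommended above, and screens against a banned list. The banned list and the sample passwords are constructed for illustration; a real deployment would screen against a breach corpus or the tenant's banned-password list.

```python
import difflib
import re
from typing import List

MIN_LENGTH = 14  # the article recommends at least 12-14 characters
# Constructed, illustrative banned list; a real deployment screens against a
# breach corpus or the tenant's banned-password list instead.
BANNED = {"password", "welcome", "letmein", "qwerty", "admin"}
# Common character substitutions, undone before comparing passwords
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
                      "4": "a", "5": "s", "7": "t", "!": "i"})


def stem(pw: str) -> str:
    """Reduce a password to the memorable core a user tends to keep between
    changes: lowercase, drop leading/trailing digits and symbols, undo leet."""
    s = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", pw.lower())
    return s.translate(LEET)


def evaluate_change(old: str, new: str) -> List[str]:
    """Return the reasons a proposed password change should be rejected.
    An empty list means the new password is acceptable."""
    reasons = []
    if len(new) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if new.lower() == old.lower():
        reasons.append("same as the previous password")
    elif stem(new) and stem(new) == stem(old):
        # Spring2023! -> Spring2024!, Password1 -> Password2, P@ssword -> P@ssw0rd
        reasons.append("trivial variation of the previous password")
    elif difflib.SequenceMatcher(None, old.lower(), new.lower()).ratio() >= 0.8:
        reasons.append("too similar to the previous password")
    if stem(new) in BANNED or new.lower() in BANNED:
        reasons.append("matches a banned or breached password")
    return reasons


if __name__ == "__main__":
    # Constructed sample changes, including the patterns quoted in the article
    for old, new in [("Spring2023!", "Spring2024!"), ("Password1", "Password2"),
                     ("P@ssword", "P@ssw0rd"),
                     ("Spring2023!", "correct-horse-battery-staple")]:
        print(f"{old} -> {new}: {evaluate_change(old, new) or 'accepted'}")
```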
2. Universal Adoption of Multi-Factor Authentication (MFA)
This is the non-negotiable cornerstone of modern identity security. A password alone, no matter how strong, is a single factor. MFA adds a second (or third) factor—something you have (like a phone with an authenticator app or a hardware security key) or something you are (like a fingerprint or facial recognition). Microsoft's data is unequivocal: MFA blocks over 99.9% of account compromise attacks. The new security model assumes passwords will eventually be phished or leaked; MFA is the critical safety net that renders a stolen password useless on its own. Windows Hello for Business, which uses biometrics or a PIN tied to the device's Trusted Platform Module (TPM), is a prime example of robust, phishing-resistant MFA built into the Windows ecosystem.
3. Continuous Monitoring and Threat Detection
Instead of relying on a scheduled password reset, security should be dynamic. This involves:
- Risk-Based Conditional Access: Using signals like login location, device health, and user behavior to trigger step-up authentication (like requiring MFA) or block access outright when risk is high.
- Credential Monitoring: Proactively scanning the dark web and breach repositories for corporate email addresses and passwords, then forcing a reset only when a credential is known to be compromised—a targeted, risk-driven response instead of a blanket, periodic one.
- Impossible Travel and Anomaly Detection: Leveraging cloud intelligence in services like Microsoft Defender for Identity to flag logins that are geographically impossible or deviate from a user's normal pattern.
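The impossible-travel check described in the last bullet, as an added Python example that is not part of the original article and is not Microsoft Defender for Identity's own logic: consecutive sign-ins by the same user are compared by great-circle distance and elapsed time, and any pair implying a speed above a plausible flight speed is flagged. The sign-in events, coordinates and the 900 km/h threshold are constructed for illustration.

```python
import math
from datetime import datetime

MAX_SPEED_KMH = 900.0  # assumed ceiling for legitimate travel (commercial flight)

# Constructed sign-in events, not real telemetry: user, UTC time, city, lat, lon
SIGNINS = [
    {"user": "alice", "time": "2024-05-01T08:00:00", "city": "Seattle", "lat": 47.61, "lon": -122.33},
    {"user": "alice", "time": "2024-05-01T09:30:00", "city": "Kyiv", "lat": 50.45, "lon": 30.52},
    {"user": "bob", "time": "2024-05-01T08:00:00", "city": "London", "lat": 51.51, "lon": -0.13},
    {"user": "bob", "time": "2024-05-01T15:00:00", "city": "Paris", "lat": 48.86, "lon": 2.35},
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two points on Earth."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def find_impossible_travel(events, max_speed_kmh=MAX_SPEED_KMH):
    """Return (user, from_city, to_city, speed_kmh) for each pair of consecutive
    sign-ins by the same user that would require travelling faster than
    max_speed_kmh. Events are grouped per user and sorted by time first."""
    by_user = {}
    for e in sorted(events, key=lambda e: (e["user"], e["time"])):
        by_user.setdefault(e["user"], []).append(e)
    alerts = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            delta = datetime.fromisoformat(cur["time"]) - datetime.fromisoformat(prev["time"])
            hours = delta.total_seconds() / 3600
            dist = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if hours > 0:
                speed = dist / hours
            else:  # simultaneous sign-ins from two places are impossible too
                speed = float("inf") if dist > 0 else 0.0
            if speed > max_speed_kmh:
                alerts.append((user, prev["city"], cur["city"], round(speed)))
    return alerts


if __name__ == "__main__":
    for alert in find_impossible_travel(SIGNINS):
        print("impossible travel: %s %s -> %s at ~%d km/h" % alert)
```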
Implementation and Management for IT Administrators
For system administrators, this shift requires updating Group Policy Objects (GPOs) and identity management platforms.
- Group Policy: The key setting is Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Maximum Password Age. Setting this to 0 means the password never expires. This should be combined with enforcing a strong Minimum Password Length (e.g., 14 characters).
- Azure AD / Microsoft Entra ID: Administrators can disable the "Set passwords to never expire" option in user properties or via bulk PowerShell commands. More importantly, they should enable and enforce Security Defaults or configure Conditional Access policies to require MFA, especially for administrative roles and access to sensitive data.
- Communication is Key: This policy change can be jarring for users conditioned to frequent changes. IT departments must clearly communicate why the change is happening—that it's a security upgrade, not a relaxation—and emphasize the continued importance of strong, unique passwords and the critical role of MFA.
The Bigger Picture: A Phishing-Resistant Future
Microsoft's move away from password expiration is part of a broader industry trajectory toward eliminating passwords altogether. The vision is a passwordless future where users authenticate via biometrics (Windows Hello), hardware security keys (FIDO2), or certificate-based authentication. These methods are inherently more secure as they are resistant to phishing and server breaches. Until that future is fully realized, the current best practice is a pragmatic hybrid: de-emphasize the password by not forcing frequent changes, but rigorously protect it with great length, uniqueness, and—most importantly—a strong second factor. By abandoning the counterproductive ritual of forced expiration, organizations can reduce help desk costs for password resets, improve the user experience, and, paradoxically, build a significantly more resilient security posture. It's a clear case where doing less—removing a burdensome, ineffective policy—achieves more in real-world security.