Microsoft tells IT admins to nix 'obsolete' password reset practice

Two years ago, the National Institute of Standards and Technology (NIST), an arm of the U.S. Department of Commerce, made similar arguments as it downgraded regular password replacement. "Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically)," NIST said in a  that accompanied the June 2017 version of  "Digital Identity Guidelines," using the term "memorized secrets" in place of "passwords."

Then, the institute had explained why mandated password changes were a bad idea this way: "Users tend to choose weaker memorized secrets when they know that they will have to change them in the near future. When those changes do occur, they often select a secret that is similar to their old memorized secret by applying a set of common transformations such as increasing a number in the password."

Both the NIST and Microsoft urged organizations to require password resets when there is evidence that the passwords had been stolen or otherwise compromised. And if they haven't been touched? "If a password is never stolen, there's no need to expire it," Microsoft's Margosis said.

"I agree 100% with Microsoft's logic for enterprises, which are who uses [group policies] anyway," said John Pescatore, the director of emerging security trends at the SANS Institute. "Forcing every employee to change passwords at some arbitrary period almost invariably causes more vulnerabilities to appear in the password reset process (because there are now frequent spikes of users forgetting their passwords) which increases risk more than the forced password reset ever decreases it."

Like Microsoft and NIST, Pescatore thought periodic password resets are the hobgoblins of little minds. "Having [this] as part of the baseline makes it easier for security teams to claim compliance, because auditors are happy," Pescatore said. "Focusing on password reset compliance was a huge part of all the money wasted on Sarbanes-Oxley audits 15 years ago. Great example of how compliance does not equal security."
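The NIST passage above describes the "common transformations" users apply when forced to rotate a password. The following is an added example (not code from Microsoft, NIST, or the article) of a reset-time check that rejects a new password which is only a predictable variant of the old one; the function names and the small leet-substitution table are assumptions for illustration.

```python
import re

# Constructed leet table: undo the most common symbol/digit-for-letter swaps.
LEET = str.maketrans("4301$@!", "aeolsai")


def canonical(pw: str) -> str:
    """Lower-case, drop leading/trailing digits and symbols, then undo leet swaps."""
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower())
    return core.translate(LEET)


def increments_number(old: str, new: str) -> bool:
    """True when `new` is `old` with exactly one embedded number nudged by at most 3."""
    skeleton = lambda s: re.sub(r"\d+", "#", s)
    if skeleton(old) != skeleton(new):
        return False
    pairs = zip(re.findall(r"\d+", old), re.findall(r"\d+", new))
    changed = [(int(a), int(b)) for a, b in pairs if a != b]
    return len(changed) == 1 and 0 < abs(changed[0][0] - changed[0][1]) <= 3


def is_trivial_transformation(old: str, new: str) -> bool:
    """Reject a candidate password that is a predictable edit of the previous one."""
    lo, ln = old.lower(), new.lower()
    if lo == ln:                      # case change only
        return True
    if increments_number(old, new):   # Winter2023! -> Winter2024!
        return True
    c_old, c_new = canonical(old), canonical(new)
    if c_old and c_old == c_new:      # same core word under leet/suffix changes
        return True
    shorter, longer = sorted((lo, ln), key=len)
    # old password merely padded at the front or back (only for non-trivial cores)
    if len(shorter) >= 6 and (longer.startswith(shorter) or longer.endswith(shorter)):
        return True
    return False


if __name__ == "__main__":
    # Constructed sample pairs, not real credentials.
    for old, new in [("Winter2023!", "Winter2024!"), ("P@ssw0rd1", "Passw0rd2"),
                     ("Tr0ub4dor&3", "Correct-Horse-Battery")]:
        print(f"{old!r} -> {new!r}: trivial={is_trivial_transformation(old, new)}")
```

A check like this targets the failure mode NIST describes; it is a complement to, not a substitute for, resetting only on evidence of compromise and screening against known-breached passwords.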
