Industry experts have been predicting the death of the humble password for decades. To date, those predictions have amounted to nothing.
Passwords are still with us, and still serve as the cornerstone of security, even as other measures have arisen alongside them to help better secure your all-important data.
Even though passwords aren't gone, the security landscape is changing. Recently, Microsoft has announced another step down that path of change. They're doing away with the notion of forced password changes.
The logic is hard to argue with. The policy of forced password changes really doesn't offer all that much in the way of protection. It often creates as many headaches and problems as it solves, because users tend to make small, virtually meaningless and easy to predict changes to their passwords. Or, they often forget their new ones anyway.
While Microsoft is no longer forcing password changes at periodic intervals, they are leaving the option available for Enterprise users to establish their own forced password change thresholds if they choose to do so. In tandem with the coming change, they're also recommending that security professionals perform a periodic review of passwords to ensure that the passwords in use aren't on the list of the UK National Cyber Security Centre's list of the 100,000 worst passwords.
One important thing to note is the fact that the company isn't making any changes to its requirements for minimum password length, complexity, or history. That is essential in terms of keeping users from simply recycling the same two or three passwords, switching endlessly back and forth between them.
It's also worth mentioning that these changes could benefit companies that are currently under audit. That is if the auditing agency is using Microsoft's security baseline as a guideline. That makes this seem like a small , but it is more significant than it may first appear.