Password updates might make you more prone to identity theft

They are the words that fill office workers with dread: Your password has expired.

That annoying message often triggers a frantic update — usually just a slight variation on the original — resulting in a user trying to commit a jumble of words, numbers and symbols to memory.

But new password policy recommendations from Microsoft say that not only is the practice tedious, it makes us more vulnerable. And forget using numbers, special characters or warnings that “this password is too short.” All are out the Windows.

“Password expiration requirements do more harm than good because these requirements make users select predictable passwords, composed of sequential words and numbers that are closely related to each other,” Microsoft proclaimed in a recent memo.

It was sent to company tech administrators of Microsoft 365, which includes programs such as Outlook, Word, PowerPoint and Skype.

The widely used password expiration standard was adopted in 2004 when numerous government agencies issued best-practice guidelines that included the bothersome periodic gatekeeping.

But in 2017, the National Institute of Standards and Technology reversed that recommendation. Microsoft, which required a change every 60 days, dropped that rule in 2019, calling it “an ancient and obsolete mitigation of very low value.” However, at the time, they didn’t change their password requirements for minimum length or complexity.

But Microsoft is questioning those rules, too, noting that humans have predictable patterns that are easily manipulated by the bad guys.

“Understanding human nature is critical because research shows that almost every rule you impose on your users will result in a weakening of password quality. Length requirements, special character requirements, and password change requirements all result in normalization of passwords, which makes it easier for attackers to guess or crack passwords,” the memo added.

Microsoft, however, isn’t throwing out all the rules. They still advise against using obvious passwords such as “12345” or “abcde” and stress that passwords should be difficult to guess. And they still recommend an eight-character minimum length. Anything longer, though, could result in weak repeat passwords such as “passwordpassword.”

And the gold standard, they say, is still multifactor authentication.

“Make sure your users update contact and security information, like an alternate email address, phone number, or a device registered for push notifications, so they can respond to security challenges and be notified of security events.”