
Should You Follow Microsoft’s Guidance to Stop Expiring Passwords?

Last updated January 19, 2022

You may have heard that Microsoft changed their guidance on password expiration policies. On May 23, 2019, they released a blog post explaining their decisions.

As cybersecurity experts already know, the average person picks a password that is easy to type and therefore easy for a computer to guess, and forcing a change every few months does not change that. Once the hash has been stolen, a GPU cracking rig working against a fast hash such as NTLM can exhaust the entire keyspace of an eight-character alphanumeric password in hours. Changing one or two characters of that eight-character password does not make it meaningfully harder, and the rotation only takes effect at the next expiry, long after an offline cracking run has finished.


So the question is: should you follow Microsoft’s guidance and remove your password expiration policy? Well, it’s complicated.

Password expiration policies are just one brick in your cybersecurity wall. You shouldn’t take a brick out of your security wall unless you have defenses that can compensate. You should consider the greatest risk factors for your organization and develop a cybersecurity strategy to mitigate those exact risk factors.

Why Eliminate Password Expiration Policies?

Microsoft has an entire section in their blog post that answers this question, but the crux of their argument is that password expiration is a low-value security measure: it only helps if a password has already been stolen and the thief has not yet used it, and it does nothing against weak or reused passwords. For that reason the draft security baseline for Windows 10 version 1903 and Windows Server version 1903 no longer carries a maximum password age setting.

Microsoft isn’t telling you to turn off all your password expiration policies today. They are telling you that you need more than just a password expiration policy in your strategy.

Should I Remove My Password Expiration Policy?

Most organizations should keep their current password expiration policy in place for now.

Consider this simple question: What happens when a user’s password is stolen?

Password expiration policies help limit persistence by cutting off an attacker's lifeline into the network. The shorter the expiration window, the shorter their window to compromise systems and exfiltrate data (assuming the attacker hasn't established another entry point). Microsoft believes that these same policies, designed to rotate out compromised credentials, actually encourage bad practices such as reused passwords, weak password iteration (Spring2019, Summer2019, Winter2019), passwords on post-it notes, and many others.

In short, they believe that the risk introduced by bad password practices is greater than the risk mitigated by password expiration policies. We here at Varonis sort of agree, but there has been a severe misrepresentation of what it takes for a company to be ready for a no-expiration policy.

This high-usability security change is easy to pounce on, but you could end up increasing your risk profile if you lack other industry best practices such as:

  • Passphrases: Enforcing long (16 characters or more) and complex passwords makes brute force impractical. The old standard eight-character minimum falls in a matter of hours to modern hardware when the hash is a fast one such as NTLM.
  • Least privilege model: In a world where a stolen credential never expires, knowing that users have access to the least amount of data possible is crucial.
  • Behavioral monitoring: You should be able to detect when an account has been compromised based on deviations from its normal login and data-access activity. Static rules alone won't cut it.
  • Multi-factor authentication: Even if an attacker has the username and password, a second factor is a major hurdle for the average attacker, because the stolen password alone is no longer enough to log in.
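The weak-iteration problem described above (Spring2019 becoming Summer2019) and the 16-character floor in the list can both be enforced mechanically at change time. The following is an added example, not code from the original post or from a Varonis product: a validator that assumes it sees the current and proposed passwords in plaintext, as an Active Directory password filter or a self-service change handler would, and rejects rotations that only swap the season, year or digits, or that sit within a few edits of the old password. The token list, the edit-distance threshold and the sample passwords are illustrative choices, not values from the post.

```python
"""Reject password changes that merely iterate on the previous password.

Added example, not code from the original post. It assumes the check runs at
change time, where both the current password and the proposed one are available
in plaintext (as an AD password filter or a self-service change handler sees
them); it cannot run on a reset where only a hash of the old password exists.
"""
import re

MIN_LENGTH = 16        # passphrase floor recommended in the post
MAX_EDIT_DISTANCE = 3  # proposed password must differ by more than this many edits

# Tokens people rotate through when a policy forces a change (illustrative list).
# Matched as substrings on purpose: "Spring2019" has no word boundary before the digits.
PREDICTABLE_TOKENS = ("spring", "summer", "autumn", "fall", "winter",
                      "password", "welcome", "qwerty")
TOKEN_RE = re.compile("|".join(PREDICTABLE_TOKENS))
YEAR_RE = re.compile(r"(19|20)\d{2}")
FILLER_RE = re.compile(r"[\d\W_]+")  # digits, punctuation, whitespace


def core(password: str) -> str:
    """Strip seasons, common bases, years, digits and punctuation; what remains
    is the part of the password the user actually had to remember."""
    s = password.lower()
    s = TOKEN_RE.sub("", s)
    s = YEAR_RE.sub("", s)
    return FILLER_RE.sub("", s)


def levenshtein(a: str, b: str) -> int:
    """Minimum number of single-character edits turning a into b (two-row DP)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def validate_change(old: str, new: str) -> list[str]:
    """Return the reasons a proposed password is rejected; an empty list means accepted."""
    reasons = []
    if len(new) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if new.lower() == old.lower():
        reasons.append("identical to the previous password")
    elif levenshtein(new.lower(), old.lower()) <= MAX_EDIT_DISTANCE:
        reasons.append(f"within {MAX_EDIT_DISTANCE} edits of the previous password")
    new_core = core(new)
    if not new_core:
        reasons.append("nothing left once seasons, years and digits are removed")
    elif new_core == core(old):
        reasons.append("same core as the previous password; only the season, year or digits changed")
    return reasons


if __name__ == "__main__":
    # Constructed sample changes: a seasonal rotation, a trailing-digit bump, a real change.
    for old, new in [("Spring2019!", "Summer2019!"),
                     ("correct horse battery staple", "correct horse battery staple2"),
                     ("Spring2019!", "copper kettle whistles at dawn")]:
        verdict = validate_change(old, new)
        print(f"{old!r} -> {new!r}: {'accepted' if not verdict else '; '.join(verdict)}")
```

Note that the two similarity checks catch different things: Spring2019! and Summer2019! are five edits apart, so the edit-distance test alone would pass them, while the stripped core catches the seasonal swap; conversely, appending a digit to a long passphrase leaves the core unchanged and is also within the edit-distance threshold.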

Are Passwords Finally Dying?

That is the question, isn’t it?

A few technologies are looking to replace passwords as the default authentication method. FIDO2 keeps the private key on an authenticator (a hardware security key or the device itself) and proves possession by signing a challenge from the server, so nothing reusable is typed or sent. Biometrics, despite the "unique but not private" concern that a fingerprint or face cannot be changed once copied, is also an option.

The new paradigm seems to be authentication methods that can’t be accidentally shared or easily stolen.

So far, those technologies haven’t broken through the enterprise into the mainstream.

Until then, consider keeping your password expiration policy in place and your users inconvenienced just a little bit, for the greater good.

How Varonis Helps with Credential Theft

Varonis provides additional protections to help reinforce your password policies. Varonis monitors file activity, Active Directory events, perimeter telemetry, and more to build a user-specific baseline. Varonis then compares that baseline to current activity and matches current behavior to a Varonis threat model that could indicate a compromised user account.

The Varonis Active Directory Dashboard highlights accounts at elevated risk of compromise: service accounts with administrator access, accounts whose passwords never expire, and accounts flagged so that no password is required at all, which exempts them from the password policy entirely.
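The flags mentioned above are bits of the userAccountControl attribute, and password age comes from pwdLastSet, which Active Directory stores as a Windows FILETIME. As an added example (not Varonis code), the following script runs that same triage over a list of records shaped like a `Get-ADUser -Properties userAccountControl,pwdLastSet,memberOf` export. The four accounts are constructed sample data, and the administrative group names and the 365-day age threshold are assumptions chosen for the example.

```python
"""Triage an Active Directory user export for accounts whose credentials never age out.

Added example, not Varonis code. Each record mirrors the attributes a
Get-ADUser export carries; the records in SAMPLE_ACCOUNTS are constructed.
"""
from datetime import datetime, timedelta, timezone
from typing import Optional

# userAccountControl bit flags (ADS_USER_FLAG_ENUM)
UF_ACCOUNTDISABLE = 0x0002
UF_PASSWD_NOTREQD = 0x0020
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_EXPIRE_PASSWD = 0x10000

ADMIN_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators", "Schema Admins"}  # assumed
MAX_AGE_DAYS = 365  # assumed: flag passwords older than this even where expiry is switched off
WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime: int) -> Optional[datetime]:
    """pwdLastSet is a FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
    Zero means the password must be changed at next logon."""
    if filetime == 0:
        return None
    return WINDOWS_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(when: datetime) -> int:
    """Inverse of filetime_to_datetime; used here to build the sample records."""
    delta = when - WINDOWS_EPOCH
    return (delta.days * 86_400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def group_cn(distinguished_name: str) -> str:
    """'CN=Domain Admins,CN=Users,DC=corp,DC=example' -> 'Domain Admins'."""
    first_rdn = distinguished_name.split(",", 1)[0]
    return first_rdn.split("=", 1)[1]


def assess(account: dict, now: datetime) -> list[str]:
    """Findings for one account; an empty list means nothing to report."""
    uac = account["userAccountControl"]
    if uac & UF_ACCOUNTDISABLE:
        return []  # a disabled account cannot be used to log on
    findings = []
    if uac & UF_PASSWD_NOTREQD:
        findings.append("PASSWD_NOTREQD set: the domain password policy is not enforced for this account")
    if uac & UF_DONT_EXPIRE_PASSWD:
        findings.append("DONT_EXPIRE_PASSWD set: a stolen credential never ages out")
    last_set = filetime_to_datetime(account["pwdLastSet"])
    if last_set is not None:
        age_days = (now - last_set).days
        if age_days > MAX_AGE_DAYS:
            findings.append(f"password last set {age_days} days ago")
    if findings and any(group_cn(g) in ADMIN_GROUPS for g in account.get("memberOf", [])):
        findings.append("member of an administrative group: treat the above as high severity")
    return findings


def triage(accounts: list[dict], now: datetime) -> dict[str, list[str]]:
    """Map sAMAccountName -> findings for every account that has any."""
    report = {}
    for acct in accounts:
        findings = assess(acct, now)
        if findings:
            report[acct["sAMAccountName"]] = findings
    return report


def _ft(year: int, month: int, day: int) -> int:
    return datetime_to_filetime(datetime(year, month, day, tzinfo=timezone.utc))


NOW = datetime(2022, 1, 19, tzinfo=timezone.utc)  # fixed "now" so the output is reproducible
SAMPLE_ACCOUNTS = [  # constructed records, not a real export
    {"sAMAccountName": "svc_backup", "userAccountControl": UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD,
     "pwdLastSet": _ft(2016, 3, 4), "memberOf": ["CN=Domain Admins,CN=Users,DC=corp,DC=example"]},
    {"sAMAccountName": "jdoe", "userAccountControl": UF_NORMAL_ACCOUNT,
     "pwdLastSet": _ft(2021, 11, 2), "memberOf": ["CN=Finance,OU=Groups,DC=corp,DC=example"]},
    {"sAMAccountName": "legacy_app", "userAccountControl": UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD,
     "pwdLastSet": 0, "memberOf": []},
    {"sAMAccountName": "old_intern",
     "userAccountControl": UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE | UF_DONT_EXPIRE_PASSWD,
     "pwdLastSet": _ft(2018, 6, 1), "memberOf": []},
]

if __name__ == "__main__":
    for name, findings in triage(SAMPLE_ACCOUNTS, NOW).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

The same bits can be queried directly with an LDAP matching-rule filter such as `(userAccountControl:1.2.840.113556.1.4.803:=65536)` for non-expiring passwords, so the triage can be run on a live directory instead of an export.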

Varonis threat models detect all sorts of login anomalies, like odd login times, weird geographic locations, logins from a new device, potential brute force attacks, and ticket harvesting.
