Microsoft password expiration recommendation

(Last updated on August 9, 2021)

Microsoft Active Directory provides built-in password policies to control various aspects of password management in the environment. One of the password configurations traditionally controlled at the password policy level is password expiration. Many organizations use password expiration policies to secure Active Directory accounts as part of their overall password security. However, recent guidance has changed on password expiration. As part of the Security baseline for Windows 10 v1903 and Windows Server v1903, Microsoft has dropped password expiration policies.  

The traditional password policies are no longer effective against the often-sophisticated attacks carried out by attackers. Organizations may choose to continue using password expiration as long as they use other recommended practices, including banned password lists, and multi-factor authentication.  

Banned password lists 

Banned password lists protect against passwords that may meet complexity requirements but are easy to guess. If your organization decides to continue using password expiration policies, it is essential to do so alongside banned password lists.  

Great candidates for banned passwords include passwords that incorporate the business name, or patterns matching the business name. Many publicly available banned password lists can be downloaded and used internally. These contain common password substitutions, and other common passwords.  

Breached password lists 

Breached password lists keep track of passwords that have been part of data breaches from previous cyberattacks. Since users tend to reuse passwords, attackers can use breached password lists in new password spraying and credential stuffing attacks.  

Your organization must use breached password protection to prevent attackers from using previously breached passwords against your organization.  

Specops Password Policy 

Securing passwords is becoming increasingly crucial as attackers are using more sophisticated ways of compromising user accounts. Traditional password protections such as password expiration are no longer effective against account compromise. Better security for account passwords involves using banned password lists and breached password lists. 

Specops Password Policy provides a powerful solution to help organizations address the modern security needs for their passwords. Using Specops Password Policy, organizations can perform real-time password checks to ensure chosen passwords have not been compromised. Also, if a password becomes compromised, end-user passwords can be flagged for immediate reset. 

Breached Password Protection as part of Specops Password Policy 

If organizations decide to continue using password expiration policies, these must be bolstered with banned password lists, and breached password protection. Specops Password Policy offers a robust solution for banned passwords and breached password protection to prevent these risks in the environment.  

Tags:

brandon lee writer

Written by

Brandon Lee

Brandon Lee has been in the industry 20+ years, is a prolific blogger focusing on networking, virtualization, storage, security & cloud, and contributes to the community through various blog posts and technical documentation primarily at Virtualizationhowto.com.

Back to Blog