Microsoft password expiration recommendation

Microsoft Active Directory provides built-in password policies to control various aspects of password management in the environment. One of the settings traditionally controlled at the password policy level is password expiration (the "Maximum password age" setting under Account Policies). Many organizations use password expiration policies to secure Active Directory accounts as part of their overall password security. However, Microsoft's guidance on password expiration has changed. With the Security baseline for Windows 10 v1903 and Windows Server v1903, Microsoft dropped the password-expiration setting from its baseline: the setting still exists in Windows, but the baseline no longer recommends enforcing a maximum password age.

Traditional password policies on their own are no longer effective against the often-sophisticated attacks carried out by attackers. Microsoft's reasoning is that periodic expiration only limits how long an already-compromised password stays usable, and an attacker who steals a password typically uses it long before it expires, while forced changes push users toward small, predictable variations of their old password. It can also take up to 300 days to discover that your network has been breached, so a 90-day rotation window offers little protection. Organizations may choose to continue using password expiration as long as they also use the other recommended practices, including banned password lists and multi-factor authentication.

Banned password lists 

Banned password lists protect against passwords that meet complexity requirements but are still easy to guess. If your organization decides to continue using password expiration policies, it is essential to do so alongside banned password lists.

Good candidates for banning include the business name and variations of it (abbreviations, product names, and versions with common character substitutions such as "@" for "a" or "0" for "o"), since these are among the first guesses in a targeted password spray. Many publicly available banned password lists can be downloaded and used internally; they contain common passwords along with their common substitutions.

Breached password lists 

Breached password lists keep track of passwords that have been part of data breaches from previous cyberattacks. Since users tend to reuse passwords, attackers can use breached password lists in new password spraying and credential stuffing attacks.  

Your organization should use breached password protection to prevent attackers from using previously breached passwords against your accounts: a password that appears in a breach corpus is effectively already known, regardless of how complex it looks.
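The two checks described above (banned words including the business name and its substitutions, and a breached-password lookup) can be combined into one policy check. The following is an added example written for this page, not code from Specops or from Microsoft; the company name, the banned words and the small "breached" corpus are constructed for the demo. The breached lookup is keyed by the first five characters of the SHA-1 hash, the same shape as a k-anonymity range query such as the Have I Been Pwned Pwned Passwords API, so that only the hash prefix would ever leave the host; here the corpus is local so the block runs offline.

```python
"""Banned-word and breached-hash checks for a candidate password (added example)."""
import hashlib
from typing import Dict, List, Set

COMPANY_NAME = "Contoso"  # assumed business name for the demo

# Common substitutions users apply to get past complexity rules.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})

# Constructed banned list: typical weak base words plus the business name.
BANNED_WORDS: Set[str] = {"password", "welcome", "letmein", "qwerty",
                          "summer", "winter", "spring", "autumn",
                          COMPANY_NAME.lower()}


def normalize(password: str) -> str:
    """Lower-case and undo substitutions so 'P@ssw0rd' compares as 'password'."""
    return password.lower().translate(LEET)


def banned_word_hits(password: str) -> List[str]:
    """Return banned words found as substrings of the normalized password."""
    norm = normalize(password)
    return sorted(word for word in BANNED_WORDS if word in norm)


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the digest used by Pwned Passwords style lookups."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a breached-password corpus, stored as SHA-1 hashes
# grouped by 5-character prefix. In production this would be a downloaded
# hash file or a range API, not plaintext samples.
_BREACHED_SAMPLES = ["123456", "iloveyou", "Tr0ub4dor&3", "dragon"]
BREACHED_BY_PREFIX: Dict[str, Set[str]] = {}
for _pw in _BREACHED_SAMPLES:
    _h = sha1_hex(_pw)
    BREACHED_BY_PREFIX.setdefault(_h[:5], set()).add(_h[5:])


def range_lookup(prefix: str) -> Set[str]:
    """Return every breached hash suffix sharing the 5-character prefix.

    The prefix is the only thing a real deployment would send to the breach
    service; the comparison of the remaining 35 characters happens locally.
    """
    return BREACHED_BY_PREFIX.get(prefix.upper(), set())


def is_breached(password: str) -> bool:
    digest = sha1_hex(password)
    return digest[5:] in range_lookup(digest[:5])


def evaluate(password: str, min_length: int = 8) -> List[str]:
    """Return the reasons a password should be rejected; empty means acceptable."""
    reasons: List[str] = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    hits = banned_word_hits(password)
    if hits:
        reasons.append("contains banned word(s): " + ", ".join(hits))
    if is_breached(password):
        reasons.append("found in breached-password corpus")
    return reasons


if __name__ == "__main__":
    for candidate in ["P@ssw0rd2024!", "C0nt0s0#Rocks", "Tr0ub4dor&3",
                      "velvet-harbor-quilt-92"]:
        print(f"{candidate!r}: {evaluate(candidate) or 'OK'}")
```

Substring matching after substitution is deliberately aggressive: "C0nt0s0#Rocks" is rejected even though it satisfies the usual complexity rules, which is the point of a banned list. The cost is occasional false positives (for example a digit 3 inside an otherwise fine passphrase becomes an "e"), which is acceptable because the user simply picks another password.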

Specops Password Policy 

Securing passwords is becoming increasingly crucial as attackers use more sophisticated ways of compromising user accounts. Current guidance such as NIST SP 800-63B advises against forced periodic password changes as long as there is no evidence of compromise, but for many organizations that condition is unrealistic, since most do not have a reliable way of knowing when a password has been compromised. Better security for account passwords therefore involves using banned password lists and breached password lists, which give you that evidence.

Specops Password Policy provides a powerful solution to help organizations address the modern security needs for their passwords. Using Specops Password Policy, organizations can perform real-time password checks to ensure chosen passwords have not been compromised. Also, if a password becomes compromised, end-user passwords can be flagged for immediate reset. 

Breached Password Protection as part of Specops Password Policy 

If organizations decide to continue using password expiration policies, these must be bolstered with banned password lists and breached password protection. Specops Password Policy offers a robust solution for banned passwords and breached password protection to reduce these risks in the environment.

(Last updated on January 31, 2022)



Written by

Brandon Lee

Brandon Lee has been in the industry 20+ years, is a prolific blogger focusing on networking, virtualization, storage, security & cloud, and contributes to the community through various blog posts and technical documentation primarily at
