Microsoft changes password expiry recommendations

Microsoft has changed its password expiry recommendations and has made a bit of a splash about it.

What have they changed?

Rather than recommending 60-day password expiry, they say to change the password only when you need to. Essentially, when you think it may have been breached.

This isn’t a new standard. The NCSC (National Cyber Security Centre) has been pushing for this for a couple of years.

The thinking is that passwords aren’t a great way to secure your data and accounts. This is because:

  • By the time you make a password complex enough to be secure, it’s too complicated to remember.
  • If we enforce regular password changes, most people end up defeating the policy by changing just one thing, whether adding 1 to the mandated number or cycling through punctuation or colours. If someone knows your password was RED56tea%, changing it to RED57tea% isn’t really a change.

What can be done to reduce the risk of password theft?

  • Multi-factor authentication
  • Banning poor or known leaked passwords
  • Password throttling (block more than 10 attempts in 5 minutes)
  • Detection and blocking of logins from suspicious locations
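
To show what the throttling rule above looks like in practice, here is an added example (not Microsoft's or NCSC's code) of a sliding-window throttle using the 10 attempts in 5 minutes figure. The `LoginThrottle` class, the `replay` helper, the choice to count only failed attempts and the sample events are all assumptions made for illustration.

```python
from collections import defaultdict, deque

MAX_ATTEMPTS = 10         # the article's figure: block more than 10 attempts ...
WINDOW_SECONDS = 5 * 60   # ... in 5 minutes


class LoginThrottle:
    """Sliding-window throttle on failed logins (hypothetical helper).

    `key` is whatever you throttle on. Account name alone lets anyone lock
    a user out; (account, source IP) narrows that at the cost of coverage.
    """

    def __init__(self, max_attempts=MAX_ATTEMPTS, window=WINDOW_SECONDS):
        self.max_attempts = max_attempts
        self.window = window
        self._failures = defaultdict(deque)  # key -> failure timestamps

    def attempt(self, key, password_ok, now):
        """Return 'blocked', 'ok' or 'failed' for one attempt at time `now`."""
        recent = self._failures[key]
        # Drop failures that have aged out of the window.
        while recent and now - recent[0] >= self.window:
            recent.popleft()
        if len(recent) >= self.max_attempts:
            # Refuse without checking the password, so a correct guess made
            # while throttled tells the guesser nothing.
            return "blocked"
        if password_ok:
            self._failures.pop(key, None)  # a real login clears the counter
            return "ok"
        recent.append(now)
        return "failed"


def replay(events, throttle=None):
    """Run (key, password_ok, seconds) events through a throttle."""
    throttle = throttle or LoginThrottle()
    return [throttle.attempt(k, ok, t) for k, ok, t in events]


if __name__ == "__main__":
    # Constructed sample: one guess every 10 seconds against "alice",
    # then the real user logging in once the window has moved on.
    guesses = [("alice", False, i * 10) for i in range(12)]
    print(replay(guesses + [("alice", True, 300)]))
```

Blocked attempts are not recorded here, so a persistent guesser is held to ten tries per five minutes rather than being locked out for good.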

Other password best practices include:

  • Randomly generated passwords held in a password manager, so that even you don’t know them
  • Use multi-factor authentication wherever possible – something you know (password) and something you have (your mobile)
  • Don’t reuse passwords and don’t just change one number when a password expires
  • Don’t share passwords with other people

If you suspect a weakness in your password policy and would like some advice, please get in touch.
