Microsoft has published new guidelines for passwords along with their latest release of Windows 10 v1903 and Windows Server v1903.
The (Bad) State of Passwords
One of the first things Microsoft mentions is the terrible state of passwords made up by humans. Here's the Microsoft blog writer's take on it:
When humans pick their own passwords, too often they are easy to guess
or predict. When humans are assigned or forced to create passwords that
are hard to remember, too often they’ll write them down where others can
see them. When humans are forced to change their passwords, too often
they’ll make a small and predictable alteration to their existing
passwords, and/or forget their new passwords.
Removing Password Expirations
Microsoft is also admitting that the idea of forcing passwords to expire is ancient and makes no sense.
Again, the blog writer admits that there is no logic in expiring passwords in 60 or 90 days, since the password may have been stolen at the beginning of the cycle and the cracker may have been using the password and associated account for a long time:
If it’s a given that a password is likely to be stolen, how many days is
an acceptable length of time to continue to allow the thief to use that
stolen password? The Windows default is 42 days. Doesn’t that seem like
a ridiculously long time? Well, it is, and yet our current
baseline says 60 days – and used to say 90 days – because forcing
frequent expiration introduces its own problems.
Password expiration is a problem even for network administrators.
Stop Making Up and Memorizing Passwords
If you are still making up and memorizing passwords, I suggest you stop and make your life easier by using C'YaPass. It is 100% Open Source code, so you can examine everything it does. It generates a strong password for each site you want to log in to.
If you don't want to download anything, you can try it here at this site just to see how it works.
All the code runs in JavaScript on your client and nothing is passed over the network. Password keys are stored in the LocalStorage of your browser and only that browser instance will have those.
Try it at: http://cyapass.com/js/cya.htm
Try it out today and make your life easier. Once you decide you want to use it, you can download the free Windows app and the free Android app.