Microsoft decides expired passwords are no longer useful for Windows 10

Microsoft now apparently thinks that password expiration, i.e. a system where the user is forced to change their login password every six months or so, is not a useful security measure. In a new draft of its security baseline, Microsoft has changed its ground rules for the next version of Windows 10 (the imminent May 2019 Update, as well as Windows Server) to remove the password-expiration policy recommendations that require periodic password changes.

Microsoft says that when users are forced to create hard-to-remember passwords, they often write them down to make them easier to remember, with obvious security risks. And when people are forced to change passwords, "too often, they'll make a small, predictable change to their existing passwords and/or forget their new passwords."

Microsoft's post on TechNet explains: "Recent scientific research calls into question the value of many long-standing password security practices, such as password expiration policies, and points instead to better alternatives, such as enforcing banned-password lists (Azure AD password protection is a great example) and multi-factor authentication."

The post goes on to ask: if it is a given that a password can be stolen from a user, for how many days is it acceptable to allow the thief to continue using, and potentially abusing, that stolen credential? The Windows default is currently 42 days. As the post notes: "Doesn't that seem like a ridiculously long time? Well, it is, and yet our current baseline says 60 days, and used to say 90 days, because forcing frequent expiration introduces its own problems. And if it's not a given that passwords will be stolen, you acquire those problems for no benefit. Further, if your users are willing to answer surveys in the parking lot that exchange a candy bar for their passwords, no password expiration policy will help you." This is, of course, a good point.

Microsoft concludes that expiring passwords after a defined time period is an "ancient and obsolete mitigation of very low value", and the company no longer believes it is worthwhile for the Windows security baseline to enforce a specific value. In other words, companies are free to do what is best for them; Microsoft makes no recommendation on this going forward. It is only a draft document at the moment, meaning these are just proposed changes, but Microsoft certainly seems to have marshalled a strong argument behind the move.

This (potential) security change obviously doesn't affect Windows 10 users at home. However, many of us use password-protected systems or services of some sort at work, and these often have enforced password reset policies. The change could therefore lead to a rethink of those policies, given the powerful Microsoft arguments mentioned above.