Microsoft has admitted that one of the great scourges of our time, the mandatory password expiration rule, is bunk.
“When humans are assigned or forced to create passwords that are hard to remember, too often they’ll write them down where others can see them,” Microsoft’s Aaron Margosis wrote in a blog post Wednesday. Worse, Margosis wrote, when people are forced to change their passwords, too often they make a “small and predictable alteration to their existing password,” or they’ll just forget it. (Duh.)
The blog post introduces a broader set of draft “baseline” security settings Microsoft is considering recommending to companies that manage their Windows PCs and servers with its tools. Think of them as defaults of a sort.
Unfortunately, Microsoft isn’t simply removing the password expiration setting, which would be the humane thing to do. The draft baseline merely stops requiring a maximum password age; the setting itself stays, and in the end it’ll still be up to your company’s tech team whether to listen to reason or continue living in the security Stone Age.
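As an added example (not code from Microsoft’s blog post or from this article), the PowerShell below reads the one setting this whole debate is about, the “Maximum password age” account policy, and reports whether passwords on the local machine or in the domain still expire. It assumes an English-language Windows install, because it parses the text that `net accounts` prints, and it only shows the command that lifts the requirement rather than running it.

```powershell
# Added example, not code from Microsoft's post or the CNET article.
# Reads the "Maximum password age" account policy for the local machine
# or (with -Domain) for the domain, and reports whether passwords expire.
# Reading works in a normal session; changing the policy needs an elevated one.
# Parsing assumes English-language Windows output from net.exe.

function Get-PasswordExpirationPolicy {
    [CmdletBinding()]
    param(
        # Query the domain-wide default policy instead of the local one.
        [switch]$Domain
    )

    $netArgs = @('accounts')
    if ($Domain) { $netArgs += '/domain' }

    # 'net accounts' prints one "Name: value" line per policy setting.
    $output = & net.exe @netArgs 2>&1
    $line = $output | Where-Object { $_ -match '^Maximum password age' }
    if (-not $line) {
        throw "Could not read the password policy. net.exe said: $($output -join ' ')"
    }

    # The value is either a day count or the word "Unlimited".
    $value = ($line -split ':', 2)[1].Trim()
    $maxAgeDays = if ($value -eq 'Unlimited') { $null } else { [int]$value }

    [pscustomobject]@{
        Scope           = if ($Domain) { 'Domain' } else { 'Local' }
        MaxPasswordAge  = if ($null -eq $maxAgeDays) { 'Unlimited' } else { "$maxAgeDays days" }
        PasswordsExpire = ($null -ne $maxAgeDays)
        # The command that lifts the requirement, shown but not executed. Only
        # run it once banned-password lists and multifactor authentication, the
        # compensating controls Microsoft points to, are actually in place.
        LiftCommand     = if ($null -ne $maxAgeDays) {
                              'net accounts /maxpwage:unlimited' + $(if ($Domain) { ' /domain' } else { '' })
                          } else { $null }
    }
}

# Usage:
#   Get-PasswordExpirationPolicy            # local machine policy
#   Get-PasswordExpirationPolicy -Domain    # domain default policy
Get-PasswordExpirationPolicy | Format-List
```

One caveat: `net accounts /domain` shows the domain-wide default only. If the domain uses fine-grained password policies (password settings objects applied to particular groups), those can set a different maximum age for the users they cover and will not appear in this output, so check them separately before concluding that expiration is off for everyone.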
It’s worth noting that Microsoft isn’t changing its recommendations around the way we create passwords. In fact, the company recommends that companies increasingly ban commonly used bad passwords and require employees to use multifactor authentication. (We at CNET are also fans of password managers.)
But make no mistake, Microsoft, whose Windows software powers nearly 80% of the world’s computers, has finally seen the light. “Periodic password expiration is an ancient and obsolete mitigation of very low value,” Margosis wrote.