
Microsoft Secure Score Series – 15 – Do not expire passwords

In this series, I’ll be covering the Microsoft Secure Score improvement actions. Although Microsoft does a great job of telling you what to do, some actions have a much bigger impact and need to be balanced against business needs. Some actions might not even have value for your organization. In the end, Microsoft Secure Score is meant to strengthen your security; it is not a contest to reach the highest score possible. In this series, I’ll pick out random actions and try to make them as simple as possible, backed with notes from the field.

Articles in this series can be read separately since they are written in random order. The articles vary in impact and complexity and cover multiple categories. Here is a list of all the articles in this series:

01 – What is Microsoft Secure Score?

02 – Require MFA for administrative roles

03 – Enable Password Hash Sync if hybrid

04 – Ensure all users can complete multi-factor authentication for secure access

05 – Enable self-service password reset

06 – Enable policy to block legacy authentication

07 – Turn on sign-in risk policy

08 – Use Cloud App Security to detect anomalous behavior

09 – Do not allow users to grant consent to unmanaged applications

10 – Discover trends in shadow IT application usage

11 – Turn on user risk policy

12 – Turn on customer lockbox feature

13 – Set automated notifications for new and trending cloud applications in your organization

14 – Designate more than one global admin

15 – Do not expire passwords


Do not expire passwords

Research has found that when periodic password resets are enforced, passwords become less secure. Users tend to pick a weaker password and vary it slightly for each reset. If a user creates a strong password (long, complex and without any pragmatic words present) it should remain just as strong in 60 days as it is today. Microsoft's official security position is to not expire passwords periodically without a specific reason, and it recommends that cloud-only tenants set the password policy to never expire.

Passwords are evil. They have haunted us for decades, and it’s hard to get rid of them. To put this recommendation in perspective, we have to understand what the problem with passwords is, and why it’s better not to change them frequently.

The problem with passwords

An average person has 90+ accounts connected to their email address. All these services require strong passwords, so users have to come up with 90+ different passwords and then remember them. Instead, most users pick one or two passwords and use them for all those services. Passwords from personal services are used for work, and vice versa.

Protect, don’t change

In earlier blogs, I wrote about Microsoft Identity Protection. This premium feature can protect our identity in Azure Active Directory. Leaked passwords can be detected (this requires password hash sync), and anomalies can be detected and automatically remediated. When passwords are leaked by phishing, a breach, or a password attack, the user’s risk is raised and a password change can be enforced. This is a valid reason to change a password.

Forcing users to change their password on a regular basis is not more secure. In most cases, the password is just slightly changed, so the next password can be predicted from the previous one. For example, ‘SecureP@ssword1’ becomes ‘SecureP@ssword2’. Password expiration requirements also offer no containment benefits, because cyber criminals almost always use credentials as soon as they compromise them. On top of that, users are more likely to forget their brand new passwords, resulting in another password reset.

The same applies to long and complex passwords. If you require longer passwords, users will end up with passwords like ‘Passw0rdPassw0rd’, and if you require complex passwords, users will follow certain patterns: for example, a capital letter in the first position, a symbol in the last, and a number in the last two. Hackers know this stuff more than anyone in the world, so they use this knowledge for password attacks.

Multi-Factor & Legacy Authentication

This seems like an open door, but when you enable MFA for your users and the password is stolen somehow, the attacker is stopped when they try to use these credentials. Also, keep in mind to disable legacy authentication (POP, SMTP, IMAP, and MAPI), because attackers would rather take ‘the backdoor’ where no MFA can be enforced.

From the Microsoft docs:

The numbers on legacy authentication from an analysis of Azure Active Directory (Azure AD) traffic are stark:

  • More than 99 percent of password spray attacks use legacy authentication protocols
  • More than 97 percent of credential stuffing attacks use legacy authentication
  • Azure AD accounts in organizations that have disabled legacy authentication experience 67 percent fewer compromises than those where legacy authentication is enabled

Edit the password policy

In the Microsoft 365 admin center, go to Settings > Security & privacy. Then edit the password policy so that passwords never expire. You must be a global admin to edit the password policy.

Wrap things up

To make sure that your users pick secure passwords, you can configure Azure AD Password Protection, which you can also extend to on-premises. Password protection detects and blocks known weak passwords and their variants.
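A simplified illustration of variant detection, covering both the ‘SecureP@ssword1’ to ‘SecureP@ssword2’ rotation pattern and the blocking of weak-password variants described above. This is an added example, not code from the original post or from Azure AD Password Protection; the substitution table, the distance thresholds, the sample banned terms and all function names are assumptions.

```python
import re

# Assumed look-alike substitutions; real products maintain their own tables.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s",
                      "$": "s", "@": "a", "!": "i"})

def normalize(password):
    """Lowercase and undo common character substitutions."""
    return password.lower().translate(LEET)

def edit_distance(a, b):
    """Levenshtein distance, computed with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]

def _stem(password):
    """Strip the trailing counter/symbol run: 'summer2023!' -> 'summer'."""
    return re.sub(r"[\d\W_]+$", "", password.lower())

def is_predictable_rotation(old, new, max_distance=2):
    """True when the new password is only a small variation of the old one.

    Intended for the change-password step, where the user supplies both
    values, so the old password never has to be stored in clear text.
    """
    if _stem(old) and _stem(old) == _stem(new):
        return True
    return edit_distance(normalize(old), normalize(new)) <= max_distance

def matches_banned(password, banned, max_distance=1):
    """True when the password contains or nearly equals a banned term."""
    n = normalize(password)
    for term in banned:
        t = normalize(term)
        if t in n or edit_distance(n, t) <= max_distance:
            return True
    return False
```

Substring matching against short banned terms produces false positives, so a real banned list should hold terms long enough to be meaningful.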

As I stated in the intro, passwords are evil. We have to get rid of them as soon as possible. Please have a look at FIDO2 solutions, to embrace passwordless authentication. You can start today!

More information about password recommendations:

https://docs.microsoft.com/en-us/microsoft-365/admin/misc/password-policy-recommendations?view=o365-worldwide
https://www.ftc.gov/news-events/blogs/techftc/2016/03/time-rethink-mandatory-password-changes

Stay safe!
