Microsoft ends password rules

Microsoft is making some big changes to the password rules for business clients.

For years, organizations using Windows, needed to have users change their passwords every 60 days or receive a red checkmark from the company for not following best security practices.  Back when I worked in the corporate world, this was the bane of my existence. There were at least six types of accounts I had to change the password for every few weeks. And since you can’t use the same password twice, it got even mroe complicated. Companies can now pick their own expiration dates on passwords or not put expiration dates on passwords at all.

Experts now believe that requiring users to frequently change passwords just leads to confusion and encourages people to pick ultra-simple passwords so they won’t have to remember a new complicated password every 60 days.

The National Institue of Standards and Technology changed their password rules a couple of years ago.

It turns out that everything you thought you knew about creating a secure password is wrong. You know the rules: mix letters and numbers, use special characters like pound signs or exclamation points, use both capital and lowercase characters, make it 10 to 12 characters long, and make sure it isn’t an actual word or phrase.  Something like U2kx9H3&*7q! would be ideal. Plus, change that password every 30 to 90 days.  Well guess what?  The guy that came up with those rules says they’re all wrong.  These strong password rules have been adopted by companies, the government, and websites. Turns out they aren’t that effective.  Yes, it’s safer than 123456 or “password” as a password. But how much safer?


Bill Burr came up with these rules almost 17 years ago while working for the National Institute of Standards and Technology.  It turns out that since these passwords are harder to remember, people tend to go for the simple ones. Plus, when they change them, they often only change one or two characters. Also knowing that a site requires one capital letter and one special character can tip hackers off when guessing a password.

Most hackers aren’t trying to guess your password manually. They’re using a program that generates combinations of letters and numbers, trying everyone that’s available. So you end up with passwords that people have problems remembering, but computers can guess pretty easily.

So what are the new rules?

  1. No more changing passwords every month or two.
  2. Get rid of requirements for upper/lower case letters, numbers, and special characters
  3. Create a password up to 64 characters in length. An uncommon phrase familiar only to you is a good choice. Example: “auntsallylovesgreentomatopicklesbutonlyinseasonwithhomemadebread”
  4. Check all passwords against lists of frequently used passwords or passwords that have been compromised.  Click here to visit PWNED Passwords. This site will let you know if your password has been used in any data breaches.


Though many tech companies have been pushing for more biometrics, the new NIST rules warn against relying too heavily on facial recognition, fingerprints, and retina scans, saying these should only be one part of security.  Among the suggestions for businesses and others trying to make accounts secure:

  1.  No more security questions or password hints.
  2. A delay of at least 30 seconds after a failed password attempt and allowing no more than 5 consecutive attempts to input a password before shutting down the account.
  3. Require multi-factor authentication.
  4. Do away with requirements for special characters, capital letters, and numbers.
  5. Allow passwords up to 64 characters in length.
  6. Don’t require users to change passwords unless there’s an issue.

What do you think about the new rules? Does it seem like a simpler way to do things? Let us know in the comments.

4 thoughts on “Microsoft ends password rules

  1. I’m all for doing away with security questions and password hints. For starters, there’s so much easily accessible information out there about everyone that I don’t think it’s all that difficult to find the answers to the security questions. Recall, that’s how Sarah Palin’s email account was hacked. Some people put a lot of information in their social media profiles (I don’t have any).
    And then, some companies have lists of questions that have no answers in my life (e.g., name of my dog, where I was married, name of oldest child). So, I always either lie or am forced to make up answers. Then, of course, I can’t remember what answers I selected, and I can’t find the paper I doodled them on, so I have to call customer service anyhow. I find 2-factor authentication to be awkward because I don’t have a phone that gets text messages. Some companies will make voice calls or send an email, but some are really horse’s butts about it. Many, especially financial institutions, seem to have veiled 2-factor authentication because some awkward method is required in the first instance, but then you can “claim” the device and a cookie is set. This works OK until housecleaning, when I delete all the cookies and have to start over. Some businesses that require security questions or invoke password hints shouldn’t bother because there’s nothing sensitive to find out. What really bugs me is businesses that store credit card information by default. I suppose hackers could find how purchases were paid for in any event, but for sure it’s gotta’ be simple if you leave it sitting there. I never store credit card information on merchant web sites, even if I am a regular customer. If it is stored by default, about which I always object, I go into my profile after I have checked out and delete the payment method.

  2. I agree, totally…but did I also read in one of your posts how we can setup our individual pcs where we don’t have to login on them each time we open it to use?
    Want to share this that I just found…when I searched in my gmail for all email from you Cynthia it all came up, but only the weekly ones, not each individual email…didn’t know if you are aware of this.
    Y’all B blessed.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.