This is not to say that Microsoft is dropping its password-expiration policies on all its software and services, but the new security baseline makes it clear that security has changed over the years, and expiring passwords is no longer a top priority.

In a new article on the Microsoft Security Guidance blog, the company explains that if a password never gets compromised, there is no need to expire it and force the user to change it. On the other hand, if a password gets compromised, there is no point in waiting until it expires, because you want to change that password immediately.

Furthermore, periodically expiring a password has its caveats. For instance, it makes it easier for users to forget their password, and pushes them to write the password down on the back of the keyboard or on a sticky note. Microsoft also says: “if your users are the kind who are willing to answer surveys in the parking lot that exchange a candy bar for their passwords, no password expiration policy will help you.”

Also, in the new security baseline draft, the company acknowledges that password security is an ongoing problem, but says that banning certain passwords, using multi-factor authentication, and efficiently detecting password-guessing attacks and anomalous login attempts are more effective measures to keep the network and data secure.

Starting with the May 2019 Update for Windows 10 and Windows Server, Microsoft is planning to remove password-expiration policies from its baseline, but the policies for complexity, history, length and other requirements for setting up a password will remain.