Microsoft apparently now believes that having passwords expire – in other words, a system whereby the user is forced to change their login password every, say, six months – is not a useful security measure.
In a new draft piece of security guidance, Microsoft has changed its baseline rules for the next version of Windows 10 (the imminent May 2019 Update – as well as Windows Server) to drop recommendations for “password-expiration policies that require periodic password changes”.
