Windows 10 supports two account types. One is the classic local account which is available in all previous versions of Windows, while the other is the modern Microsoft account that connects to the company's cloud services.
Prior to Windows 10 of the 1903 version, Microsoft used password expiration policies for better security dating to earlier versions of Windows NT.
This changes (at last) with the new version.
In short, Microsoft states:
If a password is violated, it should be changed immediately. If the password has not leaked, there is no need to change it. Temporary password change can cause users to forget their new password or write it somewhere (to remember it) from where it can be traced.
The official publication in the blog of the company says:
Why are we abolishing our password expiration policies?
First, to avoid inevitable misunderstandings, we are only talking about removing password termination policies, and we do not propose changes to the requirements for the minimum password length or complexity.
Periodic password expiration is a solution against the possibility of a password (or hash) being stolen during duration of its validity period and be used by an unauthorized entity. If the password is never stolen, it does not need to expire. And if you have evidence that a password has been stolen, you'd probably change it right away instead of waiting for it to expire to fix it. problem.
Periodic password expiration is an ancient and outdated mitigation of very low value, and we do not think it is useful to impose it. At the same time, we should reiterate that we recommend the additional protections.
Therefore, password expiration policies will be past the upcoming version of Windows 10 1903.
