Microsoft is right, mandatory password changes are obsolete


Microsoft has recently come out and said that mandatory password changing is ancient and obsolete. This goes directly against everything we were trained to think for the last couple of decades, and against most compliance directives including some of the most dominant security standards. And it is correct.

If anything, Microsoft hasn’t gone far enough: password changing is only the visible tip of the iceberg – there are many other major inconveniences imposed on our users that make for bad security policy and should be done away with.

One of the most destructive notions working against good and practical IT security is the supposed axiom that security is the opposite of simplicity. This shows up in the popular “Dilbert” comic strip, which depicts the typical office IT environment and has a recurring character called “Mordac the Preventer of Information Services”, who has come to embody the common belief that the IT security team is there to circumvent, and ideally block, every usable function.

