Microsoft has announced that it is dropping the use of passwords for staff, and has revised its guidance that passwords should be changed after a set period of time. Andy Cory, identity management services lead at KCOM, told SC Magazine:
"The truth is that technology has moved past the stage where we constantly need to reset passwords. That’s not to say that passwords are not important - the effective management of passwords is one of the most vital aspects of corporate defence. It doesn’t matter how strong your perimeter is, or how intelligent your breach detection - if users’ accounts can be cracked open from the front, if their passwords can be guessed or stolen, then your company is as good as defenceless. Once an account has been compromised in this way an attacker will often be able to gain access to a whole plethora of sensitive information without setting off any internal alarms, with incalculable potential impact for the organisation.
"The humble password is by no means dead. It’s simply time for businesses to come up with a more intelligent strategy than a password expiry policy. Frequent password changes encourage bad passwords, whereas a good password does not have to be changed that frequently. Organisations should consider ditching a historical reliance on password expiry in favour of a more prescriptive policy on password strength, ensuring that strong but usable password rules and, preferably, multi-factor authentication are in place. As part of that, it’s also important to have a high-capacity infrastructure in place that can reliably and securely handle the authentication data - only then can you match user experience with security needs."