As the blog post explains, if a password is never stolen, you do not need to change it. And if a password is suspected of being stolen, you would want to act immediately, not wait until the expiration date. Forced updates also mean that more users write their passwords down or forget them completely. Plus, as Microsoft says, “If your users are the kind who are willing to respond to car parking surveys that replace a candy bar for their passwords, no password exit policy will help you.”
The company acknowledges that the state of password security is problematic, but it says that multi-factor authentication and banned password lists are more effective security measures. Microsoft suggests that the password expiration policy should be removed from its security baseline for Windows 10 v1903 and Windows Server v1903, but it will affect a relatively small subset of users. The company does not plan to change requirements for minimum password length, history or complexity. And although the security baseline may not include multi-factor authentication or banned password lists, the blog post strongly recommends that users adopt this additional protection. So, you can keep updating your passwords if you want, but even Microsoft will tell you that it won’t keep you safe.