Nobody likes passwords, says Microsoft’s chief information security officer. Here’s how the software giant is getting rid of them for good.
Bret Arsenault, Microsoft’s chief information security officer (CISO), who’s been at Microsoft for 31 years, says he’s only ever been publicly cheered once at the company: that was when he killed off Microsoft’s internal policy of changing passwords every 71 days.
“That’s the first time I’ve been applauded as a security person and executive,” Arsenault tells ZDNet. “We said we’re turning off password rotation within Microsoft, because we had eliminated that part of it.”
As Microsoft’s CISO, Arsenault is responsible for protecting both Microsoft products and its internal networks used by its 160,000 employees. After adding vendors into the mix, he’s responsible for about 240,000 accounts globally. And getting rid of passwords and replacing them with better options like multi-factor authentication (MFA) is high on his to-do list.
Microsoft updated its password policy in stages. In January 2019, it moved to a one-year expiry, using telemetry to validate the effectiveness of the change. In January 2020, based on those results, it moved to unlimited expiry.
In 2019, Microsoft also stopped recommending that customers implement a 60-day password expiration policy, because people forced to rotate passwords tend to make small alterations to existing ones or forget the new, stronger ones.
Rather than make the conversation about putting MFA everywhere, Arsenault framed the change as being about eliminating passwords.