In its blog post detailing Windows 10 build, the company said that password expiration is a defense only against the probability that a password (or a hash) could be stolen during its validity interval. Microsoft said that if an organization implements security practices like banned password lists, multi-factor authentication, detection of password-guessing attacks, and detection of anomalous logon attempts, it doesn’t need expiration policies.

In a security guide published in March, the National Institute of Standards and Technology (NIST) also suggested removing frequent password changes. Instead, it recommended banning commonly used passwords and patterns.