Tired of the Your password has expired and must be changed prompts? Here is how to stop them.



If you have been using a new Windows device for a few weeks, you might one day be surprised by a sudden prompt informing you that your password has expired and that you need to change it:

Windows prompts to change expired password

This is due to the password expiration policy that Microsoft creates by default for new user accounts. Such a policy requires users to change their passwords regularly. At first glance this might seem like a good idea. However, recent research has shown that these policies are not as secure as previously thought and may actually increase the risk of a security breach. Even Microsoft itself thinks that password expiration requirements do more harm than good.

The first reason why mandatory password expiration policies are not secure is that they encourage users to choose weak passwords. When users know that they will have to change their passwords frequently, they are more likely to choose easy-to-remember passwords or to use the same password across multiple accounts. This is because users find it difficult to create and remember strong passwords and are often overwhelmed with the number of passwords they need to remember. As a result, they resort to predictable and weak passwords that are easily guessable.

Secondly, mandatory password expiration policies increase the risk of password reuse. When users are forced to change their passwords frequently, they tend to choose passwords that are similar to their previous passwords or to use a pattern for creating passwords. This makes it easier for attackers to guess the new password, especially if they have already obtained the user's old password. If a user's password is compromised in one account, it is likely that the same password is used in other accounts as well, which means that an attacker can gain access to multiple accounts by guessing the password.

Thirdly, mandatory password expiration policies increase the risk of phishing attacks. Attackers can use social engineering techniques to trick users into revealing their passwords, and the more frequently passwords are changed, the more opportunities attackers have to exploit this vulnerability. For example, attackers can send phishing emails that appear to be from legitimate sources, asking users to change their passwords. If users fall for this trick, they could be giving their passwords to attackers who can use them to gain access to their accounts.

Finally, mandatory password expiration policies do not address the root cause of security breaches, which is weak passwords. Instead of forcing users to change their passwords frequently, organizations should encourage users to create strong, unique passwords and provide them with tools to manage their passwords securely. For example, organizations can use password managers that generate strong passwords and store them securely.

If you agree that password expiration is not a good strategy to follow, you can stop Windows from using such a policy on your computer. If you use a Professional edition of Windows, the procedure is quite simple: right-click on the Start button, choose Computer Management from the menu, and navigate to System Tools - Local Users and Groups - Users:

Managing user accounts on Windows Pro

Double-click your user name, and change the password settings as follows:

User must change password at next logon: Off

Password never expires: On

Changing password policy options on Windows Pro

If your edition of Windows (such as Windows Home) does not offer such a tool, you can still change the password policy using Windows Terminal: right-click on the Start button, choose Terminal (Admin) or PowerShell (Admin), and enter the following command:

Set-LocalUser -Name "your-user-name" -PasswordNeverExpires 1

Replace your-user-name with your own login name. If you are not sure, open the Start menu, and you should see your login name in the bottom-left corner:

The user login name is shown on Start menu

In our example, the login name is actually User, so that's what we use in the command:

Changing the password policy using PowerShell

To verify that the command has been executed successfully, enter the following at the PowerShell prompt:

Get-LocalUser -Name "your-user-name" | select *

If the result does not contain a specific password expiration date, the change was successful and Windows should no longer prompt you to change the password:

The result of changing the password policy using PowerShell
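
The change and the check described above can also be combined into one script that reads the account first, applies the setting only if needed, and confirms the result. This is an added example, not part of the original article; your-user-name is the same placeholder as above, and the script assumes an elevated PowerShell prompt with the built-in Get-LocalUser and Set-LocalUser cmdlets.

```powershell
# Added example: set and verify "Password never expires" for one local account.
# Run from Terminal (Admin) / PowerShell (Admin).

$UserName = 'your-user-name'   # placeholder: replace with your own login name

# Read the account first so a mistyped name fails before anything is changed.
$before = Get-LocalUser -Name $UserName -ErrorAction Stop
$before | Select-Object Name, Enabled, PrincipalSource, PasswordLastSet, PasswordExpires

if ($null -eq $before.PasswordExpires) {
    # An empty PasswordExpires means no expiration date is set for this account.
    Write-Output "Password for '$UserName' has no expiration date; nothing to change."
}
else {
    # Same change as the command above, written with an explicit Boolean.
    Set-LocalUser -Name $UserName -PasswordNeverExpires $true -ErrorAction Stop

    # Re-read the account and check that the expiration date is gone.
    $after = Get-LocalUser -Name $UserName
    if ($null -eq $after.PasswordExpires) {
        Write-Output "OK: password for '$UserName' no longer expires."
    }
    else {
        Write-Warning "PasswordExpires is still $($after.PasswordExpires); the change did not take effect."
    }
}

# List any other enabled local accounts that still carry an expiration date,
# so the next expiration prompt does not come as a surprise.
Get-LocalUser |
    Where-Object { $_.Enabled -and $null -ne $_.PasswordExpires } |
    Select-Object Name, PasswordLastSet, PasswordExpires
```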

Happy password managing!
