The tech giant Microsoft wants to nix the "password expiration policy" that requires users to change their passwords every 42 days. This only applies to those who use Windows Group Policy which is typically in an office setting. If you have your own personal laptop or computer, then you would still have control over when, and if, you decide to change your password.
This TechRepublic article by Lance Whitney explains it all:
If you employ Windows Group Policy at your company, then you may enforce password expiration, which compels users to change their Windows passwords every 42 days or at some other interval. Now Microsoft is questioning the effectiveness of password expiration, to the point that it wants to remove that requirement for the next version of Windows 10.
In a Wednesday blog post, Microsoft detailed a draft of security configuration baseline settings for Windows 10 version 1903 and Windows Server version 1903, which are due for release in late May. Among the several draft settings proposed, the removal of the password expiration policy is the one that will likely affect organizations and IT administrators the most.
In its desire to drop the password expiration requirement, Microsoft argues that the policy is outdated and ineffective. The main purpose of periodically changing your Windows password is to prevent the wrong person from using it if that password had been stolen. But if the password is never stolen, there's no reason to change it. And if you have evidence that the password had been stolen, you would change it immediately rather than wait for some predefined expiration date. (continued)
Read more here: https://www.techrepublic.com/article/microsoft-wants-to-kill-windows-password-expiration-policy/
I have to agree with microsoft here. I'm a Linux user but I don't change my master password unless I suspect it has been compromised or every few years. Of course, I took over a week to come up with my password. Even if a person knows me very well, they will never guess my password even if sitting in my chair. Far to many use pet names, date of birth and other easily known info to create passwords. It's not that someone steals them really, it's that they are easy to guess. My password, according to several passwords checking sites, would take thousands of year to hack. As I said, I put some effort into creating a good one that is easy for me to remember.
I use LastPass to remember site passwords. I do change site passwords either once a year OR when there is a possible breach for that website. Thing is, LastPass generates very good passwords when set up properly but the user doesn't ever have to know what it is since LastPass remembers them and fills them in.
At one time, I could see changing passwords on a regular basis. Heck, ages ago passwords were stored as plain text but the file could only be accessed by admins. One should change them given that. Today tho, I'm not aware of any system that stores passwords as plain text.
I wonder how many people have changed their password then get confused as to what they used later and can't get into their system??
So it took all this time for a logic to sink in?