Should passwords expire? Most of the best practice guides I have seen say that they should, but there are downsides. The more often passwords expire, the more likely users are to forget them and contact support, or write them down, which is insecure. Further, it is all friction that means users get less work done.
There is plentiful evidence of the aggravation this causes, particularly when the new password has to be entered in several places. Smartphones are problematic because email accounts settings can be hard to find. For example:
guess who missed a super important email last night from my most important customer because unbeknownst to me, my smart phone was no longer receiving messages because the password had expired – even though I never selected a 90-day setting when i set up the account and had no idea such insanity was in place. It wasn;t until I logged into my computer just now and was greeted with none of my services working that I figured it out!
Even IT professionals can run into trouble:
My Office 365 account password expired today and, somewhere in the midst of the password reset I managed to lock myself out. As I only have one mailbox on the account (i.e. I am the administrator), that’s a bit of a problem.
Microsoft’s cloud services, BPOS and Office 365, both set automatic password expiry by default. This was a common complaint about BPOS. Originally you could contact support and get password expiry disabled; then Microsoft decided this was too much hassle for it (never mind the users) and made it impossible to change.
Fortunately Office 365 does allow you to disable password expiry. Here is how.
1. Install Office 365 sign-in assistant. Links are here.
2. Install PowerShell cmdlets for Office 365, downloads also in link above.
3. Run PowerShell, type:
4. Next, type:
Enter your credentials for an admin user. For example, email@example.com com and the password.
5. Finally, type:
Set-MsolUser -UserPrincipalName TheUserName -PasswordNeverExpires $true
where TheUserName is the account name concerned, for example firstname.lastname@example.org
6. Alternatively you can do this in one shot for all users:
Get-MSOLUser | Set-MsolUser -PasswordNeverExpires $true
Note that with all these commands, no news is good news. In other words, success gets you nothing other than return to the flashing cursor. Errors get you red error messages.