Microsoft Windows password expiration policy: Microsoft has recognized that the Windows password expiration policy is a meaningless security measure.
The Microsoft blog says that if the password was not stolen, it makes no sense to change it. And if there is a suspicion that the account was hacked, you need to act immediately and not wait for the expiration date. Forced updates also cause users to forget their passwords or write them down, which will only increase the likelihood of hacking.
The company claims that multi-factor authentication and banned password lists are more effective security measures. Microsoft is going to remove the password from its basic security level in Windows 10 v1903 and Windows Server v1903. Requirements for the minimum password length and its complexity will not change.