Security assessment: Do not expire passwords

This article describes the Do not expire passwords security assessment, which indicates where users have settings for passwords that don't expire.

Tip

We highly recommend moving your organization to a password-less strategy. For more information, see Password-less strategy - Windows Security | Microsoft Learn.

Why is the 'Password never expires' attribute a risk?

Having the Password never expires attribute configured poses risks like weakened password security, increased exposure to credential theft, compliance and audit failures, and potential delays in incident response and recovery.

How do I use this security assessment to improve my organizational security posture?

  1. Review the recommended action at https://security.microsoft.com/securescore?viewid=actions for Do not expire passwords.

    For example:

    Screenshot of the Do not expire passwords security assessment.

  2. Review the list of exposed entities that have the 'Password never expires' attribute.

    • Entities include accounts that were previously authenticated using a password and currently have their password set to 'never expire'.

    • This report targets accounts that regularly authenticate using passwords. Password-less accounts are not listed in this report.

  3. Take appropriate action on those entities by removing settings that are not secure.

To achieve the full score, remediate all exposed entities.
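As an added example, not part of this article, the following PowerShell sweep shows how an administrator can build the same kind of list for on-premises Active Directory and clear the attribute on the accounts that should not have it. It assumes the ActiveDirectory RSAT module on a domain-joined host with read access to user objects (and write access for the remediation step).

```powershell
# Added example (not from the Microsoft Learn article): list enabled AD accounts
# whose password is set to never expire, then clear the flag after review.
# Assumes the ActiveDirectory module and a domain-joined host.
Import-Module ActiveDirectory

# PasswordNeverExpires is the DONT_EXPIRE_PASSWORD bit (0x10000) of userAccountControl.
# Only enabled accounts are listed, matching the assessment's focus on accounts in use.
$exposed = Get-ADUser -Filter 'PasswordNeverExpires -eq $true -and Enabled -eq $true' `
    -Properties PasswordNeverExpires, PasswordLastSet, LastLogonDate |
    Select-Object SamAccountName, PasswordLastSet, LastLogonDate,
        @{ Name = 'PasswordAgeDays'; Expression = {
            if ($_.PasswordLastSet) { (New-TimeSpan -Start $_.PasswordLastSet -End (Get-Date)).Days } } }

# Oldest passwords first: these are the accounts where the missing expiry has
# done the most damage. LastLogonDate shows whether the account is still active,
# but it does not tell you whether the sign-in used a password; the assessment
# report already filters out password-less accounts for you.
$exposed | Sort-Object PasswordAgeDays -Descending | Format-Table -AutoSize

# Remediation: clear the flag so the domain's MaxPasswordAge applies again.
# Caveat: if the current password is already older than MaxPasswordAge, the
# password expires immediately and the user (or service) must change it at next
# logon, so coordinate rotation for service accounts before removing -WhatIf.
foreach ($u in $exposed) {
    Set-ADUser -Identity $u.SamAccountName -PasswordNeverExpires $false -WhatIf
}
```

Run with -WhatIf first and compare the output against the exposed entities list in the assessment before applying the change.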

Note

While assessments are updated in near real time, scores and statuses are updated every 24 hours. The list of impacted entities is updated within a few minutes after you implement the recommendations, but the status may still take time before it's marked as Completed.

The reports show the affected entities from the last 30 days. After that time, entities no longer affected will be removed from the exposed entities list.

Next steps