toot.cat is one of the many independent Mastodon servers you can use to participate in the fediverse.
On the internet, everyone knows you're a cat — and that's totally okay.


@kyle@librem.one If I'm synopsizing this correctly: Microsoft bad because Microsoft encoded password-rotation recommendations into default AD policy.

That's ... a stretch.

And I'm no fan of Microsoft.

1) Password rotation recommendations go back a long way, and were considered best practices for decades. I remember them from the 1990s, and well before AD was A Thing. AFAIU at some point they were recommended through entities such as NIST.

1/


@kyle@librem.one

2) Enshrining recommendations in code is what we want, usually, as it is the best way to achieve conformance. Enshrining bad or outdated recommendations in code ... is where problems start.

The AD situation seems the latter.

The larger problem seems to be that AD has achieved longevity, and there's no good way to propagate new policy recommendations to existing systems.

2/


@kyle@librem.one NB: I checked my old copy of PUIS (Garfinkel & Spafford), 2nd edition, published in 1996. That says a fair bit on passwords, and discusses forced changes (a systems administrator option), though not timed expiry. It does discuss a whole bunch of distressingly familiar issues on the use of passwords which were already well-known problems ... twenty-five years ago.

Evi Nemeth (RIP) in the UNIX System Administration Handbook, 2nd ed. (1995), has a discussion of password aging (automated timed-out passwords) on pages 95 & 544. She's not a fan, but the capability exists and is noted on Solaris, Irix, and BSDI. She does recommend rotating the root password regularly.

But again: Microsoft isn't the source of the problem here.

(As of 1995, Microsoft systems were all single-user and had ... precisely NO passwords....)

3/