The number of consumers using Windows Hello to sign in to Windows 10 devices instead of a password grew to 84.7 percent from 69.4 percent in 2019. Fro
[See the full post at: Are you using Windows Hello?]
Susan Bradley Patch Lady/Prudent patcher
I had it try to force me to use a PIN on a fresh install. I had one heck of a time circumventing it.
I found that too. It’s confusing and awkward, and a little maddening, to try to use a password when Windows wants you to use a PIN.
I think that explains why such a high percentage of people use Windows Hello — it’s simply because the PIN, not just fingerprint or face ID, is also part of Hello. FWIW.
Has the safe mode lock using the Hello PIN been fixed or acknowledged?
We had an instance by @MarcVRML whereby they could not access the system in safe mode back in September, who eventually re-installed after hours of attempting access.
Haven’t read anything to report a fix, unless it’s fixed in 20H2... anyone? Or is this a one-off glitch?
I’ve used a PIN on Windows 8/10 for at least 8 years, and Face for more than the last two years.
A PIN is more secure than a password for a Microsoft Account, as the PIN only applies to one device (i.e. two-factor) and is never transmitted anywhere: Why a PIN is better than a password
The disadvantage of a PIN until this year was that people got so used to entering only four digits that they forgot the password they had originally set up. Which didn’t matter until something went wrong and they had to use Safe Mode, where only a password would work and the PIN was useless. But that issue went away with version 2004 and later as a PIN now works in safe mode too.
84.7% using PIN, Face, Fingerprint or Key does seem quite high, but passwordless must be the future.
Windows 11 Pro version 22H2 build 22621.2361 + Microsoft 365 + Edge
I followed the link you provided, and they’re using a different definition of “password” and “pin” than I would:
A PIN can be a set of numbers, but enterprise policy might allow complex PINs that include special characters and letters, both upper-case and lower-case. Something like t758A! could be an account password or a complex Hello PIN. It isn’t the structure of a PIN (length, complexity) that makes it better than a password, it’s how it works. (Italic emphasis added)
By my definition, a pin is a four or six digit number without letters or symbols. Anything that contains non-numeric characters is a password.
PINs as such are used for convenience, and they hinge on the idea that they’re used on an “online” basis, so that if one enters the wrong PIN more than a few times, it locks the device and makes it impossible to use the PIN from that point forward, thwarting further brute force attempts (to which a short PIN would easily otherwise fall).
If it’s a device like a phone that only has a PIN, there would be no means to unlock it other than that same pin, so that’s a problem. At the very least, it can limit the rate at which guesses can be accepted, though that could be exploited.
I use strong passwords on each of my PCs, quite long and kind of annoying to enter, but they never get sent anywhere, and only apply to the devices in question also. They’re still passwords (or passphrases, as my LUKS prompt calls them).
Someone who steals your password can sign in to your account from anywhere, but if they steal your PIN, they’d have to steal your physical device too!
Well, yes, and that’s why I would not want to have an online account (like a MS or Google account) associated with/used as the login for a physical device. Online logins for online stuff, local logins for local stuff.
The “stolen device” threat is precisely the one I had in mind when I set up my passwords on my various PCs. The passwords are utterly useless to anyone who does not have my physical machine, as I do not repeat them for any other use, so there is no online account even remotely associated with the passwords. The passwords are for the local storage and the OS with which they are associated only… any online accounts have their own security stuff that isn’t related to the local account stuff. The password store for my password manager(s) is encrypted by the same means as the rest of the personal data, but there might be another layer on top of that too (just saying, ha!).
I certainly agree with the idea of getting rid of passwords if the definition of a password is something that gets sent through the internet when you’re just trying to log on to your local PC. That’s never been the definition of ‘password’ when I used passwords with Windows from XP through 8.1, but the name by which it is called is no matter. Call it a pin, a password, or a bargsnoogle, if you wish… as long as it’s kept within the domain to which it pertains, it works for me. If additional factors like TPMs or such are used to harden it, all the better, but it’s still the same thing.
Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon
XPG Xenia 15, i7-9750H/16GB & GTX1660ti, KDE Neon
Acer Swift Go 14, i5-1335U/16GB, KDE Neon (and Win 11 for maintenance)
I have over 2,000 active clients. About 86% of them do not want a password on their computer. They just want to log in without having to enter a password since their computer is in their home. It is hard for me to believe that 84.7 percent use that.
In re the PIN, somewhere along the way this feature presented itself to me. I did some quick research and it seemed sufficiently secure for my needs and situation, so I went ahead and went for it. No regrets.
In re Hello, I tested to see if I could activate it if I wanted to. I determined I could but, upon reflection, decided I am sufficiently content with the PIN scenario.
Thanks for the privilege of joining Ask Woody. I have been a lurker and check your website almost daily. I almost never join any forum, but I like what I see here.
I use a PIN rather than Windows Hello. If I were to choose a biometric, it would be a USB fingerprint scanner.
The reason for all this: more than half the time, my laptop sits closed on my desk while connected to an external monitor, keyboard and mouse. I would have to open the laptop, use Windows Hello to have the internal webcam recognize me, then close it again to have the monitor go back to its higher resolution (the monitor is configured to “echo(?)” or repeat what the built-in display shows, but the monitor provides about double the resolution of the laptop’s display).
I do have an external webcam on the top of the monitor, but have not configured and tried it out yet. It’s somewhat dated and may not have the resolution required to support Windows Hello, and I _suspect_ that if the resolutions for the internal and external cameras don’t match, Hello may not work properly with the external.
//Steve//
I had it try to force me to use a PIN on a fresh install. I had one heck of a time circumventing it.
Ditto. I wouldn’t touch this with a barge pole – especially coming from MS. Everything they put forward these days has a “teenage-esque” (- ok childish/gibberish) use of English. Use plain simple language and I may, just maybe, take notice. Their current approach does not work for me.
When I was forced to set up a PIN, I re-entered my password and later removed the PIN. I sometimes am on the go with my laptop and it contains information that could be used to compromise client networks, so I need security.
There is a password on the three disks and in the BIOS of the laptop. A fingerprint reader is really handy!
I don’t log in with a Microsoft account, as you could have guessed…
Martin
Yes, I use a PIN, and gladly. I run routinely as a Standard User, and when I need to acknowledge the UAC, it’s much simpler and quicker to just use a PIN instead of typing the password.
Very convenient. I also use a PIN on my smartphone.
I’m in that 15% that do not use Hello. We disabled PIN with GPO.
On some computers, we use fingerprint in our company. I also tried login with picture. Nice feature, but I abandoned the picture anyway. It’s still the same: instead of typing, you click the picture. Maybe it’s useful with touchscreen devices.
But I never understood how a PIN is different from a password. I think 4-6 numbers are easier to crack than a 10-digit password. What’s the point here? I turned that off immediately after I tried it for the first time; nothing for me.
I believe those numbers are correct, since we know that MSFT is pushing hard on its Home users. They just turn this option on and say: This is Windows Hello, your brand new way to log in to your computer 🙂
Dell Latitude 3420, Intel Core i7 @ 2.8 GHz, 16GB RAM, W10 22H2 Enterprise
HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29
PRUSA i3 MK3S+
But I never understood how PIN is different from password,
Neither did I, but I read up on it from the links in the article. The significant difference is that that PIN is unique to the computer where it is established and is never transmitted to the authenticating server. Authentication is handled via a trust relationship between the computer and the server, with a TPM chip and an actual password getting involved along the way. Thus one has to have the specific computer as well as the PIN itself to gain access. Apparently, biometrics is not required but is (presumably?) a nice add-on.
The PIN in and of itself is no more than a short password – and no more secure. The magic is that the PIN is tied to the specific machine, not to the account being accessed.
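The two posts above describe the mechanism in words: the PIN never leaves the machine, it only unlocks a key that the TPM holds for that one device, and the account provider checks a challenge-response made with that key. The following is an added example written for this thread, not code from the posts or from Microsoft, that models exactly that and runs the three cases people keep arguing about (PIN known but no device, device stolen but PIN unknown, password phished). Two simplifications are my own: the TPM is a Python object, and the device key is a symmetric HMAC key rather than the asymmetric key pair Windows Hello actually registers, so the server holds a copy of it here. All class and function names are hypothetical.

```python
"""Why a device-bound PIN is not just a short password: a runnable model.

Added example for this thread, not code from the posts or from Microsoft.
The PIN never leaves the device; it only unlocks a per-device key in a
simulated TPM, and the server verifies a challenge-response made with that
key. Simplification (assumption): the key is an HMAC key, not the asymmetric
pair Hello really registers, so the server holds a copy. Names are hypothetical.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

KDF_ROUNDS = 50_000


class SimulatedTPM:
    """Stand-in for the TPM: keeps the device key and only uses it after a PIN check."""

    MAX_ATTEMPTS = 3

    def __init__(self, pin: str) -> None:
        self._key = secrets.token_bytes(32)        # never leaves this object
        self._salt = secrets.token_bytes(16)
        self._pin_hash = self._hash_pin(pin)
        self.failed = 0                            # anti-hammering counter

    def _hash_pin(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, KDF_ROUNDS)

    def registration_secret(self) -> bytes:
        """Simplification: with HMAC the verifier needs the key too (Hello would export a public key)."""
        return self._key

    def respond(self, pin: str, challenge: bytes) -> Optional[bytes]:
        """Return HMAC(device_key, challenge) if the PIN is right; fail closed once locked."""
        if self.failed >= self.MAX_ATTEMPTS:
            return None
        if not hmac.compare_digest(self._hash_pin(pin), self._pin_hash):
            self.failed += 1
            return None
        self.failed = 0
        return hmac.new(self._key, challenge, "sha256").digest()


class Server:
    """The account provider: stores a password hash and the registered device keys."""

    def __init__(self) -> None:
        self._devices: Dict[str, bytes] = {}
        self._pw_salt = secrets.token_bytes(16)
        self._pw_hash = b""

    # Password path: the secret itself crosses the wire and can be replayed from anywhere.
    def set_password(self, password: str) -> None:
        self._pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self._pw_salt, KDF_ROUNDS)

    def login_password(self, password: str) -> bool:
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), self._pw_salt, KDF_ROUNDS)
        return hmac.compare_digest(candidate, self._pw_hash)

    # Device path: only a device id, a fresh nonce and a response cross the wire; never the PIN.
    def register_device(self, device_id: str, key: bytes) -> None:
        self._devices[device_id] = key

    def challenge(self) -> bytes:
        return secrets.token_bytes(32)

    def login_device(self, device_id: str, challenge: bytes, response: Optional[bytes]) -> bool:
        if response is None or device_id not in self._devices:
            return False
        expected = hmac.new(self._devices[device_id], challenge, "sha256").digest()
        return hmac.compare_digest(expected, response)


def scenario() -> Dict[str, bool]:
    """Run the cases argued about in the thread and return who gets in."""
    server = Server()
    server.set_password("correct horse battery staple")   # constructed sample credential
    tpm = SimulatedTPM(pin="1234")                         # constructed sample PIN
    server.register_device("laptop-1", tpm.registration_secret())

    nonce = server.challenge()
    owner = server.login_device("laptop-1", nonce, tpm.respond("1234", nonce))

    # Attacker 1 learned the PIN but has no laptop: nothing to compute a response with.
    pin_only = server.login_device("laptop-1", server.challenge(), None)

    # Attacker 2 stole the laptop but not the PIN: the TPM locks after MAX_ATTEMPTS misses.
    nonce = server.challenge()
    guesses = [tpm.respond(f"{i:04d}", nonce) for i in range(10)]
    stolen_device = any(server.login_device("laptop-1", nonce, r) for r in guesses)

    # Attacker 3 phished the password: it works from any machine, no device needed.
    phished = server.login_password("correct horse battery staple")

    return {
        "owner": owner,
        "pin_only": pin_only,
        "stolen_device_guessing": stolen_device,
        "phished_password": phished,
        "tpm_locked": tpm.failed >= SimulatedTPM.MAX_ATTEMPTS,
    }


if __name__ == "__main__":
    for case, result in scenario().items():
        print(f"{case:>24}: {result}")
```

The thing to notice is what each attacker is missing: the PIN-only attacker has no key to answer the challenge, the device thief runs into the hardware attempt counter long before the 10,000-PIN space is exhausted, and the phished password works from anywhere because the secret itself is what gets sent. The real Hello registers a public key, so a breach of the server does not even yield a usable key, which this HMAC model does not capture.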
So, using a local account and password (the “old” Windows way) is and has always been safer. The “PIN” is only good if you don’t want to type your complex and long Microsoft account password to login, and that’s why it is recommended by Microsoft?
Only recommended to fix a problem Microsoft created then?
This is the exact reason I use a local account and password and will continue to!
Martin
I think 4-6 numbers are easier to crack than a 10-digit password
That is true on a system that allows infinite retries, but if you only have 3 goes before being required to enter the full password….
cheers, Paul
I did not remember that there are only 3 attempts. But you have to remember the PIN plus the password, so it does not make sense to me either. Just my opinion.
And I’d like to add that it depends how the system is designed. In the past, on ATM machines, it was possible to crack the PIN, because attempts were deducted after each attempt. So the hacker tried the number, waited for the ATM response (PIN accepted/rejected), then stopped the code execution before the attempt was deducted.
New approach is:
Deduct the attempt immediately after the PIN is entered. Then the execution break does not mean you have infinite attempts.
Dell Latitude 3420, Intel Core i7 @ 2.8 GHz, 16GB RAM, W10 22H2 Enterprise
HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29
PRUSA i3 MK3S+
Of course it did, because you are a regular user. I was talking about hacking attitude and possibility. They used a card with wires attached to the card.
My post was about hackers. This was the way to do it.
Original Source code (imaginary computer language):
…
Attempts=3
Read(userPIN)
If PIN=userPIN Then Withdraw; //if not equal, break code execution here!
else Attempts=Attempts – 1;
…
The hacker tried PINs without losing a single attempt.
New ATM source code is like:
…
Attempts=3
Read(UserPIN)
Attempts=Attempts – 1
If PIN=userPIN Then Withdraw; //breaking the code here does not do any good for the hacker, the attempt is already deducted
…
Hope you get my point now. This really happened, I’m not joking.
Dell Latitude 3420, Intel Core i7 @ 2.8 GHz, 16GB RAM, W10 22H2 Enterprise
HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29
PRUSA i3 MK3S+
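The pseudocode in the post above is in an imaginary language, so here is the same ordering problem as a runnable model. This is an added example written for this thread, not the poster's code. The card's attempt counter stands for state persisted between sessions, and the attacker's "stop the code execution" is an exception raised at the moment the accept/reject result becomes observable. The same principle, spend the attempt before anything can leak, is what makes the "three goes before you need the full password" lockout mentioned earlier in the thread worth anything. The 3-attempt limit and all names are assumptions.

```python
"""Attempt counter ordering: check-then-deduct vs deduct-then-check.

Added example for this thread, not the poster's code. The card's counter
stands for state persisted between sessions; Interrupted is the attacker
cutting the session at the point where the result is already known.
The 3-attempt limit and all names are assumptions.
"""
from typing import Callable, Optional, Tuple

MAX_ATTEMPTS = 3


class Interrupted(Exception):
    """The attacker cut the session (pulled the card, killed power) right here."""


class Card:
    def __init__(self, pin: str) -> None:
        self.pin = pin
        self.attempts = MAX_ATTEMPTS      # persisted on the card between sessions


def verify_then_deduct(card: Card, guess: str, interrupt: bool = False) -> str:
    """Vulnerable order: the result is observable before the counter is persisted."""
    if card.attempts <= 0:
        return "locked"
    ok = guess == card.pin
    if interrupt:
        raise Interrupted(ok)             # attacker already knows ok/not ok; counter untouched
    if ok:
        card.attempts = MAX_ATTEMPTS
        return "accepted"
    card.attempts -= 1
    return "rejected"


def deduct_then_verify(card: Card, guess: str, interrupt: bool = False) -> str:
    """Fixed order: the attempt is spent before anything about the result can leak."""
    if card.attempts <= 0:
        return "locked"
    card.attempts -= 1                    # persisted first, unconditionally
    ok = guess == card.pin
    if interrupt:
        raise Interrupted(ok)             # attacker learns ok/not ok, but the attempt is gone
    if ok:
        card.attempts = MAX_ATTEMPTS      # reset only on success
        return "accepted"
    return "rejected"


Verifier = Callable[[Card, str, bool], str]


def brute_force(verify: Verifier, card: Card, max_guesses: int = 10_000) -> Tuple[Optional[str], int]:
    """Try 4-digit PINs in order, cutting each session as soon as the result is known."""
    for i in range(max_guesses):
        guess = f"{i:04d}"
        try:
            verify(card, guess, True)
        except Interrupted as leak:
            if leak.args[0]:
                return guess, i + 1       # correct PIN found
            continue
        return None, i + 1                # no result to observe: the card refused to compare
    return None, max_guesses


def run_demo() -> dict:
    """Run the same brute force against both orderings and report what happened."""
    secret = "4321"                       # constructed sample PIN
    weak, strong = Card(secret), Card(secret)
    found_weak, tries_weak = brute_force(verify_then_deduct, weak)
    found_strong, tries_strong = brute_force(deduct_then_verify, strong)
    return {
        "weak_found": found_weak, "weak_tries": tries_weak, "weak_attempts_left": weak.attempts,
        "strong_found": found_strong, "strong_tries": tries_strong, "strong_attempts_left": strong.attempts,
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k:>22}: {v}")
```

Against the vulnerable ordering the loop walks the whole PIN space and finishes with the counter still at 3; against the fixed ordering it gets three observable results and then nothing, because the card refuses to run the comparison at all. The write to the counter has to actually reach persistent storage before the compare for this to hold; a counter that only lives in RAM until the session ends is the vulnerable version again.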
I googled NIST password practices and it took me directly to the SolarWinds MSP webpage 🙂 so hilarious these days are 🙂 But I found useful information. For example:
For years, most MSPs have encouraged their customers to put password reset policies in place, requiring employees to change their passwords every few months or so. According to NIST, this should no longer be the case. The organization explains the reset periods have proven more detrimental than constructive. As users struggle to drum up countless creative, strong new passwords each month, they end up creating weaker passwords. Password strength should be about quality, not quantity—one excellent password is better than 10 new, mediocre ones.
Yes, that should become standard.
Dell Latitude 3420, Intel Core i7 @ 2.8 GHz, 16GB RAM, W10 22H2 Enterprise
HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29
PRUSA i3 MK3S+
I will consider using a PIN on Windows if one or more well known security guru reviews the white paper favourably.
Which white paper?
I’m tempted to reply “Exactly”!
Microsoft saying that a PIN is “safer” lacks context (safer than what?) and probably proof. Most Loungers here don’t take what Microsoft says at face value, me included. Microsoft has the burden of proving their say here.
Unfortunately, they make it very difficult to follow best practices at the first login after a fresh installation (hidden local account creation link, PIN, online everything, etc.) so unfortunately most non-IT people fall in the PIN trap. I usually end the OOBE frustrated 🙂
Martin
I’m the only one in my home
You are the only one who is supposed to be in your home.
Burglars are not particularly concerned about being invited in nor whether you give them permission to access your computer. Indeed, they may simply cart it off without even asking. Then they have full and unfettered access to any and everything on it.
The way to prevent the scenario you described — burglar presumably removing your hard drive, connecting it to another computer and accessing it that way — can be eliminated by the use of encryption, if you have Windows 10 Professional.
I was fortunate enough to have an activation key for Windows =7= Pro, and using that to “activate” an already-activated Windows 10 Home system brought it right up to Windows 10 Professional with no problem. Once that process was done, I could encrypt individual files, folders or the entire drive as needed.
Always remember to back up any credentials the system gives you when doing encryption, as there is no way to recover data from it without those credentials (or so I’m told)!
//Steve//
Check if you can set up an HDD/SSD password on your disk model(s). Many disks use full-time FDE nowadays, setting a disk password is all you need to protect your data.
Other disks don’t use FDE but setting a password still protects your data from “casual” theft.
Your machine’s TPM can handle (with the BIOS) the disk unlocking at boot. If you have a fingerprint sensor, it becomes even easier! That’s what I use.
Martin
It depends on the HDD/SSD, but the password is stored on the drive and is required to access it.
In my laptop, the spinning rust HDD isn’t FDE so it is just to prevent access, but my Intel and Samsung NVMe SSDs are of the full disk encryption type. Setting a password is optional but the encryption is always active. They use on-the-fly AES-256 IIRC.
The security chain is my fingerprint unlocks the TPM, then the BIOS, then the disks, then boots Windows 10 on the SSDs.
If you forget the disk passwords (user and admin), you need to enter the PSID printed on the label in an erase utility and this will either regenerate the internal FDE encryption key (instantaneous “wipe”) or trigger the HDD full sector erase (much longer but runs in the background until completion even if the power is interrupted). Those details are in the storage device’s full manual.
Note that consumer-level drives don’t always have FDE or access passwords, but business-level drives usually do. There are drives that can be partitioned with different access keys so user “A” can’t see the files of user “B”!
Martin
Setting a password is optional but the encryption is always active
I suspect the disks are not encrypted. No password usually = no encryption.
Even Bitlocker doesn’t use native disk encryption following the poor security practices of the disk manufacturers, it’s all done in software.
Do you have some manufacturer blurb on how the security is done on your machine?
cheers, Paul
I use a PIN on my Windows 10 laptop, ever since I got it in 2016. The hardware does not support Windows Hello, so I do not have it set up. However, Windows 10 will still bug me about setting up a feature that I can’t set up anyway, which annoys me. I can never remember the password I set up (it’s a Microsoft account password, and since it’s crackable on the Internet, I use a very long password that only a password manager could remember).
I don’t use Windows as my daily driver anymore. My MacBook is unlocked using a password and with Touch ID, so there’s that. Although I do use Touch ID with some frequency, I still often key in the password in order to avoid forgetting it (and with the dry winter months upon me, my dry, flaky fingers don’t mix well with the Touch ID sensor).
Both the PIN and the MacBook password are not safeguarding Internet accounts, but just my local device, so they’re easier for me to remember and aren’t ridiculously long like the passwords protecting my Internet-facing accounts. Of course if someone gains physical access to a computer it’s often game over anyways, so first course of action for me is to never allow that to happen. The PIN and password are there as a last resort to stop the less-intelligent hackers from getting in, or random people in my household deciding to try to use my computer without my permission.
Microsoft devices are initially set up by default to use Windows Hello, PIN method, and a Microsoft Cloud Account login. It takes some special magic during setup to prevent this.
I can easily believe over 85% of users, especially Home Users, will not try to fight MS on the defaults of anything in Windows setup. They just want to get online and start streaming or gaming or socializing as fast as they can.
We who use The Lounge often forget how utilitarian the average device setup is. And how little work the vast majority of end users want to do just to maintain and access their devices. “Always on” (Always Listening), permanently logged in, Single Sign On, etc. are right up the alley of most users.
So if PIN uses Windows Hello, I do believe the MS stats.
-- rc primak
Microsoft devices are initially set up by default to use Windows Hello, PIN method, and a Microsoft Cloud Account login. It takes some special magic during setup to prevent this.
Not connecting to the internet before or during OOBE (Out Of the Box Experience, i.e. first login) and choosing to create a local account isn’t really ‘special magic’… no matter how much Microsoft tries to obfuscate it. 🙂
Am I using Windows Hello? No…
Am I using a Windows PIN? No…
Am I using a Windows login password? No…
Am I using a Windows Account? No…
Ditto
Both you and Rick Corbett (and most of us here in the Lounge) are experienced and have knowledge and interest in controlling your own Windows devices. That is not a description of most (85% or more) of Windows users.
The original post is referring to all Windows users. As (I think) is Microsoft when they cite the 85% figure for Windows Hello use.
I too take the extra steps not to have a MS Cloud login and not to use a PIN or Windows Hello for logins on local accounts. Especially Administrator Accounts. One day I may have to start using my fingers, my face, my eyes and/or my DNA to log in — but not today!
-- rc primak
Not a fan of the PIN or Windows Hello. I think the numbers are not accurate and I hate that MS tries to force the issue.
Users tend to get lazy and they forget their password and then they contact tech support to bail them out. I have had users that have forgotten their PIN.
Also hinders unattended remote support efforts.
I saw the MS article about 85% of Windows users now using Windows Hello and found it hard to believe. When I was forced to create a PIN after a major upgrade to one of my systems, I quickly disabled it after finishing the initial setup. Maybe Microsoft still considers me to be using a PIN since I did set one up once.
I have two Hyper-V systems with Windows Insider builds running on one of my machines. I also have another machine which has Windows 10 installed that I use to install new updates before trying them on my main machine. I only have one keyboard/mouse/display and use Remote Desktop to access the second machine. It would drive me nuts to try to keep track of 4 different PIN values and enter the correct one for the system I am trying to access. I do try to remember to change my Windows account password every few months and it takes me a week or so to stop trying to enter the old password. I do really appreciate it that I can always use my current MS account password on all my systems, no matter how long it has been since I used them.
I can’t see passwords going away in the near future.
I do try to remember to change my Windows account password every few months
Why? All you are doing is making your life harder.
Choose a strong password in the first place and use that forever.
See the NIST guidelines.
cheers, Paul
By default, Windows 10 does not automatically expire user passwords. But a Group Policy or even an MS Update or Feature Update (Upgrade) can set the password expiration feature to “True”. Then it has to be reset to the default “False” value, either through Group Policy or through the Command Prompt.
-- rc primak
or even an MS Update or Feature Update (Upgrade) can set the password expiration feature to “True”.
An update has never set password expiration for anyone.
Windows 11 Pro version 22H2 build 22621.2361 + Microsoft 365 + Edge
Good god no. MS has messed up enough things in Windows 10 that I don’t have confidence in Hello. When they fix all of the update bugs and 20H2, I will think about it.
Custom Build - Intel i5 9400 5 Core CPU & ASUS TUF Z390 Plus Motherboard
Edition Windows 10 Home
Version 22H2
OS build 19045.3086
That seems high to me, although I do use Windows Hello myself. Once I got spoiled with Face ID on my iPhone and iPad the password/PIN routine on my desktop got old. Fingerprint ID never worked for me because my fingerprints are pretty well worn down. Opening an iPhone with a fingerprint doesn’t work (too much handwashing over the years; the state police couldn’t even read them for a background check). I now use Face ID with Windows Hello using a Logitech BRIO. It’s also a normal HD webcam that I keep covered except while on Zoom calls, and a good mic. I have to say I’m happy with it.
I think the number is bogus because Windows Hello requires biometrics on the machine (https://www.computerworld.com/article/3244347/what-is-windows-hello-microsofts-biometrics-security-system-explained.html).
While such equipment may be common on new laptops, it is not common on tower/desktop PCs out of the box or existing machines, including older laptops, that have been upgraded to Windows 10 (obviously, one can add a camera and/or fingerprint scanner later but changing one’s sign-in method is not a normal user endeavor).
Much of the discussion here conflates using Windows Hello with using a PIN in lieu of a password. They are not the same thing, but I wonder if Microsoft is adding the numbers (actual Hello users and PIN users) to make it sound better than it is.
I think the number is bogus because Windows Hello requires biometrics on the machine
Not entirely true.
Much of the discussion here conflates using Windows Hello with using a PIN in lieu of a password
Using a PIN is indeed part of Windows Hello. It’s called Windows Hello PIN.
as @rc-primak wrote:
I too take the extra steps not to have a MS Cloud login and not to use a PIN or Windows Hello for logins on local accounts. Especially Administrator Accounts.
I know what you mean, one must click on the “I don’t have the internet” button.
And most users won’t continue with a local account, because Microsoft scares users with the next, following sentence (don’t know exactly how it is in the English installation):
“Continue with limited experience?”
Limited? 🙂 that does not sound too good.
So most people create an MS account unintentionally. During this Christmas I was lucky to try XBox and its account creation, because you cannot play without an account (games are stored to your account). We tried to create a new account for me.
And it was a terrible experience. And time consuming and confusing. And by the way, on XBox, Edge does not allow you to surf the web until your account is active. There was some error all the time. Could it be for tracking purposes? Maybe, but I lost interest anyway.
My friend also bought a game, so we tried to redeem the code and play the game. There was “automatic subscription renewal” checked, and it could not be unchecked when activating the game. So we had to enter the credit card credentials. Microsoft literally forced me to do so in order to play the game. I’m glad that I’m not mistaken about Windows. XBox confirmed my opinion about Microsoft recently. I know that I won’t buy an XBox. Simply that bad an experience it was.
I can use fingerprint as login, that’s cool. But presenting those numbers above from Microsoft, when users have no clue what they are doing, is demagogy.
Dell Latitude 3420, Intel Core i7 @ 2.8 GHz, 16GB RAM, W10 22H2 Enterprise
HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29
PRUSA i3 MK3S+