Microsoft says forget your passwords!

Topic

New Reply

ON SECURITY By Susan Bradley In a major push, Microsoft is advocating moving away from passwords and instead using different authentication methods. T
[See the full post at: Microsoft says forget your passwords!]

Susan Bradley Patch Lady

1 user thanked author for this post.

lmacri

Reply | Quote

Replies

NASA is offering the choice of not using passwords to log in, as an alternative to the, until now, required logins with passwords that expire at set intervals and have to be changed before the current one ends. The reasons for “no passwords” have been discussed and explained recently in various places and, if I remember correctly, also in some thread here, at AskWoody: people find this a hassle that gets in the way of what they are paid to do and use lazy password choices that are not secure enough. Or forget their passwords. Or forget to change them in time and get locked out. Or save them in unsafe ways. Or use everywhere the same password. Or data bases with them can be hacked and the passwords stolen. There are other reasons, but I believe these are the main ones.

There might be drawbacks to “no passwords”, so I am studying this new way to log in and, so far, I haven’t found them. Are there any?

(By the way, the login without password there is different from what Susan has described and depends on using both a universal PIN not tied only to an specific device, and a physical means of identification with information unique to the user, information that is very strongly protected anyway because it is needed for many other important things, besides login in to a computer. As anything else, this system can, in principle, be compromised by bad actors, but the idea is to make that a lot harder to do, not totally impossible, with social engineering among other possible work-arounds.)

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

Reply | Quote

I sign into one of my Win 10/Pro laptops with my MS password. I sign into my other Win10/Pro laptop with the fingerprint button, but if that fails for some reason, it reverts to my signing in with my password (it’s a different password and the machine is on a local account, not my MS account).

The information about PINs is new to me. I think I am PINless. I’ve just assumed that a password is how one logins into a Win10/Pro machine. I wonder if you (or someone else) could provide some background (or a good reference) on how PINs differ from passwords; how one gets a PIN, if desired; if it is possible to sign in with EITHER a PIN or a password; what other alternatives there are for signing in and what the advantages/disadvantages are of signing in that way, etc.

Naturally, I would like the most secure way of signing it, but I also want one that is fail-proof – in other words, I don’t want to get locked out because the new way of signing in doesn’t work, for some reason — for example, the fingerprint laptop will ask me for my password, if the fingerprint doesn’t work.

Reply | Quote

Why a PIN is better than a password

How to Add a PIN to Your Account in Windows 10

Windows 11 Pro version 22H2 build 22621.1483 + Microsoft 365 + Edge

2 users thanked author for this post.

WCHS, oldfry

Reply | Quote

WCHS: To the above I can reply with full knowledge only about this: in one of two cases I am familiar with, one creates one’s PIN that, as one does this, it is entered and kept, encrypted, in a smart chip in a card that can be scanned or read in a small external card reader, for example while using a computer, to login and also to confirm, by actually typing it, that one is authorized to access the computer, or network, or do email, etc., as well as to unlock the screen that locks after a number of minutes without activity, etc. So what one types as a PIN is checked automatically against the encrypted PIN in the chip. Someone who gets illegal possession of the card has to know also the PIN to type it successfully, and vice versa. That is where something like social engineering might be used to get either the card or the PIN, or both, but the person doing that is risking to expose himself or herself by asking for it, with some made up excuse, to the legitimate user of the card and PIN.

The other way I know is with PIN and Token, where in device about the size and shape of a thumb drive with a small LCD screen a new Token (a random integer number of fixed length) is displayed every minute or so, to be used along with the PIN before the next Token comes up, and these two numbers are entered in succession by typing them. The “thumb-drive” has to be synchronized with the clock in the server of the LAN where one is logging in, so it has to be re-synchronized now and then, because clocks always drift.

https://en.wikipedia.org/wiki/Security_token

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

Reply | Quote

No card or token is required for a Windows 10 PIN.

Windows 11 Pro version 22H2 build 22621.1483 + Microsoft 365 + Edge

Reply | Quote

I already got hit with this about a week or so ago by Microsoft when I tried to login. But I use a LOCAL ACCOUNT and seldom need to login to one of my three Microsoft accounts (thank goodness).

I don’t think Microsoft knows much about iPhones as it complains on my phone’s screen (when accessing Microsoft Authenticator) that I need to do a backup as mine is outdated. The phone backs up every day so I don’t know how I could back it up more often!

You have to have Microsoft Authenticator on your phone. I already had it. I have three separate Microsoft accounts and I haven’t been prompted except on one to move to passwordless and I don’t know why.

The glaring problem with this method of authentication is that you might have a sick phone that you have sent for repair. How do you login? I’d rather just use passwords. I have a huge folder that goes back to when I got my first computer in 1999 full of passwords. Luckily, I use desktops, not laptops, and see no need to use the internet when away from home (except on my iPhone maybe to, for instance, notify Target I am present so they can bring my purchases to the car). I avoid using the internet on my iPhone as that is a tiny, cramped screen which is very unpleasant compared to my 24″ wide screen Dell Ultra Sharp monitor.

Plus, I don’t think ANY method when it involves Microsoft is secure. Microsoft now plasters your email address for one of your accounts in HUGE BOLDED BLACK FONT across the top of the page when you click on Settings in Windows 10 20H2 (and I assume this probably happens in Windows 11 also). You cannot get rid of this or change the account Microsoft picked to list there. If you were in a coffee shop your Microsoft account address could be seen by others passing by if you are on the Settings page. This doesn’t happen on earlier versions of Windows 10 just 20H2. I would not have upgraded if I had known about this in advance (even though I use a desktop in the privacy of my home).

Plus, Microsoft is so inept that they plaster a DEAD EMAIL ACCOUNT address across the top of the screen when on the Settings page on Windows 10 20H2. I got rid of the account six months ago but I cannot figure out how to get Microsoft to use one of my other accounts by default (this is one of many reasons why I am completely opposed to this awful trend of using email account addresses for logins instead of passwords and user names). I’ve spent many hours last week trying to get Microsoft to use one of my current email addresses instead of a dead one and I have not been able to get this fixed. To me, it is absurd to use email addresses as authentication and login because I change email addresses fairly often while Microsoft seems to think users NEVER get rid of an email address. The irony here is that Microsoft doesn’t care if the email address it wants to use for authentication even exists currently. They do not check to see if you still have that address and sparse help if you do get rid of it and want to use a different address. Maybe I shouldn’t try to fix it because I don’t want others (if nearby) seeing a real email address that I use plastered across the top of the Settings screen.

Reply | Quote

How does going passwordless on your Microsoft account work with the Windows 10/11 login in case of problems?

In the past, when my Windows 10 machine had a problem, I could boot into one of the safe modes with my Microsoft account and its password. As I recall, at the time logging in with a pin was not yet possible, even if it was my default login method for the normal Windows boot.

Does Windows now offer a way to log in with my pin even in safe mode with command prompt?

Reply | Quote

erbkaiser wrote:

Does Windows now offer a way to log in with my pin even in safe mode with command prompt?

Yes, since the release 16 months ago of version 2004:

Windows Hello PIN sign-in support is added to Safe mode.

What’s new in Windows 10, version 2004 for IT Pros

Windows 11 Pro version 22H2 build 22621.1483 + Microsoft 365 + Edge

1 user thanked author for this post.

erbkaiser

Reply | Quote

Ms. Bradley,
I’m reading back issues of the newsletters, and I noticed that you mentioned a Lenovo laptop that you own. I thought that Lenovo laptops were made in either china or russia, so I have been reluctant to buy one for that reason. What are you thoughts on my concerns?

Reply | Quote

Most computer technology is built in China.  The apple devices we get for example, are manufactured in China.

I look at the fact that they are certified for use in the international space station. If governments certify them, they go through testing. It’s also the think pad’s reputation.

Susan Bradley Patch Lady

Reply | Quote