Microsoft Says It’s Time to Kill Off the Password

Megalith

Microsoft’s solution to the password? You. In what is probably a veiled attempt at drumming up interest for Windows Hello, its facial, fingerprint, and iris-scanning system, the company is touting the superiority of biometrics over strings of typed text for security.

But Windows Hello isn’t infallible, at least on older versions of the OS. Last week, German security firm SYSS discovered they could trick its facial recognition tech using a printed headshot. The other big company pushing the virtues of biometric authentication is, of course, Apple. Despite several examples of its Face ID system being tricked by photos and users' relatives, the system is still expected to arrive in the company’s other devices next year.
 
Yes it is superior.... Until it doesn't work.

It sux hard to get locked out of your precious because you scruffed your fingertips somewhere. And face recognition has been beaten time & again.
 
The main issue is that we have one set of biometric data each. Once that data is acquired by someone who should not have it, we are probably screwed. Multiple types and ways to obscure authentication could help, but in the end it seems like it could be a huge issue.
 
DNA match test is next.

Lol of photographs working - that really sounds secure :D

Voice recognition if you read off of the screen something random? Kinda hard to record something like that but sounds rather time consuming. Maybe a gesture type facial expression you do in real time where you can't use a picture for. A double wink wink.
 
Iris scan. The only way around that is if you rip out my eyeball, or hack my ophthalmologist.

OTOH, something like an Ubisoft Orifice Shift that can be sat on might also work. Are hemorrhoids unique? Hmmm... an Ubisoft Orifice Shift coupled with a Nosulus Rift could turn out to be a rather interesting experience. New GoFundMe page anyone?
 
Microsoft's "solution to a problem that doesn't exist"? Whatever Apple has done and proven is utter crap, then to go "ME TOO"!
 
How about we use biometrics AND passwords. Much more secure.

My android phone does that. :) Finger and password capable. The problem with facial is that there is no heat detector device built in to distinguish if it's just not a picture. Plus they use cheap crap components that don't have enough point references.
 
Seems like the fingerprint scanner is the best compromise. Photo is just too easy a tool to bypass.

I know these guys just want image to work cause you can just look at the screen, but unless they can make a system that can't be tricked by a photo, it's useless.
 
How about we never use biometrics!
Short cutting security is a terrible idea.
Especially when you have to give such sensitive data to companies like MS who could disseminate it anywhere and you would never know.

When I create a password it doesn't pass on any information about me at all, and as pointed out you can change it without needing a major operation and a screwed up life.
Biometrics is a disaster waiting to happen.
 
Seems like trying to reinvent the wheel to me. The password has worked pretty much just fine for several decades. The only problem with passwords these days is sites requiring some weird combinations of symbols, letters and geometric shapes that ensure that not only will you not remember it but it'll be completely different from the other sites that require similar stupid password configurations. I wish they'd just go back to letting me use the password I want to.
 
Seems like trying to reinvent the wheel to me. The password has worked pretty much just fine for several decades. The only problem with passwords these days is sites requiring some weird combinations of symbols, letters and geometric shapes that ensure that not only will you not remember it but it'll be completely different from the other sites that require similar stupid password configurations. I wish they'd just go back to letting me use the password I want to.
Because then idiots will use Password1 and complain when they get "hacked". What's probably the worst I've seen for password requirements is a maximum length. Sure it can't be infinite, but I've seen places with max lengths of 12 characters. TWELVE! My car insurance company does that crap, so not only do I have to remember a password with symbols, numbers, capitals, in it... it can't be longer than 12 digits. Th1sIsMyCarInsuranceP@assword would be way better, and easy to remember but no.

XKCD explained this ages ago, but few people seem to understand it https://xkcd.com/936/
 
Because then idiots will use Password1 and complain when they get "hacked".

I get that because lots of dumbass people will never accept responsibility for their own stupidity like the guys that leave their cars running to warm up in the driveway with the doors unlocked then are shocked when they walk out and it's gone. Still, saddling the rest of us with way over the top password requirements isn't much of an answer either.
 
I don't have a web cam so facial recognition is out.

Plus.. what happens when a family member needs to use my computer?

Screw biometrics for my home computer.
 
Personally I won't give up on passwords. I refuse to use any of the biometric because it's weaker than passwords for anyone who uses good passwords. Seriously I think biometrics is the "solution" tech companies are going to use as their bargaining chip against strong encryption regulations. Nothing says we built a backdoor into everyone's phone without compromising the underlying security than all you need to do is print a picture and a 3d plastic mask to get in, or those fingerprints you had on file will unlock with a rubber glove tip, some powder and a piece of scotch tape.
 
I don't have a web cam so facial recognition is out.

Plus.. what happens when a family member needs to use my computer?

Screw biometrics for my home computer.

It's not an all or nothing proposition. Technology is often a matter of making things faster and easier. No authentication method is foolproof and while strong passwords have advantages, typing in and constantly changing a strong text password across an array of services isn't ideal at least.
 
I like the 2 factor authorization

Password and then they send you a code via email, text or phone

Ever changing world though .... soon enough something is bound to replace it.

If the alternative is proven more secure, then kill off the password. Won’t break my heart any.
 
Microsoft - "Let's keep changing shit that doesn't need changing"....:rolleyes:

Happy New Year!

It is this time of the year where I, like many, take account of the changes in the world through time. I often think of how different the world is now compared to the world into which my almost 91 year old mother was born. To think that a desktop operating system is somehow more futureproof than the milkman is the type of arrogance that is at the heart of failure and the core of the failings of Microsoft over the years.
 
You still have to have a password to use Windows Hello regardless, it just means you do not have to type it in every time. The facial recognition part, at least on the phones, never worked well because you had to have the phone practically in your face for it to work. However, the fingerprint reader part, at least on the Idol 4S for Windows, works well. I have not tried it on a desktop or laptop computer though.
 
It's not an all or nothing proposition. Technology is often a matter of making things faster and easier. No authentication method is foolproof and while strong passwords have advantages, typing in and constantly changing a strong text password across an array of services isn't ideal at least.

Yeah but, unfortunately, when the name Microsoft enters into it, suddenly, people get this all or nothing mentality which is completely illogical.
 
You still have to have a password to use Windows Hello regardless, it just means you do not have to type it in every time. The facial recognition part, at least on the phones, never worked well because you had to have the phone practically in your face for it to work. However, the fingerprint reader part, at least on the Idol 4S for Windows, works well. I have not tried it on a desktop or laptop computer though.

We live in a paranoid culture in fear of too many things and often not the right ones. No expert cyberthief is trying to break into one device or single low value target. This stuff is done on scale. And what hacker uses force before the fact? Gee, my data got stolen because I used a biometric security measure instead of a 23383 character password.
 
Microsoft - "Let's keep changing shit that doesn't need changing"....:rolleyes:

Yeah, how DARE THEY provide another option. But, let me guess, you are one of those guys that think another option is the only option offered by Microsoft, amirite?
 
Yeah, how DARE THEY provide another option. But, let me guess, you are one of those guys that think another option is the only option offered by Microsoft, amirite?

The problem for the types in a place like this is that Microsoft has been forced to do things that are not in alignment with its desktop heritage through a combination of its own failings and the realities of modern computing. And while Microsoft totally failed in smartphones, at least one of its ideas even before the smartphone era in mobile computing has become somewhat popular, 2-in-1 devices with digital pens.
 
The facial recognition worked great till the Creators Update broke it on my Alienware
 
The facial recognition worked great till the Creators Update broke it on my Alienware

Facial recognition can be fooled.

Hell, we used to fool the fingerprint scanner on the time clock machines at one of my jobs using PVA glue - Not too sure if that works on the newer sensors as effectively.
 
Facial recognition can be fooled.

Hell, we used to fool the fingerprint scanner on the time clock machines at one of my jobs using PVA glue - Not too sure if that works on the newer sensors as effectively.

Yep. Though, the same is true of any type of security. There is no such thing as unbreakable security. Someone skilled with social engineering is going to be able to break any kind of security. Facial recognition? It's not that hard to get a picture of a person. Fingerprint scanner? Even easier to get fingerprints, people leave them all over the place. Especially near work areas or in their home. Passwords? Very few people use truly unique, and random, passwords across their accounts. Even people good with password security tend to come up with tricks to help them remember passwords, if they're not using a password manager. That trick means there is a common link between passwords, which means as soon as someone figures out that link they're able to use it to get into all of their target's accounts. A password manager with good, two-step, verification is only slightly more secure depending on what the 2nd step of that is linked to.

Of course, none of that really matters for the average person. Unless you have a crazy stalker or something extremely valuable, you are highly unlikely to be targeted if you keep up good security practices. It's a lot more profitable for most criminals to go after easy targets vs people that would take a lot of time and effort.
 
Yep. Though, the same is true of any type of security. There is no such thing as unbreakable security. Someone skilled with social engineering is going to be able to break any kind of security. Facial recognition? It's not that hard to get a picture of a person. Fingerprint scanner? Even easier to get fingerprints, people leave them all over the place. Especially near work areas or in their home. Passwords? Very few people use truly unique, and random, passwords across their accounts. Even people good with password security tend to come up with tricks to help them remember passwords, if they're not using a password manager. That trick means there is a common link between passwords, which means as soon as someone figures out that link they're able to use it to get into all of their target's accounts. A password manager with good, two-step, verification is only slightly more secure depending on what the 2nd step of that is linked to.

Of course, none of that really matters for the average person. Unless you have a crazy stalker or something extremely valuable, you are highly unlikely to be targeted if you keep up good security practices. It's a lot more profitable for most criminals to go after easy targets vs people that would take a lot of time and effort.

Two factor authentication using apps as opposed to SMS from reputable sources is pretty good. The fingerprint thing was piss easy to crack when I stumbled upon the idea one day out of curiosity.
 
Yes it is superior.... Until it doesn't work.

It sux hard to get locked out of your precious because you scruffed your fingertips somewhere. And face recognition has been beaten time & again.

Any form of biometrics is a really bad idea to begin with. The idea that you store on any platform your biometric data which is prone to abuse (look at all the companies installing laptops with backdoors (Consumer service is the PC term for it?)) or devices you do not have "root" on on an operating system you did not install from scratch

Is a recipe for disaster ....

Even if you have full confidence in your device and the security still would not put any stored biometric data on it.
 
Any form of biometrics is a really bad idea to begin with. The idea that you store on any platform your biometric data which is prone to abuse (look at all the companies installing laptops with backdoors (Consumer service is the PC term for it?)) or devices you do not have "root" on on an operating system you did not install from scratch

Is a recipe for disaster ....

Even if you have full confidence in your device and the security still would not put any stored biometric data on it.
I totally agree!

Firmware, software, drivers, OS's, even AV solutions have all been shown to be compromised in recent years. Idiotic exploits, back doors, and improperly tested 'new features' have also proven to provide more ways for unauthorized access. Even if we ignore the fallibility of most consumer grade bio-metrics the likelihood of this information getting misused is in the extreme currently.
 
The main reason passwords suck is so many sites use them as the ONLY barrier to entry since they require the use of a publicly known email address as the account name. If the bad folk have to guess an account name AND match it to a valid password, their task becomes much harder.

One big advantage passwords have is you either type it 100% correct or not. There is no 98% correct.
Most biometric schemes have to allow a fudge factor since most biometric things can change some from when the base line sample was taken. Which is why a kid's face can unlock mom's Apple account. Or your thumbprint doesn't work for days after you burn your thumb.
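
The exact-match versus tolerance point made in the post above, as an added example that is not part of the original thread: a password check either matches or fails, while a biometric matcher accepts anything within a distance threshold. The 64-bit template, the bit-flipped samples and both thresholds are constructed for illustration and do not model any real sensor.

```python
import hashlib
import hmac

BITS = 64
SALT = b"constructed-salt"      # fixed for repeatability; use os.urandom(16) in practice
ENROLLED = 0x9E3779B97F4A7C15   # constructed 64-bit "template", not real biometric data

# Constructed samples: the enrolled template with a known number of bits flipped.
SAMPLES = {
    "owner, clean read": ENROLLED ^ 0x7,                # 3 bits differ
    "owner, burned thumb": ENROLLED ^ 0x3FFF,           # 14 bits differ
    "close relative": ENROLLED ^ 0xFFF000,              # 12 bits differ
    "stranger": ENROLLED ^ 0x3FFFFFFF00000000,          # 30 bits differ
}


def derive(password: str) -> bytes:
    """Salted, stretched hash of the password (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


STORED = derive("correct horse battery staple")


def verify_password(attempt: str) -> bool:
    """Exact match only: any difference in the input gives an unrelated hash."""
    return hmac.compare_digest(derive(attempt), STORED)


def distance(sample: int) -> float:
    """Fraction of bits in the sample that differ from the enrolled template."""
    return bin(sample ^ ENROLLED).count("1") / BITS


def accepted(threshold: float) -> list[str]:
    """Names of the samples a matcher with this tolerance would let in."""
    return [name for name, s in SAMPLES.items() if distance(s) <= threshold]


if __name__ == "__main__":
    print("exact password:", verify_password("correct horse battery staple"))
    print("one char short:", verify_password("correct horse battery stapl"))
    for t in (0.10, 0.25):
        print(f"threshold {t:.2f} accepts:", accepted(t))
```

With the strict threshold the owner's injured finger is rejected; loosening it enough to let that reading through also admits the relative's sample, which is the trade-off between false rejects and false accepts.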
 
It's all about contexts and what's on your threat model. No one solution works for every situation, so I wish they'd stop pushing that philosophy.
 