Microsoft Wants to Kill Passwords, Starting with Windows 10

Each person's DNA is unique to that person. What we need is a small device made by Microsoft, and each time a password code is needed we just spit at the device.

I'll do ya one better. A device you strap to your arm that will only activate if the device's stored DNA profile matches the profile of the person it is strapped to.

Then when a request comes through, it just verifies the DNA by doing a skin-prick or whatever and then automagically approves the request.

Sure, your arm may look like you are a junkie after a while, but it is more convenient than making up and remembering a long, easy-for-you-to-remember password and then having to type it in all the time.

Who cares if you have blood dripping off of your arm all the time... you can just lick it off and get the nutrients back, right?
 
...

But they'd easily guess [^WdGxh&7wcm!kQ286r+ ???

That one would be rather more difficult to remember with very little improvement in security, which I guess was the point of the post you quoted.
 
And how do you sign in if this is enabled but you have no internet connection for some reason?
 
This sounds like you would need to buy extra hardware to use your computer. Also a hidden form of identification. My bank has a nifty device that reads coloured QR codes; in combination with the "scanner", it allows the bank card to generate codes for signing in and for signing transfer/payment orders.

No passwords besides the PIN are needed. The scanner can also be used from other devices with a camera and the application that will generate codes.
YouTube below is in Dutch, but just disable the sound :)
Rabobank scanner

That is the best form of authentication I have seen where you need no passwords yet.
 
Why aren't you using the MS authentication app? You just click "approve" and you don't even have to enter anything.

Google does this with G Suite when you log in on an unknown PC. They send you a message asking if you approve, you say 'yes', and then they ask you to enter the number displayed on your phone's screen on the unknown client machine (not via SMS). Once this is done the PC is approved for future use until you log out.

It actually works quite well.
 
MS wants to kill passwords by sending you a password?
So we still have a password?
 
I have MS authentication for the Global admin account of Office 365. A couple of months back the MS Authentication service went down for a couple of days. I could not log into Office 365 to administer it. So, nope, I don't like this one bit.
 
Why aren't you using the MS authentication app? You just click "approve" and you don't even have to enter anything.
Had no idea it existed. I'm trying it out now. Still annoying to require the use of my personal cell phone to access my work email.
 
I use phone 2 Factor a lot for several types of accounts.

My phone packed up a few months ago.

Getting 2 Factor setup and re-authorised for all those systems on a new phone was a real painful process.

"If you want to reset your 2 Factor click here and we'll send a code to your phone!"

"Noooooooooo!!!"
 
It's as if Microsoft hasn't paid attention to all the SMS MFA redirection spoofing crap. Cellular providers can be socially engineered to move a DID (phone number) to a new SIM with very limited proof of identity. Bam, your MFA is now mine...
 
Had no idea it existed. I'm trying it out now. Still annoying to require the use of my personal cell phone to access my work email.

Well at least you aren't having to use an RSA key for that.

If it was set up like that, you would have to:
enter your company domain/username
company password

PIN + RSA key numbers.

And then hope your RSA key is still in sync with the RSA server, that the RSA server and company logon server aren't having issues, and that the web filter/proxy is actually working.
 
Didn't I just see that two-factor authentication is not secure either? A PC as a Christmas present insisted on Windows setting a PIN after sending a code to the cell phone. I am doubtful, but it seems everyone wants to go this way. Not just MS.

Depends on what you mean by secure. Generally 2FA is more secure than a password.

Why is a 4-digit PIN more secure than a 10+ character complex password?

How in the hell is a PIN not a password? It's just generally numbers, and a smaller amount than many passwords. On top of that, it assumes one's cell phone is secure. Insert Bender "you're serious" gif here.

First, there is the misnomer about "complex" passwords. A complex password isn't really secure; password strength is actually due to length, not complexity.

Second it isn't just a 4 digit PIN, it is part of a 2FA system. Although I am not a fan of that particular system, they would be better off perhaps sending you a token, but tokens can be lost. A better method would be to combine the token PIN with a passphrase. The reason MS likely hasn't done this is the majority of their customers are lazy and would likely balk at it.

Just don't kiss anyone goodbye before trying to sign in.

Seems like a lot of the alternatives to passwords involve extra steps that can go wrong. Instead, try NOT forcing an email address as your account name. An account name of, say, AmberHorseKicksCat and a password of DeadBatterySucksBigtime will take a brute force approach a long time to crack.

When many database breaches provide lists of valid email addresses, it becomes fairly trivial to use that list matched with the top 10 list of passwords against sites that mandate account name = email address.

The account name is trivial; almost anyone can get that, it is sent in the clear. Having a different account name, longer account name, etc. isn't really providing that much more security. The reason longer passwords are harder to crack is that it requires far more permutations for a cracker to find the appropriate matched hash.

The reason the 2FA system is generally more secure than a password, is it works differently and you can't just brute force it. By the time you brute force the PIN, the PIN is different because it is only valid for a short period of time.
 
It's as if Microsoft hasn't paid attention to all the SMS MFA redirection spoofing crap. Cellular providers can be socially engineered to move a DID (phone number) to a new SIM with very limited proof of identity. Bam, your MFA is now mine...

And how many people does this actually happen to? It is far easier to crack a password and have perpetual access to a machine these days than to try and spoof SMS.
 
Well at least you aren't having to use an RSA key for that.

If it was set up like that, you would have to:
enter your company domain/username
company password

PIN + RSA key numbers.

And then hope your RSA key is still in sync with the RSA server, that the RSA server and company logon server aren't having issues, and that the web filter/proxy is actually working.
I don't have a problem with the added security. What I have a problem with is the expectation to use a personal paid for service and asset to access a business related resource.
 
Well at least you aren't having to use an RSA key for that.

If it was set up like that, you would have to:
enter your company domain/username
company password

PIN + RSA key numbers.

And then hope your RSA key is still in sync with the RSA server, that the RSA server and company logon server aren't having issues, and that the web filter/proxy is actually working.

When I worked on the helldesk for Kodak, the majority of our morning calls were about this. It didn't help that it was people in Vancouver trying to use PC/Anywhere over a 28.8k modem and the key life was 60s. :facepalm:
 
never type a password, just a pin.... a 4-digit not-password......

I love how hard Microsoft pushes using a PIN. It's literally the simplest password to crack. Not to mention that a majority of people who use Windows 10 will use something like 1234 since they are being forced to use it.
 
Depends on what you mean by secure. Generally 2FA is more secure than a password.

First, there is the misnomer about "complex" passwords. A complex password isn't really secure; password strength is actually due to length, not complexity.
It's actually both. Password strength is provided by length and complexity, if you define complexity as randomness. The more random, and the more characters used (length), the more secure the password is. (Of course, if that password isn't STORED properly, it's a moot point.)
 
So why did you sign up your personal phone for the 2FA instead of registering your work phone? Since you reference a personal phone, that would tend to lead one to believe you have a work phone as well. I gave up on that crap years ago; I hate carrying a whole bunch of different devices around. I could have a work phone and carry two phones everywhere I go, or I can get compensated for using my personal phone and carry just one phone around.

What's REALLY annoying are all these web sites that only let you use 8 character or so passwords. THIS is what is insecure. Also ridiculous complexity rules that aren't relaxed for long passwords. Icaneasilyrememberthislongsentence! is a much better password than G00ber123# but fails in most places simply because it is too long, or does not contain a number. DUMB DUMB DUMB. And the good 2FA solutions don't require you to copy codes from your phone like my health insurance company does. All of our work stuff, I just have to hit the approve button in the app; there are no codes.

Of course, one never knows with Microsoft. I did once argue with a client who had a group policy set to store passwords with a reversible hash enabled on their domain controllers. In the GP editor it even tells you NOT to do this unless you have some really, really good reason (as in, there is none; if you have a piece of software that only works with this set, find another software vendor). They told me the Microsoft consultant (actual MS employee type) who was helping them clean up after a Cryptolocker attack told them to set this. These of course are all people who have scored high on all the Microsoft certification tests, and people wonder why I think those tests are utterly worthless.
 
It's actually both. Password strength is provided by length and complexity, if you define complexity as randomness. The more random, and the more characters used (length), the more secure the password is. (Of course, if that password isn't STORED properly, it's a moot point.)

Actually, no it isn't. Complexity barely even comes into the picture with today's brute force algorithms; it literally is based on length as the primary factor. Complexity only helps against humans trying to decipher your password, and that is really a non-issue.

For reference.
 
I don't own a cell phone number. I don't mind using Windows Hello or something else. Just waste my life on the support call to Redmond.
 
It doesn't matter. If you have sensitive info, SMS MFA is _NOT_ a reliable security mechanism. You're completely missing the point of how fucking easy it is to defeat this mechanism that is meant to massively increase security, but doesn't.

And how many people does this actually happen to? It is far easier to crack a password and have perpetual access to a machine these days than to try and spoof SMS.
 
I use phone 2 Factor a lot for several types of accounts.

My phone packed up a few months ago.

Getting 2 Factor setup and re-authorised for all those systems on a new phone was a real painful process.

"If you want to reset you 2 Factor click here and we'll send a code to your phone!"

"Noooooooooo!!!"
Ideally (not normally), n-factor auth is excellent, but most providers are using it as a way to mine personal data. I.e., in order to recover from a broken auth source, you must provide identity proof via yet another channel. Rather than provide the ability to manage multiple keys from multiple sources for the purpose of revocation or recovery, most auth providers limit the feature set, call the process "2-factor", and then drill you for personal details as a third (backup). They don't need the personal details, but they can sure "use" them. Ultimately, it's a way to restrict a valuable technology for the purpose of monetization.

Identity and authentication management should be a codified right, but apparently we're stuck in the 20th century forever.
 
It doesn't matter. If you have sensitive info, SMS MFA is _NOT_ a reliable security mechanism. You're completely missing the point of how fucking easy it is to defeat this mechanism that is meant to massively increase security, but doesn't.

Did you actually read the blog that MS put out? The methods they listed there are magnitudes better than passwords and aren't using SMS MFA. In fact I saw zero mentions of SMS MFA in the blog at all. It talked about Hello, which uses facial recognition and Bluetooth for proximity detection. They talked about the MS Authenticator app, which uses a fingerprint or a code that is sent through the app, not SMS. They also talked about FIDO2 offerings, which include devices like the YubiKey.

And yet again, the SMS problem you say is so "fucking easy" is not that prevalent. You know how easy it is to steal CC information? You know how easy it is for people to steal your bank credentials? Do you know how easy it is for someone to pick your lock at your house? All of these are risks we take all the time.

Also, having some shitty MFA is still better than only having a password. But again, this blog post and the MS direction has nothing to do with SMS verification.
 
Did you read the actual HardOCP post, which says "which allows users to sign in using their phone and --->>>texted codes<<<--- instead of a traditional passphrase"?

It's also in the SECOND SENTENCE IN THE ARTICLE "Microsoft will just text a code to your phone number when you sign in"

Did you actually read the blog that MS put out? The methods they listed there are magnitudes better than passwords and aren't using SMS MFA. In fact I saw zero mentions of SMS MFA in the blog at all. It talked about Hello, which uses facial recognition and Bluetooth for proximity detection. They talked about the MS Authenticator app, which uses a fingerprint or a code that is sent through the app, not SMS. They also talked about FIDO2 offerings, which include devices like the YubiKey.

And yet again, the SMS problem you say is so "fucking easy" is not that prevalent. You know how easy it is to steal CC information? You know how easy it is for people to steal your bank credentials? Do you know how easy it is for someone to pick your lock at your house? All of these are risks we take all the time.

Also, having some shitty MFA is still better than only having a password. But again, this blog post and the MS direction has nothing to do with SMS verification.
 
Actually, no it isn't. Complexity barely even comes into the picture with today's brute force algorithms; it literally is based on length as the primary factor. Complexity only helps against humans trying to decipher your password, and that is really a non-issue.

For reference.


Wait, what?? ......No dear, this works even against massive online cracking arrays...

Straight from your own link: "I can't stress enough the importance of having length paired with complexity." --Which is what I said.
 
Straight from your own link: "I can't stress enough the importance of having length paired with complexity." --Which is what I said.

But straight from my own link, length is what matters most, and complexity is a distant second. Which is straight from the data tables in the link as well. It has also been a highly researched area, and all the research points to length being the major factor with complexity barely weighing in. In fact the only real complexity needed is not having dictionary words.
 
Did you actually read the blog that MS put out? The methods they listed there are magnitudes better than passwords and aren't using SMS MFA. In fact I saw zero mentions of SMS MFA in the blog at all. It talked about Hello, which uses facial recognition and Bluetooth for proximity detection. They talked about the MS Authenticator app, which uses a fingerprint or a code that is sent through the app, not SMS. They also talked about FIDO2 offerings, which include devices like the YubiKey.

And yet again, the SMS problem you say is so "fucking easy" is not that prevalent. THIS IS INCORRECT. THE SMS SPOOFING IS BECOMING MORE PREVALENT NOW, BUT DATA IS STILL LACKING BECAUSE THE OLD SS7 PROTOCOL IS NOT OPEN SOURCE, SO NO ONE HAS REVERSE ENGINEERED IT FULLY. WHAT HAS BEEN LOOKED AT BY SECURITY PROFESSIONALS (PARTICULARLY KARSTEN NOHL FROM GERMANY) WAS THAT HE WAS ABLE TO CRACK THE 1ST AND 2ND GENERATION SS7 PROTOCOL. THAT PROTOCOL IS OLD AND NEEDS UPDATING. You know how easy it is to steal CC information? You know how easy it is for people to steal your bank credentials? Do you know how easy it is for someone to pick your lock at your house? All of these are risks we take all the time.

Also, having some shitty MFA is still better than only having a password. <-- THIS IS CORRECT But again, this blog post and the MS direction has nothing to do with SMS verification.
 
Did you read the actual HardOCP post, which says "which allows users to sign in using their phone and --->>>texted codes<<<--- instead of a traditional passphrase"?

It's also in the SECOND SENTENCE IN THE ARTICLE "Microsoft will just text a code to your phone number when you sign in"

Actually, I read the blog post by Microsoft, and the blog post mentioned a number of solutions, now and where they are going, and none of them mentioned using SMS. The link you are showing is not from Microsoft, but links the Microsoft blog post, which again did not mention SMS at all. And if you read it more closely you will see the texted code is a one time thing. In addition, you don't even have to use that method; that is just one easy way to get it set up. They list many different ways you can use Hello or set it up. But sure, seems like an apt thing to get all bent out of shape over. :rolleyes:
 
First, there is the misnomer about "complex" passwords. A complex password isn't really secure; password strength is actually due to length, not complexity.

Second it isn't just a 4 digit PIN, it is part of a 2FA system. Although I am not a fan of that particular system, they would be better off perhaps sending you a token, but tokens can be lost. A better method would be to combine the token PIN with a passphrase. The reason MS likely hasn't done this is the majority of their customers are lazy and would likely balk at it.

The way I am reading it is that you only have to do the 2FA thing once, and then afterwards it's just a PIN/fingerprint/whatever. So I'm not really sure how secure it is, ultimately.
 

So the non-prevalent problem is prevalent although it's not really quite prevalent yet...okay...
 
The way I am reading it is that you only have to do the 2FA thing once, and then afterwards it's just a PIN/fingerprint/whatever. So I'm not really sure how secure it is, ultimately.

That isn't how it works. The one method they list in that article (which isn't the only way, as mentioned in the blog post) is that you set up Windows Hello using a code that is texted to you. After that, you set up Hello to use fingerprint or facial recognition or PIN in order to log into Windows. The reason for the phone is that most phones come with fingerprint scanners and cameras that can do facial recognition. Otherwise, you could use the fingerprint or facial recognition cameras on your computer instead.
 
But straight from my own link, length is what matters most, and complexity is a distant second. Which is straight from the data tables in the link as well. It has also been a highly researched area and all the research points to length being the major factor with complexity barely weighing in. In fact the only real complexity needed is not having dictionary words.

That's NOT what your own guy says in the article; it's BOTH. THAT's what security professionals like Dr. Matthew Green from Johns Hopkins say, Bruce Schneier says, Steve Gibson says, etc. Length is NOT more important; length PAIRED with complexity is what makes it MORE secure, NOT length alone. This is math; you can't just say one is more important and the other one is a "DISTANT SECOND". That's NOT what the math says.
 
This is scary, I don't have a cell phone. Anyway, giving someone your cellphone number is also an easy way to find your home address.

If I know your name, chances are I can pretty easily find your home address regardless. I don't need your cell phone number for that.
 
Instead of trying to kill off the password, Microsoft should work towards passwords that are made up of a bunch of random words.

No one is going to guess my password is GoldTurnHorseAnvil

Is your password GoldAnvilHorseTurn?
 
So the non-prevalent problem is prevalent although it's not really quite prevalent yet...okay...

Yes, let me clarify: it's MORE prevalent now than it was in the past because more bad actors are now turning their attention to taking advantage of the now known ways of subverting the SS7 protocol, but not as much REPORTING on it has been done, probably because no one likes to admit to being compromised, and obviously hackers and nation states aren't going to own up to it. (And as an aside, if you don't think nation states have been doing this for a long time, you're kidding yourself.) But hackers other than governments are now slowly going to be taking advantage of the SMS 2FA. Why? Because it's not as secure anymore as the TOTP apps like Google's Authenticator. This is why the security community has already warned against, and has deprecated, the use of SMS as a robust method of 2FA in favour of time-based apps, because SMS is still going over a network and can be intercepted. OTP doesn't. As you've said above, is SMS better than nothing? Yes. Is Microsoft doing a disservice by offering SMS over the token-based OTP? I believe they are, yes.

HardOCP did the right thing by offering TOTP apps as a second factor. (Thank you Kyle for resetting my account when I also lost access to my app when switching phones.) You don't see many online forums doing that.
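The time-based codes discussed in this thread (the "PIN is different because it is only valid for a short period of time" point above, and the TOTP apps contrasted with SMS here) are RFC 4226 HOTP and RFC 6238 TOTP. The following is an added example, not code from the HardOCP post or from Microsoft's blog: a minimal HOTP/TOTP implementation and a server-side verifier. It uses the RFC's published test key purely as a constructed demo secret; the `verify_totp` helper and its skew window are the author's own illustration, not any particular vendor's implementation.

```python
import base64
import hashlib
import hmac
import struct

# The RFC 4226/6238 test key, base32-encoded the way authenticator apps store it.
# Constructed for this example only; never reuse a published key for a real account.
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode("ascii")

TIME_STEP_SECONDS = 30   # RFC 6238 default: a fresh code every 30 s
DIGITS = 6               # 6-digit codes, as Google Authenticator / MS Authenticator show


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer, then the last `digits` decimal digits."""
    key = base64.b32decode(secret_b32, casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int,
         step: int = TIME_STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP where the counter is the number of `step`-second
    intervals since the Unix epoch. Every code is tied to a 30 s window."""
    return hotp(secret_b32, unix_time // step, digits)


def verify_totp(secret_b32: str, candidate: str, unix_time: int,
                step: int = TIME_STEP_SECONDS, window: int = 1,
                digits: int = DIGITS) -> bool:
    """Server-side check of a submitted code.

    Accepts the current step and `window` steps on either side so a phone whose
    clock drifts by a few seconds still works; rejects malformed input up front;
    compares in constant time so timing does not leak which digits matched.
    Any real deployment must also rate-limit attempts per account: a 6-digit
    code has only 10**6 values, and with window=1 three of them are valid at once.
    """
    if len(candidate) != digits or not candidate.isdigit():
        return False
    current = unix_time // step
    for counter in range(current - window, current + window + 1):
        if hmac.compare_digest(hotp(secret_b32, counter, digits), candidate):
            return True
    return False


if __name__ == "__main__":
    # Show the code rolling over at the 30 s boundary (t=59 -> t=60).
    for t in (0, 29, 30, 59, 60):
        print(f"t={t:>3}  code={totp(DEMO_SECRET_B32, t)}")
```

Two things the code makes visible that the thread argues about: the code an attacker would brute-force is gone after 30 seconds, so the 10^6 keyspace only matters if the server lets an attacker try thousands of codes inside one window; and none of this touches the phone network, which is exactly why a TOTP app is not exposed to SIM-swap or SS7 interception the way an SMS code is.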
 
That's NOT what your own guy says in the article; it's BOTH. THAT's what security professionals like Dr. Matthew Green from Johns Hopkins say, Bruce Schneier says, Steve Gibson says, etc. Length is NOT more important; length PAIRED with complexity is what makes it MORE secure, NOT length alone. This is math; you can't just say one is more important and the other one is a "DISTANT SECOND". That's NOT what the math says.

First, what do you mean by my own guy? I don't know the guy.

But as to your other point, straight quote:

"The longer you can make your passphrase while still adding some complexity, the better." Some complexity. I didn't say length alone; I said length was the predominant factor that affects it and is the most important factor by far. For yet another article explaining reasons why, go here. If you want, I could go on all day listing links, articles, research, etc. explaining why length is the most important factor. Basically it just comes down to math. In any case, it doesn't matter, as passwords are still the less secure method for accessing systems compared to 2FA.
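The length-versus-complexity argument that runs through this thread, and the GoldTurnHorseAnvil / AmberHorseKicksCat passphrases, reduce to one formula: a secret drawn uniformly from N possibilities has log2(N) bits of entropy, so a password of L symbols from an alphabet of size A has L*log2(A) bits and a passphrase of W words from a list of S words has W*log2(S) bits. The following is an added example, not from any post above, that puts the thread's cases side by side. The 7776-word list size is the standard Diceware list; the tiny `DEMO_WORDS` list and the guess rates are constructed for the example. The caveat the numbers carry: they hold only for uniformly random choice, so a human-picked "GoldTurnHorseAnvil" is worth the computed bits only if the words actually came from a random draw.

```python
import math
import secrets
from typing import Dict, Sequence

# Constructed, deliberately tiny word list so the example runs offline.
# A real passphrase list (Diceware) has 7776 entries; a list this small is for
# illustration only and would give a weak passphrase.
DEMO_WORDS = ["gold", "turn", "horse", "anvil", "battery", "dead", "amber", "cat"]

PRINTABLE_ASCII = 95   # letters, digits, punctuation, space
LOWERCASE = 26
DICEWARE_LIST = 7776


def charset_entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy in a password of `length` symbols, each chosen uniformly
    at random from an alphabet of `alphabet_size` symbols: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def wordlist_entropy_bits(word_count: int, list_size: int) -> float:
    """Bits of entropy in a passphrase of `word_count` words chosen uniformly
    from a list of `list_size` words. The words' spelling does not matter,
    only how many the attacker must consider per position."""
    return word_count * math.log2(list_size)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time for exhaustive search at a given guess rate: on average the
    attacker finds the secret after trying half the keyspace."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def generate_passphrase(word_count: int, wordlist: Sequence[str]) -> str:
    """Random passphrase in the GoldTurnHorseAnvil style, using the CSPRNG so the
    entropy figure above actually applies."""
    return "".join(secrets.choice(wordlist).capitalize() for _ in range(word_count))


def compare_cases() -> Dict[str, float]:
    """The thread's competing claims as numbers. Both sides are partly right:
    per symbol, a bigger alphabet adds bits (8 printable > 8 lowercase), but
    adding symbols adds more bits faster (16 lowercase > 8 printable)."""
    return {
        "8 chars, 95 printable": charset_entropy_bits(8, PRINTABLE_ASCII),
        "8 chars, lowercase only": charset_entropy_bits(8, LOWERCASE),
        "16 chars, lowercase only": charset_entropy_bits(16, LOWERCASE),
        "18 chars, lowercase only": charset_entropy_bits(18, LOWERCASE),
        "4 words from a 7776-word list": wordlist_entropy_bits(4, DICEWARE_LIST),
        "4 words from the 8-word demo list": wordlist_entropy_bits(4, len(DEMO_WORDS)),
    }


if __name__ == "__main__":
    # Assumed guess rates: a fast unsalted hash on a GPU rig vs. a slow KDF.
    # Both figures are illustrative assumptions, not measurements.
    FAST_HASH_RATE = 1e10
    SLOW_KDF_RATE = 1e5
    for label, bits in compare_cases().items():
        fast = expected_crack_seconds(bits, FAST_HASH_RATE) / 86400
        slow = expected_crack_seconds(bits, SLOW_KDF_RATE) / 86400
        print(f"{label:36} {bits:6.1f} bits  fast-hash {fast:12.1f} d  slow-KDF {slow:14.1f} d")
    print("sample passphrase:", generate_passphrase(4, DEMO_WORDS))
```

Reading the output: the four-word Diceware passphrase (about 51.7 bits) lands within a bit of an 8-character fully random printable password (about 52.6 bits), while 16 random lowercase letters (about 75.2 bits) beat both by more than twenty bits, which is the "length first" position; the "both" position shows up in the 8-character rows, where widening the alphabet from 26 to 95 adds about 15 bits at the same length. The storage point made earlier in the thread is the `guesses_per_second` parameter: the same password survives roughly 100,000 times longer behind a slow KDF than behind a fast unsalted hash.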
 