Microsoft Goes Passive on Passwords
Microsoft recently announced it will not enforce password policies that require you to change your Windows password periodically. One reason is that most passwords and password changes are pathetic. Microsoft’s Windows Hello can eliminate some password requirements now, and it will eliminate more as website owners and developers catch on. Right now, it’s available for Windows 10 Home and Business users.
Windows Hello logs you into your Windows devices three times faster than a password, using your camera to recognize your face or a fingerprint reader. Just to put you at ease from the start, you can always keep your PIN as a backup.
Windows Hello addresses our biggest concerns with passwords:
- Because strong passwords can be difficult to remember, many of us reuse passwords on multiple websites. If your password is hacked and works on one site, you can bet that cybercriminals will use it on every site they know you visit.
- Server breaches can expose symmetric network credentials, which is a technical term for passwords.
- Passwords are subject to replay attacks, which happen when an attacker copies a stream of messages between two parties and replays the stream to one or more of the parties. Consequences can include redundant orders of an item.
- Users can inadvertently expose their passwords due to phishing attacks.
We’ve cited all of them in one way or another when discussing the need to be extremely careful about what you click on a website or in an email.
Right now, Windows Hello lets you authenticate access to:
- A Microsoft account
- An Active Directory account
- A Microsoft Azure Active Directory (Azure AD) account
- Identity Provider Services or Relying Party Services that support Fast ID Online (FIDO) v2.0 authentication, which is now an official web standard for making the web more secure – and usable – for users around the world
The last item in that list will be the key to implementing better security for everyone who has a presence on the internet. Even though we have a way to go before it’s fully implemented, Hello can give you a head start.
After an initial two-step verification during enrollment, Hello is set up on your device. Windows asks you to set a gesture, which can be a biometric, such as a fingerprint, or a PIN, which Windows uses through Hello to authenticate users. It works across all Windows 10 devices. Individuals can create a six-digit PIN or a biometric on their personal devices. Unlike the business application, it is not backed by a public/private key or certificate-based authentication, but it’s still more secure than passwords.
PINs provide better security because you still need the device to access websites – or ATMs. Someone may know your number, but unless they have your device or ATM card, they can’t get access.
For businesses, we’ll help you set up Hello for your organization, including setting policies to help you manage access to computers and mobile devices. This will eliminate the practice of employees in an office putting their passwords on sticky notes that they attach to monitors. (Did you ever stop to think that anyone in your cleaning service can empty your data files as easily as they empty your trash cans?)
In our opinion, Hello is the most compelling reason to update your Windows 10 operating system or upgrade from Windows 7 to Windows 10. Again, we can’t over-emphasize that Microsoft will discontinue its technical support for Windows 7 in February 2020, and that will leave security holes in an already out-of-date, obsolete OS.
Windows 10 will step you up to the next level of security and protection and put you on track to take advantage of advances as they happen. Technology changes fast, and security improvements are always significant. Call us – 973-433-6676 – or email us to talk about upgrading to Windows 10 or adding Hello to your personal or business systems.