In a recent blog post Microsoft announced that as of September 15, 2021 you can completely remove the password from your Microsoft account and instead use the Microsoft Authenticator app, Windows Hello, a security key, or a verification code sent to your phone or email to sign in to Microsoft apps and services.

A long time coming

At first glance this looks like a great idea, and many users will sigh in relief and wait in hope for the next tech giant to take this step. All those that were in favor of this change must have thought: What took them so long?

In 2019 Bret Arsenault, Microsoft’s security chief, explained why the company was eliminating passwords. And in 2020 Microsoft started to enable alternatives for many of its products, such as security keys from Yubico, HID Crescendo, TrustKey, and AuthenTrend.

All these alternatives are a lot more secure and harder to compromise, and we have been advocating them as a second factor in login procedures for ages.

Why get rid of passwords?

Microsoft gives two reasons for this move:

  • Nobody likes passwords (which I can guarantee is not true).
  • They are a prime target for attacks.

One of the reasons nobody likes passwords is that the situation has been made worse by ridiculous and unnecessary rules, such as requiring users to pick passwords that follow composition formulas, or forcing users to change their password every few months. Both practices have been discredited but continue to haunt us. Formulas reduce the number of possible passwords a user can pick from, and regular password resets encourage users to pick passwords that conform to a predictable pattern; both make passwords easier to guess, which is the opposite of what we want.
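To put a number on the first of those claims, here is an added example (not part of the original article) that counts, by inclusion-exclusion, how many passwords of a given length satisfy a "must contain at least one of each required character class" rule and how many bits of keyspace the rule throws away. It assumes the 95 printable ASCII characters split into 26 lowercase, 26 uppercase, 10 digits and 33 symbols (space included), and a chooser who would otherwise pick uniformly at random; the much larger loss from humans converging on predictable patterns is not modelled.

```python
"""Keyspace shrinkage caused by password composition rules (worked example)."""
import math
from itertools import combinations

# Assumed split of the 95 printable ASCII characters into classes.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}
ALPHABET = sum(CLASS_SIZES.values())  # 95


def keyspace(length, required=()):
    """Number of passwords of `length` that contain at least one character
    from every class named in `required`.

    Inclusion-exclusion over the set of required classes that are *missing*:
    strings avoiding a set of classes are counted over the shrunken alphabet,
    with alternating sign by the size of that set.
    """
    required = tuple(required)
    total = 0
    for k in range(len(required) + 1):
        for missing in combinations(required, k):
            remaining = ALPHABET - sum(CLASS_SIZES[c] for c in missing)
            total += (-1) ** k * remaining ** length
    return total


def bits_lost(length, required):
    """Entropy (bits) a uniform chooser loses because of the rule."""
    return math.log2(keyspace(length)) - math.log2(keyspace(length, required))


def main():
    rule = ("lower", "upper", "digit", "symbol")  # the classic 4-class formula
    for n in (8, 12, 16):
        frac = keyspace(n, rule) / keyspace(n)
        print(f"length {n}: {frac:.1%} of all strings pass the rule, "
              f"{bits_lost(n, rule):.2f} bits of keyspace lost")


if __name__ == "__main__":
    main()
```

For a uniform random chooser the loss is a bit over one bit at length 8 and vanishes at longer lengths; the real damage is that people do not choose uniformly, they satisfy the formula with the same few patterns.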

I will agree that the fact that passwords can be guessed makes them a target. But the reasoning here is a bit crooked in my opinion. If the thieves are after my jewellery, sure, I can sell it at the nearest pawn shop. But is that not just shifting their attention elsewhere? Now I have money, and that’s a target too.

Shifting from passwords to biometrics has this same problem many times over. If I swap my password for my fingerprints, my fingerprints become a target. Can I replace my fingerprints if I lose them? What ways will criminals think of to steal them? And what happens when they have them? Talk about re-using the same credentials everywhere…

Expert opinion from Per Thorsheim

Malwarebytes Labs was somewhat divided in our opinions about this news, so we decided to reach out to one of the world’s leading experts on passwords, Per Thorsheim, who tweeted some major concerns about this Microsoft initiative.

Malwarebytes Labs: Per, thank you for your time, can you tell our readers a bit about yourself and how you got so interested in passwords?

Per Thorsheim: I’m Per Thorsheim, and I am the founder and main organizer of PasswordsCon, the first and only global conference dedicated to passwords and digital authentication. By day I work with security for BankID, the digital ID/authentication/signature solution in Norway, operated by vipps.no. My rather obsessive interest in passwords came about when I was working as a penetration tester for PWC, and somewhere pre-Y2K managed to get Domain Admin in less than a day at a Fortune 500 company due to an employee using “Password” as his password.

In December 2010 I ran PasswordsCon for the first time, by invitation from the university here in Bergen, on the west coast of Norway, where I live. (See passwordscon.org for more info.)

Malwarebytes Labs: Is it correct to assume that your major concern is what happens when people lose access to their account for some reason? And would the same objections not also apply if they used one of Microsoft’s passwordless options as a second factor of authentication?

Per Thorsheim: Yes, at the time of writing that is my main concern. Or not exactly, better rephrase that as “when people lose access to their choice of authenticator, and by that lose access to their Microsoft account”. I’ve attempted account recovery with Microsoft before, and I know others who have tried and failed miserably. Account recovery is hard, usually to avoid making the process a prime target for hackers. As a result I’ve seen people just resign and create a new account instead. This can in particular be seen with teenagers and their use of social media such as Instagram, TikTok, and Snapchat. It’s just easier to create a new account and tell your friends you have a new username.

Now that Microsoft allows you to actually REMOVE your password and thus your “something you know” factor, are we only left with options that can be easily stolen or abused in close relationships? Does this make those scenarios easier, as an attacker no longer has to guess or obtain a victim’s password? Are we essentially degrading from passwords to simple 4-, 6- or 8-digit PINs?

I don’t have the answers, but I have to say I am impressed by Microsoft taking this bold step forward.

I’m old enough to have seen tons of different solutions that promised better UX and/or better security, with so many failing miserably. I’ve seen corporate integrations of smartcards, a myriad of two-factor solutions, including the infamous RSA SecurID.

During pen-tests and audits I remember seeing admins removing the need for SecurID OTP and setting the PIN to “123456” or similar for CxO levels and members of the board. “Because they said it was too hard to remember bringing that hardware token with them all the time”.

CxO-level executives also sometimes have personal assistants, who administer the majority of the digital lives of the person they work for. And then there are the shared accounts to handle, like press, booking or helpdesk. That’s just some of the many challenges corporations face these days, where ‘personal’ accounts are not the only types of accounts in existence.

Malwarebytes Labs: What would, in your expert opinion, be a better alternative for abandoning passwords altogether—one that deals with brute force attacks and phishing for passwords?

Per Thorsheim: I honestly do not believe there is a solution available for abandoning passwords. There is no risk analysis justifying their removal, neither is there a cost/benefit analysis.

On the other hand, there are tons of business cases supporting attempts to develop and sell solutions to remove, replace or at least hide passwords for users.

Now that Microsoft provides an option to remove your password for free, I wonder what the REAL cost of doing so will be for us all—and for Microsoft. Only time will tell.

I hope this works for you. I can go on for hours on this, but… 🙂

Malwarebytes Labs: Thank you Per, for your precious time and your valuable insights.

While we still have passwords

Time will tell whether this “bold move” from Microsoft will make for an improvement in security or not. We would like to advise users to think it through before taking their first steps towards the password-less future.

Whether you embrace Microsoft’s passwordless features or not, the fact is that you are likely to be using passwords elsewhere for a long time to come. While that’s still true, one of the best things you can do for your password security is to use a password manager. Not only do they make it easier to create and remember strong passwords, and to avoid password reuse, they also stop us from filling in our credentials on fake (phishing) sites!