Microsoft announced this week that the company is moving away from passwords. This move may seem sudden, but I was part of a study IBM did back in the 1980s where it was determined that passwords were a significant security exposure and should be eliminated. And here we are nearly four decades later, and finally, a major vendor is getting rid of the damn things.
Let’s talk about Microsoft dumping passwords, and about my hope that Microsoft finally starts a trend everyone else will follow.
Passwords Suck
I’m an ex-Internal Auditor, and even back in the late 80s, when I had that job, passwords were a joke. People would either use super easy-to-discover passwords like “password” or “12345”, or they would use a complex password they couldn’t remember and place it on a sticky on their monitor or a piece of paper in their unlocked desk.
I once audited a CEO who often bragged that my division didn’t understand security but he did, only to find his passwords and the keys to his secure document safe in unlocked desk drawers. This discovery showcased that even senior people who think they have security under control can accidentally put convenience first while putting their company at risk.
2-Factor: The Last Line of Defense
Like most prudent people, I’ve enabled dual-factor authentication on every critical service, and I get nearly monthly alerts that some password or ID I have has shown up on the Dark Web. I use Microsoft’s Chromium Edge browser, and they’ve implemented a feature that flags when a site password has been compromised, and pretty much every password I’ve got has been. Thank heavens for that second factor because that is what is keeping me safe at the moment.
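The browser feature mentioned above flags a saved password that appears in known breach data without handing the password itself to a remote service. As an added illustration (not part of the original column, and not Microsoft's own implementation, which uses its own privacy-preserving protocol), the Python below shows the k-anonymity range-query pattern popularized by Have I Been Pwned's Pwned Passwords API: the client hashes the password locally, sends only the first five hex characters of the SHA-1 digest, receives every matching suffix, and does the final comparison itself. The breach corpus, its counts and the sample passwords are constructed for the demo.

```python
import hashlib
from typing import Dict, Iterable

PREFIX_LEN = 5  # hex characters sent to the server (20 bits of a 160-bit digest)

# Constructed breach corpus: made-up passwords and made-up "times seen" counts.
# It stands in for the server-side dataset; nothing here is real leak data.
_CONSTRUCTED_LEAK = {"password": 9_545_824, "12345": 2_389_013, "letmein": 178_322}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the digest form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Server-side index keyed by full digest (built once at startup in a real service).
BREACH_INDEX: Dict[str, int] = {sha1_hex(p): n for p, n in _CONSTRUCTED_LEAK.items()}


def server_range_lookup(prefix: str) -> Dict[str, int]:
    """Server side: return {suffix: count} for every digest starting with prefix.

    The server only ever sees the prefix, so it cannot tell which of the
    returned candidates (if any) the client actually holds.
    """
    if len(prefix) != PREFIX_LEN or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be %d uppercase hex characters" % PREFIX_LEN)
    return {h[PREFIX_LEN:]: n for h, n in BREACH_INDEX.items() if h.startswith(prefix)}


def what_server_sees(password: str) -> str:
    """The only value that leaves the client: the digest prefix, never the password."""
    return sha1_hex(password)[:PREFIX_LEN]


def client_check(password: str, lookup=server_range_lookup) -> int:
    """Client side: send the prefix, match the suffix locally.

    Returns the breach count; 0 means the password was not in the corpus.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    return lookup(prefix).get(suffix, 0)


def audit(passwords: Iterable[str]) -> Dict[str, int]:
    """Password-manager style health check: report only the breached entries."""
    results = {pw: client_check(pw) for pw in passwords}
    return {pw: n for pw, n in results.items() if n}


if __name__ == "__main__":
    for pw in ("password", "12345", "correct horse battery staple"):
        n = client_check(pw)
        print("%r -> server saw %s -> %s" % (pw, what_server_sees(pw),
              "seen %d times" % n if n else "not in corpus"))
```

The privacy property comes from the split: the server answers a 20-bit question and returns a bucket of candidates, and the client, which already knows the full digest, picks the match. Flagging a reused or breached password this way is a mitigation, not a fix; the column's point stands that the second factor is what actually holds the line once the password is out.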
I can’t begin to imagine how many people, particularly older executives, still have horrid passwords and password practices, and given Internal Audit has been defunded in an impressive number of companies, the first clue that IT will get that these executives have been compromised is when the firm has been breached.
Why Eliminate Passwords?
With dual-factor authentication in place, why eliminate passwords at all? Mainly for two reasons: people reuse them, and not all applications yet require dual-factor authentication. So a password could still be captured from one app that is protected and then used on another that isn’t. In addition, an ID and password can be used to trick support into providing access.
A few years back, a guy wanting my gamer tag called into Microsoft Support and convinced them that he was me with just information he’d pulled off the web. It took me something like six months and a lot of escalations to get that tag returned. If authenticating information can be compromised, it shouldn’t be used at all for authentication.
Given that we know passwords aren’t secure, we should stop using them entirely and get people out of the habit; then we won’t be stuck with a security process that we know is inherently insecure. It would be like having a door with two locks, one secure and one not. The insecure lock doesn’t make you more secure, and there is a risk you might forget and only use the wrong lock. Remove that risk.
Farewell, Cautionary Tales of Stupidity
To a certain extent, I’ll miss passwords because they made easy examples of stupid security policies. I still see reports that companies have been breached due to poor password controls. And all password controls, given that passwords themselves are insecure, are poor. However, because IDs and passwords are required for most apps, it has been virtually impossible to get rid of them. We needed a significant vendor to step up, but until now, no major vendor wanted to take on that role because of how convenient passwords are and the pervasiveness of the practice.
This week, Microsoft did step up, and using tools like their Microsoft Authenticator, set a precedent that may eventually result in the elimination of passwords. While I still have doubts about whether this elimination will happen across all applications in my lifetime, I now hope that before a breach takes out a country, we can finally get rid of the stupidest long-term security practice in the market: passwords.
Further reading: Colonial Pipeline Lessons: Ransomware (and Security) Steps Everyone Should Take