back to article It's time to delete that hunter2 password from your Microsoft account, says IT giant

From this week, Microsoft won't require you, or your password manager, to come up with strings of letters, numbers, and special characters forming a silly sentence or a reconfiguration of an ex’s name and birthday to access the Windows giant's services. That is to say, you can delete the password from your Microsoft account, …

  1. Potemkine! Silver badge

    What a nice move: It associates your windows installation with a device linked to a physical, nominative person and which tracks user' moves by GPS. Privacy is so 20th century....

    Connecting anything with a phone is such a brilliant idea: loose it, break it or may the phone be stolen, and then you cannot log to your PC anymore.

    1. ShadowSystems


      What if you use a physical UbiKey to authenticate yourself, but then misplace the danged thing 'cuz yer gettin' old 'n forgetful? Like when you turn the house upside down to find your glasses only to scratch your head in confusion & realize they've been sitting atop your skull the entire time. Only the device is much smaller & easier to misplace. You'll spend hours tearing the house apart, finally give up in frustration, go to get some ice out of the freezer to apply to your throbbing forehead and find the fekkin' thing sitting atop the frozen peas. It's almost like MS is *taunting* Loki & chortling "Do yer worst, ChaosBoy!" What could possibly go wrong? Don't bother answering that one, we all know the favorite reply of Murphy is "Here, let me show you!"

      1. jonathan keith

        Re: Exactly...

        If you're using YubiKey, the advice is that you have two keys, and to keep the second in a safe place as a fallback if you lose your principal key.

        1. Mishak Silver badge

          "in a safe place"

          I know someone who tried that. Had the keys for years, lost the one in daily use and couldn't remember where the "safe place" used for the other was...

          1. Anonymous Coward
            Anonymous Coward

            Re: "in a safe place"

            There's no cure for "stupid" ;)

            1. Charles 9

              Re: "in a safe place"

              We better find one, then, before Stupid takes the rest of us with it...

          2. nonpc

            Re: "in a safe place"

            The answer (as always) to that is to buy/make a replacement and when you go to put in a safe place you find that is where your old one is...

          3. Philip Stott

            Re: "in a safe place"

            Sort of been there and done that.

            I use eWallet as a password manager.

            For a couple of years I used it exclusively on my phone (instead of the desktop version which asks for a password every time), unlocking it with my fingerprint.

            After an update it wouldn't let me unlock with a fingerprint and started asking me for the master password again, which I couldn't remember (it's 16 characters of nonsense).

            It took me a couple of weeks of daily bum-clenching horror that I couldn't remember it, thinking of all the grief it would cause, until (well lubricated on a Friday night) the password hint phrase - Embiggen not TizWoz - I'd set finally made sense

          4. jvf

            Re: "in a safe place"

            Had a spare car key tucked under the fender in a magnetic key holder box for “that occasion”. Locked my key in the car one shopping trip, reached under the fender and felt around where the box used to be. It was shocking how quick and easy it was for a helpful onlooker to unlock the door with a coat hangar.

        2. Snake Silver badge

          Re: YubiKey, et al

          These physical security keys are a horrible idea, in terms of 'absolute' security, that is. By existing as a physical object, did you know that the plod can subpoena the device and if you don't relinquish it you are in contempt of court?

          However, a code - PIN, password, etc. - is personal information and cannot be forced from you. You are free to uphold your rights to silence, to no self-incrimination, and keep the information to yourself. The court has no recourse as this right (speaking as an American) is constitutionally guaranteed.

          1. Charles 9

            Re: YubiKey, et al

            But what if your memory is SO horrible that YOU can't recall that stuff? I have to regularly deal with people with such terrible memories that even "correcthorsebatterystaple" turns into "donkeyenginepaperclipwrong".

            What solutions do you propose for those kinds of people, especially those with no one to look after them?

          2. Anonymous Coward
            Anonymous Coward

            Re: YubiKey, et al

            Reminder called for:


            1. Charles 9

              Re: YubiKey, et al

              I've always pictured two ways this could go wrong:

              - The victim is a kinky masochist and actually likes the wrench.

              - The victim is a total wimp who faints at the mere sight of the wrench, meaning they can never keep him awake long enough to disclose.

      2. Arthur the cat Silver badge

        Re: Exactly...

        Like when you turn the house upside down to find your glasses only to scratch your head in confusion & realize they've been sitting atop your skull the entire time.

        I'm confused. Are you me?

        1. Paul Crawford Silver badge

          Re: Exactly...

          Or me. Or are we all Spartacus?

          1. Anonymous Coward
            Anonymous Coward

            Re: Exactly...

            I broke the dam.

      3. Anonymous Coward
        Anonymous Coward

        Re: Exactly...

        Richard Osman said that he had once been hunting high and low for his mobile without success. He then decided it would be a good idea to phone it to reveal it's hiding place, only to discover the phone he was about to use was the phone he had been looking for... it had been in his hand all the time!

        I had a mate who got to work and discovered he had forgotten/mislaid his pager and kept phoning it while his missus searched the house for it. He was later called by the garage, who had been servicing his car, to say they had ripped out the dash trying to track down a strange intermittent beeping

    2. chuBb.

      No less privacy than logging in to whatever service you need in the first place.

      If your really concerned about privacy get proactive, old phone in drawer root it, install a hardened droid os, keep it in flight mode, only connect to trusted WiFi and only install the authenticator app of choice (preferably side loaded and app store is neutered)

      By and large this is a good thing for Corp it (phishing and rat attacks will be less effective), and power users will bother for personal accounts, aunty Doris will still rely on rover1966 for everything and be shocked and horrified that the nice African Prince she's been emailing is in fact a scam

    3. ACZ

      No GPS required

      You don't have to use the MS authenticator app - Authy, Google Authenticator etc all work as well - IETF RFC 6238, I believe. The only permission that Authy has got on my phone is Camera, so no GPS.

    4. Richard Jones 1

      Or Just Work Where No Mobile Service Works

      The reason for not opting in appears above, juggling with my phone is a total pain in the behind and jumping through other hoops is for the birds, not for me, thank you.

    5. bombastic bob Silver badge

      Connecting anything with a phone is such a brilliant idea: loose it, break it or may the phone be stolen, and then you cannot log to your PC anymore.

      With this, when things go wrong, they go REALLY wrong

      (don't forget to let your phone do credit card account purchases also, so that anyone stealing your phone has more access than if they stole your wallet and forged your identity - and let it stick out of your back pocket while you're at it so that you butt-dial and crack the screen sitting on it, and also make it easier to steal)

  2. LenG

    No MS account

    Are we approaching a point where I will have to have a M$ account just to log into my Windoze desktop machine? Time to start migrating my games to linux ... after all, games are the only good reason to have windoze to start with.

    1. chuBb.

      Re: No MS account

      Bad news that happened with the win 10 creators update 2 years ago, have to jump through quite a few hoops on a fresh win 10 install to create a "limited" local account and not use one linked to azure ad...

      1. LenG

        Re: No MS account

        Last time I installed a fresh WIn 10 (pro), last year, it was easy enough to bypass the M$ account restriction by disconnecting from the internet at the right point. When it cannot reach the M$ servers it allows you to continue with a local account and doesn't demand any change after you reconnect.

        1. bombastic bob Silver badge
          Thumb Up

          Re: No MS account

          nice trick. I have not done a 10 install in a while and I always had to find the right stupid buttons to press in the correct order in order to set up the initial account as a local account. Micros~1 really DOES strong-arm you into using their privacy-violating "cloudy" logon.

          I shall remember this trick in the future, next time I need a fresh Win-10-nic VM. Does it work with 11???

          1. Pedantic

            Re: No MS account


        2. Bartholomew

          Re: No MS account

          As much as Microsoft want you to use their online account they still need to support computers with no direct Internet connection (for now).

          1. Ken Hagan Gold badge

            Re: No MS account

            "(for now)"

            Make that "forever" if they want any share whatsover of the market for industrial IT.

    2. Charlie Clark Silver badge

      Re: No MS account

      Already there and beyond. It's no longer possible to set up Outlook manually for an on premise Exchange – I hate Outlook but need to be able to use it to help the users better.

      1. Anonymous Coward
        Anonymous Coward

        Re: No MS account

        run: outlook.exe /manageprofiles

      2. Jakester

        Re: No MS account

        You can setup manually, but you have modify the registry. This started with Office 2016, probably a programming bug, but even if you click the manual setup box, it would still do a simplified setup that almost always is wrong. Her is the link -

    3. MCG

      Re: No MS account

      What's so bothersome about setting up an MS account? You don't have to give any personal info, not even a mobile number. Too much effort?

      1. seven of five

        Re: No MS account

        Its a matter of principle.

      2. Wade Burchette

        Re: No MS account

        It is none of Microsoft's business -- and by extension neither is it extension Google's, Facebook's, et al business -- what my email address is, what my phone number is, where I am at, what websites I browse, or what I do with the software that I paid for.

      3. bombastic bob Silver badge

        Re: No MS account

        youuuuuuuu've read the EULA, haven't you?

      4. trindflo Bronze badge

        Re: No MS account

        For me it is that they want to be my password manager. That feels way too much like I'm being Borged. I want to buy a product from Microsoft and not have them installing themselves as some bawab. What if they decide I've been naughty and shouldn't be allowed in?

  3. Paul Crawford Silver badge

    So this app is on your phone, which many also use to access their services (yes, even though MS stuff sucks on phones even more than Windows desktop...) so other log-in details are probably saved. So if you have the phone you are probably a 4 digit code, partly smudged on the screen already, away from full access to all MS services?

    And if your phone is lost/stolen, how do you authenticate yourself to assign a new one?

    1. Chris G

      The only windows thing that goes through my phone is Outlook and I intend to keep it that way, I also have a minimum of apps and thode I do have only get the permissions that are absolutely necessary.

      What permissions does the authentification app want on your phone as a matter of interest?

      If this is forced on us, it will be yet another reason to jump ship, why should I need to fire up one device in order to fire up another?

      Doesn't sound much like progress to me.

    2. Anonymous Coward
      Anonymous Coward

      "And if your phone is lost/stolen, how do you authenticate yourself to assign a new one?"

      1) Multiple devices, synced (*). This is easy, I've been doing it for years with the right authenticator app. In the case of Microsoft, you just put Authenticator on your iPad or spare phone or whatever as well as your main phone - they all then beep when you try to sign in anywhere.

      2) Recovery codes. Bit of a pain as you need to store them securely somewhere - either on paper in a safe or in an app that securely syncs (*) or is accessible (*) on different devices. User education ('do not panic!') is quite tricky here.

      3) Rely on your IT admin to be able to reset the access on your account for you. Obvs no cop for personal accounts.

      (* avoiding the subject of how secure, or not, syncing devices across the 'cloud' is etc).

      1. Anonymous Coward

        So I've got to buy a spare phone now. And figure out where to keep it where it can never be stolen.

        Or a safe.

        Thanks for nothing.

      2. Paul Crawford Silver badge

        2) Recovery codes. Bit of a pain as you need to store them securely somewhere

        Good idea, we could always call them a password?

        1. bombastic bob Silver badge

          I use KeepassXC to store things _LIKE_ account numbers and recovery codes and things of that nature (in addition to passwords). It has sections for that kind of thing. The kdbx file is kept in my private source control repo and is copied to several machines.

          don't need it on a phone.

  4. Shak

    There and back again

    So after pushing 2FA for yonks, the advice is to go back to a single factor again?

    Or is this just a fancy system generated password in disguise?

    1. Geoff Campbell Silver badge

      Re: There and back again

      No, this is still 2FA. You need the device with the authenticator App installed, plus a biometric confirmation.


      1. Shak

        Re: There and back again

        Both of which are things you have (vs something you know). But maybe there's some reduction I'm missing.

        1. Charles 9

          Re: There and back again

          Thing is, how can you use something you know when your memory is not reliable enough for one to know anything?

  5. Anonymous Coward
    Anonymous Coward

    A pain in the rear end

    We have this on our work phones.

    Notification comes in.

    Unlock work phone with PIN because it is a Samsung and the fingerprint sensor sucks.

    Enter same PIN used to unlock phone.

    So I end up entering the same PIN twice.

    1. Anonymous Coward
      Anonymous Coward

      Re: A pain in the rear end

      You're holding the phone (first factor: the phone)

      Only you can unlock it (second factor: you)

      = Two factor authentication. Both must be present.

      1. Anonymous Coward

        Re: A pain in the rear end

        It's not two factor, since the PIN or whatever is dependent on the phone. One is not independent of the other.

        If the phone - a single thing - gets compromised then you're up shit creak.

    2. tonique

      Re: A pain in the rear end

      At $work, we are required to use a six-number pin so I have to enter that twice. No, you can't use the fingerprint reader.

    3. FrankAlphaXII

      Re: A pain in the rear end

      Yeah, after my Pixel 2 finally died I wound up saddled with a Samsung and the fingerprint sensor really sucks. I cannot wait to get a Pixel 5a or 6 just to not have to deal with this damned thing's sensor that works maybe 1 time out of 15 attempts. It reminds me of the blood vessel geometry scanners on some SCIF doors that always fucked up when I was in the Army. Or the hellspawn that was our USB fingerprint readers we had to use to biometrically authenticate with if for some reason we weren't using our CAC readers (or if, surprise surprise, the damned Smartcard readers or their firmware broke)

      We use PingID where I work now and before I log in I usually have the phone unlocked so I don't have to screw around with the Biometric nonsense since it hardly ever works.

      The more things change and all.

    4. Anonymous Coward
      Anonymous Coward

      Re: A pain in the rear end

      So I end up entering the same PIN twice.

      I guess you're the sort of person who uses the same password everywhere too though, so you've already failed Basic Security.

      Microsoft don't restrict PINs to being just digits, so for my work PC (which switched to using some of this a while ago) my 'PIN' is a 12 character continuation of the password scheme I was using before which is unique to that machine.

      I don't have to authenticate to log into Windows. (Maybe that's something specific our IT have setup, or maybe that's something coming soon.) I (currently) only need to authenticate when I need to access other work-related resources online that are connected to my Windows account, and there the flow is:

      Enter my account password.

      Unlock my phone with a PIN.

      Tap Approve in the authenticator app.

      Confirm (I know, I know) with my fingerprint. (Or a different PIN.)

      If I don't have my phone handy, there's a button in the login panel that (presumably) gives me other options for authentication.

      1. 42656e4d203239 Silver badge

        Re: A pain in the rear end

        >>Microsoft don't restrict PINs to being just digits

        Surely they shouldn't be called a PIN then?

        After all that's Personal Identification Number, isn't it?

        Surely there is a better term for a 12 character collection of glyphs; how about "Personal Identification Code" or even, shock horror, "Personal Authorisation String Sequence With Only Repetition Denied"?

        I am sure others can come up with a better backronym for PASSWORD but thats a start!

        1. Anonymous Coward

          Re: A pain in the rear end

          I think you need to come up with a backronym for PASSWORDANDNUMBERSANDSPECIALCHARACTERS. ;)

          1. Charles 9

            Re: A pain in the rear end

            How about a solution for people with really bad memories. And I mean SO bad that "correct horse battery staple" doesn't work.

  6. Hubert Cumberdale Silver badge

    What stood out to me from this was the idea of logging in to MS Edge. Two questions: (1) There's little enough privacy on the internet as it is, so why would I ever do that? (2) Who actually intentionally uses Edge (as in, you know, anyone who hasn't been tricked into it by MS because they simply don't know any better)?

    1. Anonymous Coward
      Anonymous Coward

      Answer to #2: anyone whose email still ends with "" and thinks the word "Internet" begins with a big, blue "e".

  7. Chris G

    Looks like one of the developers is reading the comments!

  8. pklausner

    Microsoft is dogfooding their own advice on Azure VM...

    become root w/o any authentication whatsoever

    1. Conor_O

      Re: Microsoft is dogfooding their own advice on Azure VM...

      Kevin Beaumont (@GossiTheDog) has been talking a lot about Azure lately and this is just the latest massive clusterfsck in a list (the first being CosmosDB and then AzureScape). His post also noted the irony:

      "The good thing about #OMIGOD, a vulnerability where no password is needed to remotely execute code on Azure VMs, is MS announced it the same day as going passwordless!"

      That animated gif you linked to illustrates the OMIGOD vulnerability nicely. Don't know the password? Ah sure just leave off the Authentication header in the POST request. Root.

      Not to mention the omiagent user that gets created with no password and a shell of /bin/bash. It also has a sudoers file referencing scripts that are editable by omiagent. Root again.

      Kevin's thread:

  9. Mage Silver badge


    The problem isn't passwords, but bad password management.

    1. Charles 9

      Re: Bonkers

      And the problem with password management is people with poor memories.

      Now was that "correcthorsebatterystaple" or "donkeyenginepaperclipwrong"?

  10. Anonymous Coward
    Anonymous Coward

    password and oldies

    Clearly none of these "ideas people" look after old people. Trying to get them to keep passwords unique is hard enough. Expecting them to now have a mobile phone just to use their home PC is a bit bonkers.

    Security has to fit the users. The oldies I look after get physical address books to keep these kinds of details safe in. It means when they are then ill someone else can pick up and look after their accounts. If everything is locked up in a 2FA phone it will cause huge problems when someone has a stroke. (And most oldies I work with don't even have smart phones)

    I had one like this last year. Thank gawd he had put his passwords into a spreadsheet so his wife could fine them and continue to run the house.

    By having password access on a computer you at least have a fall back access to the machine when someone (and their phone) ends up in hospital.

    1. Richard Jones 1

      Re: password and oldies

      In my mid-seventies, I do not consider I'm an oldie, but you earned an up vote for simple common sense. My wife is seriously ill, looking after her and a disabled daughter's affairs is close to a nightmare anyway. There is no need to make my nightmares worse.

    2. Charles 9

      Re: password and oldies

      "Security has to fit the users. The oldies I look after get physical address books to keep these kinds of details safe in. It means when they are then ill someone else can pick up and look after their accounts."

      That also makes them vulnerable to Evil Maid attacks, which tend to happen a lot with the elderly for that very reason. Watch enough crime shows and you'll see that move turn up.

      1. Ken Hagan Gold badge

        Re: password and oldies

        And the evil maid is probably more aware of how to access the phone than the actual user in those cases.

  11. Cuddles

    When is a password not a password?

    "a verification code sent to your cellphone or email inbox"

    So instead of using a password to log into my MS account, I can instead use a password to log into my email account. I'm not clear how this is supposed to be an improvement, or indeed how it is in any way passwordless.

    Even using a phone doesn't appear to help matters. Sure, it effectively forces 2FA. But requiring unlocking a phone and nothing else must always be worse than unlocking the same phone and also requiring a password. And since unlocking a phone still requires a password, it's simply nonsense to claim it's passwordless. In particular, Android phones (don't know about Apple) require a backup password, so even if you normally use your finger or face to unlock it, there's always a standard password waiting in the wings to be compromised.

    So the whole thing seems completely pointless. There are so many holes and backup options in the system that it will be just as vulnerable as ever to compromise, while being strictly worse than just requiring standard 2FA.

  12. TeeCee Gold badge

    I'm sure that all works a treat when you're trying to log into a machine to find out why it can't get a network connection.

    They have thought of that.......right.....?

    1. Pirate Dave Silver badge

      It's Microsoft. so of course they have considered this scenario.

      However, it's never happened in Redmond, so they've decided it will never happen anywhere and have designed accordingly...

  13. Pirate Dave Silver badge


    "In a Twitter poll, 20 per cent of respondents "

    Ah, so MS is basing their design decisions on Twatter polls now? We are well and truly fucked.

    IT is over, time to turn out the lights.

  14. Jim-234

    So another round of blaming users and passwords.

    How about companies stop being cheap asses about security, so criminals don't keep going in the back door and stealing all the customer information (including passwords) right out of their databases?

    It seems there is no actual punishment for lax security policies at big companies that let criminals walk away with entire databases of hundreds of millions of users and all their passwords and details.

    But oh those same users should have to pay more / jump through more hoops because nobody seems to want to pay to keep their servers properly secure?

    And your "recovery pin" is essentially a password, so when that database is stolen... ??? Let me guess, they will say it's all the users fault..

  15. PaulVD

    But biometric identification is not secure either

    People keep reusing their fingerprints on different sites.

    1. Anonymous Coward
      Anonymous Coward

      Re: But biometric identification is not secure either

      Acknowledge posted in jest - but how is this prevented?

      I bit the bullet and purchased a seperate 2G phone for 2FA in connection with my usable smartphones. Yes, it's a PITA but the 2G phone rarely leaves my house, and the battery lasts a month. If I forget to carry it, and it's needed outside my house, there's an alternative number registered to a 3gG smartphone that I usually carry outside my house, that authenticates a transcation with a unique passcode. This works. WTF is Microsoft trying to do, other than expand their sales of customer data that they can force?

      My debit card is authorised up to £30 per signature/login-free tranaction in supermarkets, my credit card is also authorised up to £100 per transaction and pays commission on payments . - so I use it. It would be dangerous if an unauthorised person got hold of it, but that rather depends on the algorithm before my bank requires a PIN. I cannot see what Microsoft is offering better. Anybody - any suggestions please.

  16. petef

    Good while Authenticator works

    This afternoon my broadband dropped out twice for a few minutes at a time. Openreach are rewiring the cabinet round the corner from me. On both occasions I could not reconnect to my company VPN because Authenticator failed to respond. I reset the phone which seemed to jolt it back into life.

  17. Tron Silver badge


    I hate 2FA with a passion. Clicking the 'I am not a robot' box, counting the tiny thumbnails of tractors and then having to get a text on a dedicated phone just to buy something for two quid on ebay. THIS IS TOO MUCH EFFING AUTHENTICATION.

    Now migrating it to m$? No. Take it and stick it up your back Gates.

    I would rather use Linux. I would rather use Apple. I would rather use an Amiga. I would rather send a fax. I would rather contract an STD.

    Password are fine. Just give idiots and simpletons another option.

    For those with limited comprehension in MS management, that is a NO.

    1. Ken Hagan Gold badge

      Re: F2FA.

      "I would rather contract an STD."

      Hmm. That depends on the means of transmission, surely.

  18. Ace2 Silver badge

    Use an app at $work for this

    The authenticator app is fine, I guess. But if you go and look at its reviews on the App Store, there are hundreds of people on there complaining that they enabled it for their Idiotgram account, but then broke or lost the phone, and found themselves locked out. FOREVER. You have to set up some sort of backup / recovery thing or your account is unrecoverable.

    1. AndrueC Silver badge
  19. Purple-Stater

    Lost & Found Problems

    I'm a hotel manager. My Lost & Found ends up with at least a couple smartphones a month, either left behind in rooms or dropped in the parking lot. Roughly 50% of the owners are able to be identified because they had no sort of security settings on their phone.

  20. oehmsmith

    What about every other site

    The comments have been honing in on MS so far. But their vision of a passwordless future requires all sites are able to participate. Will we use a similar system to OAuth now where we can have a couple big players who "represent" you? I don't use OAuth much as I don't want them building a picture of me. Yes yes I know - the Facebook Javascript on a page i visit gives me away anyway - that is just as evil and must change (I use FaceBook container in Firefox to prevent this tracking). Also these handful of Identity Providers could be a central point of failure.

    SQRL (Squirrel -, is an easy to use, fully secure and anonymous auth system. I have no affiliation excepting being a listener to the Security Now podcast (which I can't recommend enough - - part of the TWIT network).

    1. Charles 9

      Re: What about every other site

      Paul Rogers may have something to say about SQRL.

      Also read this.

  21. hoola Silver badge

    What about MFA?

    I thought that the push has been towards MFS, now unless I have been in asleep for the last few years my understanding is that MFA stands for Multi Factor Authentication.

    Removing one of the forms of authentication and just using an App on an additional device is not Multi Factor, it maybe Multi Device but that is a different issue. Both are likely to be in the same place at the same time and the actual authentication could even be initiated on the very device that is being used.

    To me this looks like a smoke and mirrors thing where, for some reason all sorts of Apps and recognition doohicky bits are perceived to be more secure.

    Surely you need at least one part of the authentication that is dynamic and committed to memory.

  22. Nisseparlemo

    Why is still something we dispute???

    I have been working with IT Security for many years, actually worked for the first Swedish company who publicly announced that they had been hacked. Guess how the intruders got in through our modem pool? (drum roll) ----> Username + static password!

    This was over 30 years ago!

    How come we are still stuck with the same, extremely poor, way to secure our assets?

    The sad fact is that most “people” don’t care about their IT Security, they just want to get on with their day.

    I’d like to compare IT with the car industry.

    When cars were first introduced, there were no rules, no driver’s licenses, no street lights, etc. On top of that you had to make sure you brought spare parts and mechanical knowledge to keep the car going. Plus, of course, not to mention that driving the car was a real danger for both the driver, passengers as well as pedestrians. Who knew if those brakes would function the next time?

    Fast forward to now. Take a modern car with all its security features, a sane driver with a driver’s license following the regulations (keep to the speed limit, follow the street signs, stay in your lane, etc). I would argue that it is extremely difficult to get yourself injured or killed under these circumstances.

    How many people drive around with a driver’s license, an inspected car, air bags, ABS, etc? I’d say the majority is following the rules or “best practices”. Why is that?

    Hmm, maybe because it is illegal to drive without a license?

    Maybe you would fell unsafe driving around in a car without functioning headlights?

    Whatever it is, there is a certain threshold of security we want to see before driving away in a car and this I would call “common sense”. Ever heard of that?

    But, when we talk about security in IT, it seems like we prefer to totally forget about “common sense” and instead just go for the easiest way out. Security is just a hinder.

    But, as the article points out, one of main entry points for successful attacks is through username/passwords, and I cannot understand how we still can argue all day long about how important and vital it is too keep this big vulnerability in our IT systems.

    For elderly people (older than myself  ) the way I have done it is by using common password manager vaults and/or multiple authentication methods. For instance, I have linked both my older relatives devices as well as one of my own devices to their accounts. That way I can help them to log in when needed. And, this is a relief for all of us. Just imagine being able to help your father without having to travel every time!

    Since we are moving towards password-less solutions, the need to remember passwords (and usernames) is going away. I am a big fan of this technology since it truly makes our life more secure and easier (yes, I hear the arguments against easy, but once you are over the hill, the pastures are green. I made it over that hill years and years ago..)

    For myself, I have 100’s of accounts, mixtures of all kinds of logins but I don’t have to remember any password. If the service I log in to only supports username/password, I keep this in my password vault and for the most part enjoy automated login. For all other logins, I am using an app or a physical security key.

    My hope is to one day find that the world has become a safe place!

    1. Anonymous Coward
      Anonymous Coward

      Re: Why is still something we dispute???

      Fine in theory - until Microsoft database is breached - then what?

  23. mdubash

    And if you use a password manager to generate and use long, obscure passwords, will MS insist that you throw that away?

  24. Msitekkie

    But where are all the Windows Hello keyboards?

    Great idea, but where are all the keyboards with Windows Hello support? I have been looking to change over to fingerprint recognition since Windows 10 was launched, but the hardware support, just isn't out there (unless you buy a laptop).

    We have been using fingerprint recognition on our phones now for years and what a convenience boon, especially as banks and password managers are supporting it - another reason people are using PCs less...

    My latest attempt to move in this direction is to buy a really old Microsoft Internet Keyboard Pro with an integral USB port that I can try one of those USB fingerprint readers on - although as it will be hidden round the back, I will probably struggle to get the family to use it. Maybe I can customise the keyboard to fit it in a more prominent position.

  25. Snake Silver badge

    Re: What to do with bad memory?

    Don't give them a computer in the first place :-p If they are THAT bad then constantly having to remind them of what a "mouse" does must grow tiresome indeed.

    1. Charles 9

      Re: What to do with bad memory?

      Yes, but it's also become the ONLY way to check on a lot of important things like bank accounts, medical appointments, and senior benefits...

  26. whitepines
    Big Brother

    Anyone else notice the nice subtle change (at least in some jurisdictions outside Blighty) from a legally protected login key (password) to one that can be legally coerced or stolen (face ID, thumbprint, etc.)?

    Not that it matters much in the face of Microsoft's ability and willingness to sift through its users' data for any purpose in the first place!

  27. nonpc

    Coercive theives are ahead of the game

    I saw a news article very recently that the modern equivalent of marching the vulnerable to the cash point and forcing them to withdraw cash can now be done from the comfort of their home or elsewhere and forcing them to share the authenication codes to allow bank transfers to the criminals interim accounts. Finger scans can be physically forced (although recognition is so variable there can be enforced lockout delays incurred even with normal use).

    What is needed is an emergency authentication pin as well as the normal one, but this one alerts the system that this is an enforced criminal act, appear to allow the transactions through but activates tracking etc, hopefully letting the victim off the hook but catching the bigger fish (or phish)...

    1. Charles 9

      Re: Coercive theives are ahead of the game

      Thing is, duress codes are tricky. Savvy crooks would be aware of these and have ways to coerce you into using the real real code instead of the duress code, such as keeping a hostage.

  28. Adelio

    Thank goodness I never went down the route of creating and using a Microsoft Account. The less information I give them the better,

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like