Tech giant Microsoft is going passwordless, meaning users can completely remove their password from Microsoft accounts.
Passwordless has been a hot topic of conversation as cybercriminals have long exploited weak or stolen passwords to gain access to accounts. Going passwordless means reducing or eliminating the use of passwords by requiring one or more alternative authentication factors when customers and/or employees log in to apps or systems.
In March, Microsoft made passwordless sign-in generally available for commercial users. Now Microsoft users can completely remove the password from their account. Instead, they can use the Microsoft Authenticator app, Windows Hello, a security key, or a verification code sent to their phone or email to sign in apps and services such as Microsoft Outlook, Microsoft OneDrive, Microsoft Family Safety, and more. Microsoft will roll out the feature over the coming weeks.
Weak Passwords Major Entry Point for Cybercriminals
In her blog, Vasu Jakkal, Microsoft‘s corporate vice president of security, compliance and identity, said passwords are too vulnerable.
Microsoft’s Vasu Jakkal
“Weak passwords are the entry point for the majority of attacks across enterprise and consumer accounts,” she said. “There are a whopping 579 password attacks every second. That’s 18 billion every year.”
Passwords are vulnerable for two big reasons, Jakkal said. One, creating those that are both secure enough and memorable enough is a challenge. Passwords are “incredibly inconvenient” to create, remember and manage across all accounts.
Two, forgetting a password can be painful, so people try to create passwords they can remember, relying on known and personal words and phrases, she said.
“Unfortunately, while such passwords may be easier to remember, they are also easier for a hacker to guess,” Jakkal said. “A quick look at someone’s social media can give any hacker a head start on logging into their personal accounts. Once that password and email combination has been compromised, it’s often sold on the dark web for use in any number of attacks.”
Hackers can also use automated password spraying to try many possibilities quickly, she said. They can use phishing to trick you into putting your credentials into a fake website. These tactics are relatively unsophisticated and have been in play for decades, but they continue to work because passwords continue to be created by humans.
Scroll through our slideshove above for cybersecurity experts’ thoughts on Microsoft going passwordless; plus, other cybersecurity news.