Passcode security


Judy in Texas

Active member
Member
Local time
9:12 PM
Posts
82
OS
Windows 11
Thanks to many respondents on this forum, I have now set up passkeys on my three Hotmail/Outlook accounts on one computer. I have other computers and I am heartened by this MS post:

Will I still be able to sign into outlook with a password in august? - Microsoft Q&A

which seems to say that I will still be able to sign in to my accounts with a password in order to set up passkeys on other/new computers, one of which is in the mail to me. Whew.

I practice good password husbandry. I have no duplicate passwords. My browser does not store the passwords from sites that involve money or important personal information. Want to see my login to Chronicle of the Horse? O.K., have at it, right there in Firefox. The others are on cards stored separately from the computer. It would take a thief who knows me well to find them.

Now that I have set up passcodes for my Microsoft accounts, it seems to me that my only protection is my 4-character PIN. I understand that passcodes will protect my login during transmission of information to other sites, but it seems to me that I now have much poorer security if, say, a laptop is stolen from a motel or even my home.

Once a person breaks the trivial PIN and sets about finding my account, they will see what I see now: a screen that lists all of my MS accounts in bold print and offers one-click access via my "Hello" passkeys.

What am I missing to keep myself safer?

- I can make a longer PIN, but no one seems to be suggesting that.

- I can use a password manager, but it will use a password to sign in.

I would appreciate your advice. Thank you!

My Computers My Computers

  • At a glance

    Windows 11
    OS
    Windows 11
    Computer type
    Tablet
    Manufacturer/Model
    Microsoft Surface 7
  • At a glance

    Windows 11 ProIntel32GNvidia
    Operating System
    Windows 11 Pro
    Computer type
    PC/Desktop
    Manufacturer/Model
    HP Z G9
    CPU
    Intel
    Memory
    32G
    Graphics card(s)
    Nvidia
Windows Hello has protections in place that prevent someone from simply entering all 10,000 4-digit PINs: it would take about 13 years to enter them all, since PIN entry gets disabled for up to 2 hours before more attempts can be made.
 

Note that your Windows PIN and your passkey PIN (stored in Windows Hello) are two separate PINs and can be set independently.

Besides the anti-hammering feature of the Windows PIN, you can also use a fingerprint scanner for authentication with Windows Hello and set a longer/alphanumeric Windows PIN. This way, you can remove the possibility of someone shoulder-surfing your 4-digit PIN and then stealing your machine.

A password manager often has PIN/Windows Hello unlock, so you can use Windows Hello or another separate PIN to unlock it instead of the full password. Password managers can also store passkeys, but this can potentially reduce your security, depending on the password manager and how you protect it.
 

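As an added example (it is not code from anyone in this thread), here is a PowerShell script that checks the two things the replies above rely on, on the local machine: the TPM's anti-hammering (dictionary-attack lockout) state that throttles Hello PIN guesses, and whether a Hello PIN complexity policy (minimum length, required letters/symbols) has been configured. It assumes Windows 11 with a TPM 2.0, run from an elevated PowerShell. The registry path and value names are the documented Windows Hello for Business PIN complexity policy settings and are absent unless a policy has been applied; the meaning of the character-class values (1 = required, 2 = not allowed, 0/absent = allowed) is stated as I recall it from Microsoft's policy documentation, so check it against the current docs before relying on it. The PIN a user actually chose is not readable from the OS; the script only reports what the policy would permit.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the thread. Assumes Windows 10/11 with a TPM 2.0.

function Get-TpmAntiHammeringState {
    # Windows Hello PIN guesses are throttled by the TPM's dictionary-attack logic,
    # not by a software counter. Get-Tpm exposes the current lockout state.
    $tpm = Get-Tpm
    [pscustomobject]@{
        TpmPresent      = $tpm.TpmPresent
        TpmReady        = $tpm.TpmReady
        LockedOut       = $tpm.LockedOut        # TPM currently refusing authorizations
        LockoutCount    = $tpm.LockoutCount     # failed authorizations counted so far
        LockoutMax      = $tpm.LockoutMax       # failures allowed before lockout
        LockoutHealTime = $tpm.LockoutHealTime  # time for the counter to decrement by one
    }
}

function Get-HelloPinPolicy {
    # Documented policy location for Windows Hello for Business PIN complexity.
    # Values exist only when set via GPO/Intune/registry; otherwise the Windows
    # defaults apply (4-digit minimum; letters and symbols allowed, not required).
    $key   = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork\PINComplexity'
    $names = 'MinimumPINLength', 'MaximumPINLength',
             'UppercaseLetters', 'LowercaseLetters', 'SpecialCharacters', 'Digits'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $out = [ordered]@{}
    foreach ($n in $names) {
        $out[$n] = if ($props -and $null -ne $props.$n) { $props.$n } else { $null }
    }
    [pscustomobject]$out
}

function Get-HelloPinFindings {
    $tpm      = Get-TpmAntiHammeringState
    $policy   = Get-HelloPinPolicy
    $findings = @()

    if (-not $tpm.TpmPresent -or -not $tpm.TpmReady) {
        $findings += 'TPM not present/ready: the Hello PIN is not TPM-backed, so TPM anti-hammering is not in effect'
    }
    if ($tpm.LockedOut) {
        $findings += "TPM is currently locked out after $($tpm.LockoutCount) failed attempts"
    }
    if ($null -eq $policy.MinimumPINLength) {
        $findings += 'No PIN length policy: the Windows default minimum (4 digits) is permitted'
    } elseif ($policy.MinimumPINLength -lt 6) {
        $findings += "Policy minimum PIN length is $($policy.MinimumPINLength); consider 6+ or alphanumeric"
    }
    # Character-class values (assumed mapping, see lead-in): 1 = required,
    # 2 = not allowed, 0/absent = allowed. If nothing is *required*, an all-digit
    # PIN is still acceptable to Windows.
    $classes = 'UppercaseLetters', 'LowercaseLetters', 'SpecialCharacters'
    if (-not ($classes | Where-Object { $policy.$_ -eq 1 })) {
        $findings += 'No letter/symbol class is required by policy: an all-digit PIN is allowed'
    }
    if (-not $findings) { $findings += 'No findings' }
    $findings
}

Get-TpmAntiHammeringState | Format-List
Get-HelloPinPolicy        | Format-List
Get-HelloPinFindings
```

On a standalone Windows 11 Pro machine the same policy can be set locally under Computer Configuration > Administrative Templates > System > PIN Complexity in gpedit.msc; after that, Settings will refuse a new PIN that is shorter than the minimum or lacks a required character class, but it does not retroactively change the PIN already in use, so re-set the PIN afterwards.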
Thank you!
 

Microsoft Recall will need to be configured or disabled.
 

echo2446, There is an encyclopedia of great information in this extremely clear post. I have so much going on IRL that I haven't gotten to implement all of what I have learned. I will definitely set up a separate Hello PIN for the laptop we travel with, plus a longer, alphanumeric, Windows PIN for it. I will unravel and apply the information in your third paragraph as I get a chance. I already see, and have posted about, the hazard I see in putting passcodes in a password manager. As I see it, there is also a hazard in using a password for a password manager, but maybe your first sentence of paragraph three will help with that.
 

Complicated passwords and 2FA or a YubiKey are a hundred times better than trusting Windows biometrics.
Windows biometrics (Hello) have been hacked twice now.
The first time by extracting and sending the "open" signal on the TPM chip, and also by sending a false webcam signal for face recognition...
The second time through the hardware firmware, to make all fingerprints register as the right one... even a screen pen for touchscreens opened Windows and bypassed BitLocker and all.

I wonder what the third hack will be. :-)
 

Any recs for fingerprint scanners? I've looked at them on Amazon, and there's the usual Chinese stuff and more expensive ones from Kensington. I know you have to take reviews with a grain of salt, but all of them seem to have lots of problems. Also, is it possible to set this up and NOT use it for logons? I would only ever want to use fingerprint or Face ID to do things like unlock password managers. I would continue to use my password to log on, much like I do on my iPhone, with a 6-digit PIN to unlock and then Face ID for apps. Apple's iCloud Password Manager made me set up a Windows Hello PIN, and I created like a 20-character random alphanumeric one I couldn't possibly use for logons, but it's still a logon method, and I don't know how to remove that capability without deleting the PIN.

As for hacks bypassing BitLocker, my understanding is that has been for Device Encryption and doesn't apply to things like BitLocker passwords and TPM+additional protectors like USB keys. Is this correct?
 

As for hacks bypassing BitLocker, my understanding is that has been for Device Encryption and doesn't apply to things like BitLocker passwords and TPM+additional protectors like USB keys. Is this correct?
I posted in another thread where they showed the last proof of concept on bypassing biometrics.
It is a security researcher from Cisco Talos who shows how it works (patched, so it should be fixed by now), but as I wrote in the other post... IT security is a cat-and-mouse game: what is secure today might not be tomorrow.
And as it is the second time they have bypassed Windows Hello biometrics, there will be a third, and a fourth, and a hundredth.
 

Any recs for fingerprint scanners?
I am using a Chinese metal-cased small portable scanner that I have been very happy with. It's about 2½ years old, and it has shown no signs of breaking, even with me knocking it against things on my desk sometimes. If I put the right fingers on it, it mostly lets me through (except when moist). If I put the wrong fingers on it, it has never let me through.

For false-positive/false-negative reasons, the numbers advertised by the manufacturers are all obviously above the acceptable thresholds, but without independent reviews, they are almost meaningless to me.

more expensive ones from Kensington. I know you have to take reviews with a grain of salt, but all of them seem to have lots of problems.
Based also on the reviews, I think Kensington's models don't seem to fare better on durability, and although there is a warranty, some people seem to have problems with the claims. I personally wouldn't be buying Kensington if my current one ever needs replacement.

I do say, though, if portability is not a concern and buying a more expensive model isn't a problem, the desktop-type scanners (both Kensington and Chinese ones) seem to be more durable and receive better reviews compared to the thumb-type I am using.

Also, is it possible to set this up and NOT use it for logons?
No, biometrics on Windows is tied to Windows Hello, which is backed up with a PIN. To use it, you need to enable unlocking your Windows lock screen with Windows Hello.
 

As for hacks bypassing BitLocker, my understanding is that has been for Device Encryption and doesn't apply to things like BitLocker passwords and TPM+additional protectors like USB keys. Is this correct?
If you watch the reports regarding "breaking" BitLocker encryption with TPM, you'll also notice that nobody has reported such success with pre-boot PINs or additional keys (security key, etc.) enabled.

Realistically, once your computer is booted and at the lock screen, expensive and "limited"-availability forensic tools like Cellebrite will most likely give the person Admin account access, possibly even your own account. If you are concerned about these kinds of tools, available to governments and organized crime, etc., you can further protect yourself by using VeraCrypt to partially protect your more sensitive data. You would probably want to use an encrypting archiver/encryption tool to further protect your individual files as well.

Your Windows PC's data is best protected when turned off, with at least a pre-boot PIN for BitLocker enabled.
 
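The distinction made in the last two replies, TPM-only BitLocker versus TPM plus a pre-boot PIN or startup key, can be checked directly. As an added example (not code from anyone in this thread), the PowerShell script below lists the key protectors on every BitLocker volume, flags any OS volume that unlocks on the TPM alone, and reads the "Require additional authentication at startup" policy that has to be enabled before Windows will let you add a PIN. It assumes Windows 11 Pro or Enterprise with the BitLocker PowerShell module, run elevated; the protector type names come from the BitLocker cmdlets' KeyProtectorType enumeration, and the FVE registry values are the documented storage for that policy.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the thread. Assumes Windows 10/11 Pro/Enterprise
# with the BitLocker PowerShell module, run from an elevated PowerShell.

function Test-PreBootProtector {
    param([string]$Type)
    # Plain 'Tpm' releases the volume key silently at boot, which is exactly what
    # the reported TPM-sniffing attacks exploit. A TPM+PIN or TPM+startup-key
    # variant, or a password protector, requires something the thief of a
    # powered-off machine does not have. Network Unlock is excluded: it is not a
    # user-held secret.
    if ($Type -eq 'Password') { return $true }
    return ($Type -like 'Tpm*' -and $Type -ne 'Tpm' -and $Type -notlike '*Network*')
}

function Get-BitLockerPreBootAudit {
    foreach ($vol in Get-BitLockerVolume) {
        $types   = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
        $preBoot = @($types | Where-Object { Test-PreBootProtector $_ })

        if ("$($vol.VolumeStatus)" -eq 'FullyDecrypted') {
            $finding = 'NOT ENCRYPTED'
        } elseif ("$($vol.ProtectionStatus)" -ne 'On') {
            $finding = 'PROTECTION SUSPENDED/OFF'
        } elseif ($preBoot.Count -gt 0) {
            $finding = 'OK: pre-boot authentication present'
        } elseif ($types -contains 'Tpm') {
            $finding = 'TPM-ONLY: add a PIN or startup key'
        } elseif ("$($vol.VolumeType)" -eq 'Data') {
            $finding = 'Data volume: unlocked via OS volume / auto-unlock; audit the OS volume'
        } else {
            $finding = 'No TPM-bound protector; review'
        }

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType
            VolumeStatus     = $vol.VolumeStatus
            EncryptionMethod = $vol.EncryptionMethod
            Protectors       = ($types -join ', ')
            HasRecoveryPwd   = ($types -contains 'RecoveryPassword')
            Finding          = $finding
        }
    }
}

function Get-BitLockerStartupPolicy {
    # "Require additional authentication at startup" as stored in the registry.
    # For each value: 0 = do not allow, 1 = require, 2 = allow. If the key is
    # absent the policy is not configured and the GUI will not offer a PIN.
    $fve = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        UseAdvancedStartup = $fve.UseAdvancedStartup
        UseTPMPIN          = $fve.UseTPMPIN
        UseTPMKey          = $fve.UseTPMKey
        UseTPMKeyPIN       = $fve.UseTPMKeyPIN
    }
}

Get-BitLockerPreBootAudit  | Format-Table -AutoSize
Get-BitLockerStartupPolicy | Format-List

# To move the OS volume from TPM-only to TPM+PIN, after enabling the policy above
# and confirming the recovery password is backed up somewhere off the machine:
#   $pin = Read-Host -AsSecureString 'New pre-boot PIN'
#   Add-BitLockerKeyProtector -MountPoint 'C:' -TpmAndPinProtector -Pin $pin
```

A volume whose Finding is "OK" will refuse to boot without the PIN or key, so keep the recovery password somewhere you can reach without that PC before adding the protector; the same audit also exposes a volume where protection was suspended for a firmware update and never resumed, which is a common way a "BitLocker-protected" laptop ends up effectively unencrypted.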
No, biometrics on Windows is tied to Windows Hello, which is backed up with a PIN. To use it, you need to enable unlocking your Windows lock screen with Windows Hello.
Thanks, I can stop thinking about fingerprint scanners now. lol

If you watch the reports regarding "breaking" BitLocker encryption with TPM, you'll also notice that nobody has reported such success with pre-boot PINs or additional keys (security key, etc.) enabled.
That's what has irritated me about the reports. They made it sound like "Bitlocker is broken!", but when I looked into them, I thought, "What a bunch of Chicken Littles!" What they did was impressive but ultimately irrelevant to me. I moved from TrueCrypt to Bitlocker in May 2014 when the devs declared the former insecure. That was memorable for me because I use FDE on all my drives, including two sets of bare backup drives. I had like 15 drives to convert. I've only ever used Bitlocker with preboot password or TPM+security key. I take the latter seriously enough to use Aegis Secure Keys, and I bought an extra two to go with my backups.
 

Complicated passwords and 2FA or a YubiKey are a hundred times better than trusting Windows biometrics.
Windows biometrics (Hello) have been hacked twice now.
The first time by extracting and sending the "open" signal on the TPM chip, and also by sending a false webcam signal for face recognition...
The second time through the hardware firmware, to make all fingerprints register as the right one... even a screen pen for touchscreens opened Windows and bypassed BitLocker and all.

I wonder what the third hack will be. :-)

I saw my old post, so I quote myself, as it was so true.
The third one became known as Yellow Key.
 
