I don’t know a single person who enjoys managing passwords. Given how much of my life is spent online and in various apps, keeping track of it all, ensuring they’re unique and regularly updated – it can quickly become overwhelming for me – and I’m a techie!
Which is why I’m so excited about today’s announcement that now you can remove the password from your Microsoft account and sign in using passwordless methods like Windows Hello, the Microsoft Authenticator mobile app or a verification code sent to your phone or email. This feature will help to protect your Microsoft account from identity attacks like phishing while providing even easier access to the best apps and services like Microsoft 365, Microsoft Teams, Outlook, OneDrive, Family Safety, Microsoft Edge and more. It’s so easy to go passwordless, I encourage everyone check out Vasu’s blog post for more details on how to get started today.
We also know that everyone is on their own passwordless journey, and the world isn’t entirely password-less yet. Which is why we’ve built tools that meet you where you are today and help keep your current passwords secure for other sites. In Microsoft Edge, for example, we have a comprehensive password management system with Password Monitor, password generator and the password health dashboard (1).
Now you can easily set Microsoft Edge to monitor the passwords you use across the web and alert you if one has been compromised, prompting you to update your password. Password generator helps you automatically create strong passwords when you create new accounts online – no more reusing the same password across sites! And the dashboard gives you one place to view your passwords across sites, letting you know if they’re strong enough and whether they’ve been used on other sites. You can also access your Microsoft Edge passwords on the go from the Microsoft Authenticator app when you sign in with your Microsoft account. And all of this is done with your privacy in mind – the underlying technology helps ensure that neither Microsoft nor any other party can learn your passwords while they’re being monitored in Microsoft Edge. If you’re not already using Microsoft Edge, you can learn more here.
Whether you need help managing your passwords more securely and easily or you’re going passwordless across all of your Microsoft apps and services, we have the tools to help keep you and your family safer across your digital world. We look forward to sharing more with you as we continue on the passwordless journey.
1 Password Monitor, password generator and the password health dashboard are available on the latest version of Microsoft Edge. Must be signed into a Microsoft account.
Nobody likes passwords. They’re inconvenient. They’re a prime target for attacks. Yet for years they’ve been the most important layer of security for everything in our digital lives—from email to bank accounts, shopping carts to video games.
We are expected to create complex and unique passwords, remember them, and change them frequently, but nobody likes doing that either. In a recent Microsoft Twitter poll, one in five people reported they would rather accidentally “reply all”—which can be monumentally embarrassing—than reset a password.
But what alternative do we have?
For the past couple of years, we’ve been saying that the future is passwordless, and today I am excited to announce the next step in that vision. In March 2021, we announced that passwordless sign in was generally available for commercial users, bringing the feature to enterprise organizations around the world.
Beginning today, you can now completely remove the password from your Microsoft account. Use the Microsoft Authenticator app, Windows Hello, a security key, or a verification code sent to your phone or email to sign in to your favorite apps and services, such as Microsoft Outlook, Microsoft OneDrive, Microsoft Family Safety, and more. This feature will be rolled out over the coming weeks.
The problem with passwords
My friend, Bret Arsenault, our Chief Information Security Officer (CISO) here at Microsoft likes to say, “Hackers don’t break in, they log in.” That has stuck with me ever since I first heard him say it because it’s so true.
Weak passwords are the entry point for the majority of attacks across enterprise and consumer accounts. There are a whopping 579 password attacks every second—that’s 18 billion every year.
Why are passwords so vulnerable? There are two big reasons.
Except for auto-generated passwords that are nearly impossible to remember, we largely create our own passwords. But, given the vulnerability of passwords, requirements for them have gotten increasingly complex in recent years, including multiple symbols, numbers, case sensitivity, and disallowing previous passwords. Updates are often required on a regular basis, yet to create passwords that are both secure enough and memorable enough is a challenge. Passwords are incredibly inconvenient to create, remember, and manage across all the accounts in our lives.
Forgetting a password can be painful too. I was shocked to learn that nearly a third of people say they completely stop using an account or service rather than dealing with a lost password. That’s not only a problem for the person stuck in the password cycle, but also for businesses losing customers.
To solve these problems and create passwords we can remember, we try and make things easier for ourselves. We often rely on known and personal words and phrases. One of our recent surveys found that 15 percent of people use their pets’ names for password inspiration. Other common answers included family names and important dates like birthdays. We also found 1 in 10 people admitted reusing passwords across sites, and 40 percent say they’ve used a formula for their passwords, like Fall2021, which eventually becomes Winter2021 or Spring2022.
Unfortunately, while such passwords may be easier to remember, they are also easier for a hacker to guess. A quick look at someone’s social media can give any hacker a head start on logging into their personal accounts. Once that password and email combination has been compromised, it’s often sold on the dark web for use in any number of attacks.
Hackers also have a lot of tools and techniques. They can use automated password spraying to try many possibilities quickly. They can use phishing to trick you into putting your credentials into a fake website. These tactics are relatively unsophisticated and have been in play for decades, but they continue to work because passwords continue to be created by humans.
Go passwordless today with a few quick clicks
First, ensure you have the Microsoft Authenticator app installed and linked to your personal Microsoft account.
Next, visit your Microsoft account, sign in, and choose Advanced Security Options. Under Additional Security Options, you’ll see Passwordless Account. Select Turn on.
Finally, follow the on-screen prompts, and then approve the notification from your Authenticator app. Once you’ve approved, you’re free from your password!
If you decide you prefer using a password, you can always add it back to your account. But I hope you’ll give passwordless a try—I don’t think you’ll want to go back.
Learn more about going passwordless
We’ve heard great feedback from our enterprise customers who have been on the passwordless journey with us. In fact, Microsoft itself is a great test case—nearly 100 percent of our employees use passwordless options to log in to their corporate accounts.
You can read more about our passwordless journey in a blog from Joy Chik, Corporate Vice President of Identity, or hear more about the benefits for people using Edge or Microsoft 365 apps from Liat Ben-Zur. To learn more about how Microsoft solutions, such as Microsoft Azure Active Directory and Microsoft Authenticator, are allowing users in organizations to forget their passwords while staying protected, join our digital event Your Passwordless Future Starts Now on October 13, 2021.
Learn more about enabling passwordless sign-in with the Microsoft Authenticator app here.
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.