I think Microsoft should make people log in with their password once a month.

[+Warwagon MVC]

I think Microsoft should really ask a user for their windows / Microsoft account password once a month to log in. It goes something like this. They sign the user up for a Microsoft account, then they also create an account pin, then proceed to never ask the user for their Microsoft account password again.

 

When the time comes around when they need it, I ask them to enter it and they enter 4 numbers. When I tell them no, that's your pin, what's your password they have zero idea.

 

It should work just like an iPhone. upon restart you can't use your finger print until you authenticate with your pin. You shouldn't be able to use your pin unless you authenticate with your password. Because most people I help always never know their password.

[Joe User]

I think that's a very quick way to reusing poor passwords and keeping sticky notes.

 

It makes much more sense for people to install Microsoft Authenticator and use it for authentication.

 

[+Warwagon MVC]

On 17/09/2021 at 14:42, Joe User said:

I think that's a very quick way to reusing poor passwords and keeping sticky notes.

 

It makes much more sense for people to install Microsoft Authenticator and use it for authentication.

 

That's even worse, I have such LOW faith in the average user. How do they recover if they loose their phone with the authenticator? They are probably too stupid to backup the backup codes. Had someone last week save her Quicken backups to her desktop on her computer. I asked her if she has ever saved them to a flash drive she said no, she just backs them up to her computer.

 

It's also funny when I have to help them get in. They just think they can magically type in a different password and it will work.  Or, that I can magically just reset their password. I'm like uh no, only if your recovery options are in order. Essentially they think I can just hack their account and change their password.

[Joe User]

On 17/09/2021 at 14:43, warwagon said:

That's even worse, I have such LOW faith in the average user. How do they recover if they loose their phone with the authenticator? They are probably too stupid to backup the backup codes. Had someone last week save her Quicken backups to her desktop on her computer. I asked her if she has ever saved them to a flash drive she said no, she just backs them up to her computer.

 

It's also funny when I have to help them get in. They just think they can magically type in a different password and it will work.  Or, that I can magically just reset their password. I'm like uh no, only if your recovery options are in order. Essentially they think I can just hack their account and change their password.

If they lose their phone, they recover with the computer or email. If they lose their computer, they recover with the phone or email or sms. If they lose everything, their password is the least of their worries. 

 

There comes a point where you can't make it any easier for them without sacrificing security. Requiring that they pull out an infrequently used password every 30 days isn't a solution to making them remember that password, it's just going to make them write it on a sticky note.

 

 

[+chaos mage Subscriber²]

I no longer have a password on my account so it'd be difficult to type it in.

[Sir Topham Hatt]

Although the thing I don't like about MS Authenticator is that I have to select the number.

Why?

I already need my thumbprint.

 

While I'm not a huge fan, this is one area Google have right.