Almost every year, Microsoft publishes a blog post emphasizing the need to ditch passwords completely and transition to modern forms of authentication such as password-less sign-in and multi-factor authentication (MFA). On World Password Day this year, the company has once again written a piece about this transition and encouraged customers to ditch passwords altogether.
In a blog post, Microsoft's Corporate Vice President, Security, Compliance, Identity, and Management Vasu Jakkal writes that passwords are the most common attack surface for malicious actors and that there are 921 attempts on them every second, a rate that has doubled since last year. Additionally, passwords are hard to remember and keep track of, especially if you're working in a heterogeneous environment.
Last year, the Redmond tech giant rolled out the capability to remove passwords from your Microsoft Account and yesterday, it also partnered with Google and Apple through the FIDO Alliance and the World Wide Web Consortium to develop and support a common password-less standard.
For now, Microsoft is encouraging customers to consider ditching passwords completely and instead using Windows Hello, security keys, and multi-factor and password-less authentication via the Microsoft Authenticator app.
However, if you do intend to keep using passwords in the near future, Microsoft has recommended the use of Password Generator in Microsoft Edge as well as the following criteria for any new password you configure:
- At least 12 characters long
- A combination of uppercase and lowercase letters, numbers, and symbols
- Not a word that can be found in a dictionary, or the name of a person, product, or organization
- Completely different from your previous passwords
- Changed immediately if you suspect it may have been compromised
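The four checkable criteria above can be turned into a policy check that a defender might run before accepting a new password. This is an added example, not code from Microsoft or the article; the sample wordlist and the similarity threshold used to judge "completely different" are assumptions.

```python
import difflib
import string

# Constructed sample of dictionary words and names (an assumption for this example);
# a real deployment would load a full wordlist and a breached-password list instead.
SAMPLE_DICTIONARY = {"password", "sunshine", "microsoft", "contoso", "windows", "alice"}

# Assumption: a candidate whose difflib similarity to a previous password is >= 0.6
# is treated as not "completely different" from it.
SIMILARITY_THRESHOLD = 0.6


def check_password(candidate, previous_passwords=(), dictionary=SAMPLE_DICTIONARY):
    """Return the list of criteria the candidate fails; an empty list means it passes.

    Criteria checked: length >= 12, mix of upper/lower/digit/symbol, not a
    dictionary word or name, and not similar to any previous password.
    """
    failures = []

    if len(candidate) < 12:
        failures.append("length")

    has_upper = any(c.isupper() for c in candidate)
    has_lower = any(c.islower() for c in candidate)
    has_digit = any(c.isdigit() for c in candidate)
    has_symbol = any(c in string.punctuation for c in candidate)
    if not (has_upper and has_lower and has_digit and has_symbol):
        failures.append("character_mix")

    # Strip digits and symbols so that "Sunshine2022!" is still recognised as
    # the dictionary word "sunshine" dressed up with a year and a symbol.
    core = "".join(c for c in candidate if c.isalpha()).lower()
    if core in dictionary:
        failures.append("dictionary_word")

    # "Completely different" is measured as low edit similarity to each old password,
    # which catches the common habit of bumping a digit or swapping one character.
    for old in previous_passwords:
        ratio = difflib.SequenceMatcher(None, candidate.lower(), old.lower()).ratio()
        if ratio >= SIMILARITY_THRESHOLD:
            failures.append("similar_to_previous")
            break

    return failures
```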
The third tip in the list above is rather interesting because last year, the UK government was actually encouraging people to use passwords that are a combination of three random, but real, words. Another interesting approach that Microsoft has recommended is that people should give off-topic answers to security questions to throw off attackers. For example, in a security question about your birthplace, you could answer with "Green". This ensures that even if an attacker has access to some of your basic info, they probably won't be able to answer your security questions. That said, this approach has its own difficulty: remembering the off-topic answers.
Overall, Microsoft has still reiterated that password-less sign-in will soon become the norm so it's better to start adjusting to this new reality right now.