Microsoft is Making Windows 10 Passwordless (theverge.com) 247
Microsoft is planning to make Windows 10 PCs work without passwords. From a report: While the company has been working on removing passwords from Windows 10 and its Microsoft Accounts for a number of months now, the next major update to Windows 10 next year will go one step further. You'll soon be able to enable a passwordless sign-in for Microsoft accounts on a Windows 10 device. This means PCs will use Windows Hello face authentication, fingerprints, or a PIN code. The password option will simply disappear from the login screen, if you decide to opt in to this new "make your device passwordless" feature. [...] This will also extend to business users through Azure Active Directory, allowing businesses to go fully passwordless with security keys, the authenticator app, or Windows Hello.
You'd have to be insane to use a "Microsoft accoun (Score:5, Insightful)
You'd have to be insane to use a "Microsoft account". The sheer *thought* of logging in to a Microsoft account and attaching it to your computer makes my skin crawl.
Re:You'd have to be insane to use a "Microsoft acc (Score:5, Insightful)
How is it any different from using your Google or Apple account to sign into your phone?
Re: (Score:3)
I just leave everything unlocked. The devices are for my convenience, not to inconvenience me,
I’ll never use the fingerprint reader. Turns out some of us have fingerprints that can’t be reliably read, no matter how many times we re-register our digits. And when I turn on my computer, I want it ready to go, not waiting for me to log in.
My phone is unlocked for MY safety. If I pass out in the middle of the street (it’s happened) I want the EMTs to be able to both see my medical informat
Re: (Score:2)
re unlocked for safety: my android shows that information even when locked
Re: (Score:3)
I want the EMTs to be able to both see my medical information and to contact my relatives and friends as necessary.
EMTs are not going to mess around with your phone to accomplish either of these things. EMTs will treat your symptoms according to their training until such time as your care is transferred to and accepted by a higher medical authority.
My pedantry aside, your point is taken.
Re: (Score:3)
My phone is unlocked for MY safety. If I pass out in the middle of the street (it's happened) I want the EMTs to be able to both see my medical information and to contact my relatives and friends as necessary.
Get a medic alert bracelet. EMTs (and ER nurses) know to look at those for information. They will not waste time checking you for a cell phone on the off chance it will give them useful information about your condition.
Re: (Score:2)
How is it any different from using your Google or Apple account to sign into your phone?
Neither of them have an uninterrupted 30+ year history of screwing over everyone who trusts them with anything.
Re: (Score:2)
Neither of them have an uninterrupted 30+ year history of screwing over everyone who trusts them with anything.
Except we are talking about accounts which in MS's terms would imply the long standing Hotmail account. Yeah Microsoft has a much longer history of not screwing customers over than Google or Apple.
Re: (Score:2)
And yet, you eat your boogers. Go figure.
Re: (Score:2)
You'd have to be insane to use a "Microsoft account". The sheer *thought* of logging in to a Microsoft account and attaching it to your computer makes my skin crawl.
Why? What's the basis for your unqualified statement? I mean Microsoft Accounts are good enough for Fortune 500 companies, so do you think my gaming PC is somehow going to have more risky material on it than my work computer which handles sensitive information?
Re:Or just too clueless. (Score:5, Insightful)
"Likewise if a plumber could not use a pipe cutter or a bricklayer user a trowel."
Well, they cut pipes and lay bricks and you need 2 people to do that.
And nobody ever asks them to uncut a pipe or make the pipes have a different color, the bricklayer is also never asked if it's possible to make the bricks bigger, when the house is finished.
If the uses and methods are unlimited, the time to learn these will be too, a computer is not a hammer.
Good! (Score:4, Interesting)
For those of us who are even a little tech literate, we always used good passwords by default. For the overwhelming majority of vidiots who can't set the clock on their microwave, this is actually more secure for them.
Re:Good! (Score:5, Insightful)
For those of us who are even a little tech literate, we always used good passwords by default. For the overwhelming majority of vidiots who can't set the clock on their microwave, this is actually more secure for them.
Secure from what? Most people have never given a fuck about logging on in the first place. To them its like having to enter a password when turning on the TV or game console.
Re: (Score:3)
"Secure from what? Most people have never given a fuck about logging on in the first place. To them its like having to enter a password when turning on the TV or game console."
Exactly! And since my computer is connected to my TV where I watch everything, I don't have a password for Windows as well.
Never had. Otherwise, uTorrent couldn't continue to pirate in the background when Windows decides to reboot for one reason or another in the middle of the night.
Re: (Score:2, Insightful)
How is a 4 digit pin better than a password?
Re: (Score:2, Informative)
https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password
Re: (Score:2)
If you think a "secret code" branded "PIN" is in any way different from a "secret code" labelled "password", you really have to be retarded.
Storing "secret codes" as a salted hash is more secure than storing them in plain text, but that doesn't mean they suddenly stop being "secret codes".
This is actually insulting.
Re: (Score:2)
They are different: a PIN would have each digit comprised of a number 0-9, whereas a password would have far more possibilities with numbers, letters and special characters. Either way people are still going to use stupid things like the kid's/spouse's birthday, anniversaries, etc...
Re: (Score:2)
If you think a "secret code" branded "PIN" is in any way different from a "secret code" labelled "password", you really have to be retarded.
Yeah but not as retarded as someone who doesn't read the link and then says something completely irrelevant.
PINs have been hacked!!! (Score:5, Funny)
Re:PINs have been hacked!!! (Score:4, Funny)
I switched to an 8-digit PIN. You won't find that on any 4-digit PIN list!
What are you talking about? I found your numbers in that list TWICE!
Re: (Score:2)
How is a 4 digit pin better than a password?
I use a complex PIN on my Surface Pro, which basically resembles a normal password. Where a TPM is available, the PIN is secured by it.
Additionally, in the event you have your login tied to your MS account (which Windows tries to get you to do by default, so this is probably what most users do), the PIN will be more secure because all authentication is then local to the device.
Re: (Score:2)
For local connections (keyboard to computer), many levels of authentication have implicitly been processed.
The person gained physical access to the building, often with a key, or a key card, someone letting them in the building or a fob.
The person knows which computer to use, and which account to use.
The person then knows the PIN.
Being a simple number it is easier and quicker to log in and also less of a hassle to lock you system when you are not around.
Now Pins will in general suck with network access, because a
Re: (Score:3)
This. They are bastardizing the term "PIN" but it is really just a device-specific password with alphanumeric characters. So in fact they aren't getting rid of passwords at all.
Bad: PIN codes! (Score:2)
...PCs will use Windows Hello face authentication, fingerprints, or a PIN code.
This means it will be less secure, not more since for the large number of devices without support for face or fingerprint recognition you are now reduced to a PIN code which has a limited number of digits all of which must be digits. This is just a subset of the strings allowed for a password which means it is neither passwordless nor more secure.
Re: (Score:2)
For those of us who are even a little tech literate, we always used good passwords by default.
Actually those of us who are tech literate use 2FA, and one of those factors does not have to be a password.
Re:Good! (Score:4, Insightful)
“A human being should be able to change a diaper, plan an invasion, butcher a hog, conn a ship, design a building, write a sonnet, balance accounts, build a wall, set a bone, comfort the dying, take orders, give orders, cooperate, act alone, solve equations, analyze a new problem, pitch manure, program a computer, cook a tasty meal, fight efficiently, die gallantly. Specialization is for insects.”
Robert A. Heinlein
Find a better argument.
sonnets suck (Score:2)
Sonnets suck. Haiku rule:
Fresh break of the day
A lame, heavy sonnet flies
After the haiku
Re: (Score:2)
I love Heinlein's work but "Jack of all trades, master of none" can be bad advice.
i.e. There is a reason a brain surgeon is different from a regular doctor.
That said, it wouldn't hurt to be flexible and more knowledgeable. What was that "recent" story about how Young people can't fix anything [slashdot.org] anymore?
e.g. Everyone should know how to play a musical instrument. There are beautiful mathematics (geometry) in frequencies, chords and music. It is extremely short sighted that music theory and application is no lon
Simple face recognition by camera is not strong (Score:2)
I'm assuming they are using the laptop/desktop camera to unlock via face - that's super easily bypassed by a photo.
It is nice to have alternate login mechanisms (I use an Apple Watch), but especially when Microsoft is logging you into all kinds of accounts that might have sensitive data with that Microsoft login, you want to be more cautious about security - not less.
Re:Simple face recognition by camera is not strong (Score:4, Interesting)
I would instantly reject the two options that would allow logins without my consent and PINs are less secure than a good password.
This whole thing is just Microsoft continuing its "i'm late to the party but I do that too (albeit badly)" attitude to features these days.
Re: (Score:2)
and PINs are less secure than a good password.
Is this ignorance talking?
Password: Stored locally on a drive, or sent to the internet for verification. PIN: Stored in TPM.
Password: Secured by software. PIN: Secured by hardware.
Password: Linked to account, know your password, great I now can use *all* your Windows based devices. PIN: Specific to device.
Password: Any complexity you like.
PIN: Any complexity you like.
Oh, what, you thought PINs had to be 4-digit numbers? Are you talking about a Windows 10 machine or getting money from an ATM?
Re:Simple face recognition by camera is not strong (Score:5, Informative)
I'm assuming they are using the laptop/desktop camera to unlock via face
It requires a 3D mapping capable camera to enable it on Windows. A regular webcam won't work.
Thanks! (Score:2)
It requires a 3D mapping capable camera
Ok, that does make a lot more sense - except how many Windows laptops have that as a feature? Does the Surface even have that currently?
Re:Thanks! (Score:4, Informative)
It requires a 3D mapping capable camera
Ok, that does make a lot more sense - except how many Windows laptops have that as a feature? Does the Surface even have that currently?
Yes, Surface currently has that. Here is a quick list of some other models with it (pretty sure it's not comprehensive): https://www.windowscentral.com/complete-list-laptops-support-windows-hello [windowscentral.com]
Re: (Score:2)
Ok, that does make a lot more sense - except how many Windows laptops have that as a feature? Does the Surface even have that currently?
Many laptops do. If your laptop is a premium device (Dell XPS, HP Spectre, Lenovo Yoga) it is very high on the most likely compatible list. If your desktop computer webcam is 4K it is very likely compatible as well. All Surface devices made since 2015 support it.
Though for webcams it does rule out the cheapies quite conclusively. The cheapest I've seen is the Lilbit for $65 but it's a damn crap webcam almost exclusively designed just for computer login.
Re: (Score:2)
Why would they make a replica instead of just using your face?
After they’ve used the $5 wrench to try to beat your password out of you because they misunderstood when you truthfully told them repeatedly that it was FuckYouPig? They’ll need to 3D print you a new face.
Re: (Score:2)
However, there are much easier ways to get access to your data.
If your drive isn't encrypted then you just mount the data from a different OS (say a Linux boot stick).
If it is, you can still copy the data, and brute force passwords until it has the right key.
Also, given how most crap is now on the cloud, you just need to give a warrant to the company holding the data and get a hold of it that way.
Re: (Score:2)
If your drive isn't encrypted then you just mount the data from a different OS (Say a Linux boot stick)
If it is, you can still copy the data, and brute force passwords until it has the right key.
If you are on a modern device using decent encryption software, the key for the encrypted volume will be stored in a hardware secure enclave (e.g. TPM) or secured by a device key stored in the secure enclave. Removing the drive won't do any good as then you'd need to brute force the key, not the passphrase.
Re: (Score:2)
It looks like he would be really good at Space Quest III
PIN versus password (Score:5, Interesting)
What's the difference between a PIN and a password?
Re: (Score:3)
less security, but greater ease of use I guess?
Seems like a pretty terrible decision.
Re: (Score:2)
Ties in with the Bitlocker maximum password length being 20 characters. Presumably 20 is NSA's hash table limit for AES-128, which is the Bitlocker default.
Re: (Score:3)
less security, but greater ease of use I guess?
Seems like a pretty terrible decision.
You'd be wrong. On Windows 10 a PIN can be as complex as you want up to a maximum of 127 alpha-numeric or symbolic characters. But the other benefits are:
- Tied to the device, not the account. Compromise a PIN and you compromise 1 device. Compromise a password and you have access to all MS devices, online emails, and cloud data.
- Being local a failed attempt doesn't attempt an internet connection to verify if an updated password is available on the MS account. While this connection should be encrypted it's
Re:PIN versus password (Score:5, Funny)
You don't get to choose "password" as your PIN.
Re: (Score:2)
How many people are going to use a separate pin number for each computer? Most likely they'll use the same pin number they use on their bank cards and anything else that requires a pin number.
Re: (Score:2)
Exactly. So now compromising a Windows 10 based home computer will be that much more lucrative - you will also likely get the victim's bank PIN.
Re: (Score:2)
The PIN can't be used for remote login (RDP, SMB, etc.). Also the PIN prompt screen will likely lock out after a small number of failed attempts. You then have to login using the real password, or wait a certain time.
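The trade-off several comments in this thread circle around (a device-local PIN whose every guess has to go through a TPM with a lockout, versus a password whose hash can be copied and cracked offline) can be put into numbers. The block below is an added example, not code from the thread or from Microsoft; the lockout parameters (32 free attempts, then one attempt per 10 minutes of recovery), the 1e9 guesses/second cracking rate and the "half the keyspace on average" model are assumptions chosen for illustration, not measured Windows or TPM defaults.

```python
"""Cost model for guessing a secret: offline hash cracking vs. a PIN that
must be tried through a TPM with anti-hammering.  Added example; the
lockout parameters and guess rates are assumptions for illustration,
not measured Windows or TPM defaults."""

SECONDS_PER_YEAR = 365 * 86400


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of secrets of exactly `length` symbols drawn from `alphabet_size` symbols."""
    return alphabet_size ** length


def expected_guesses(length: int, alphabet_size: int) -> float:
    """On average an attacker hits a uniformly chosen secret halfway through the keyspace."""
    return keyspace(length, alphabet_size) / 2


def offline_crack_seconds(length: int, alphabet_size: int, guesses_per_second: float) -> float:
    """Expected time when the attacker holds the hash (e.g. a copied password
    hash) and verifies guesses locally: nothing rate-limits them."""
    return expected_guesses(length, alphabet_size) / guesses_per_second


def tpm_gated_seconds(length: int, alphabet_size: int, max_tries: int, recovery_seconds: float) -> float:
    """Expected time when every guess must be submitted to a TPM that allows
    `max_tries` failures before locking and then forgives one failure every
    `recovery_seconds`.  Simplified model: the first max_tries guesses are
    free, every later guess costs one recovery interval.  There is no offline
    path because the secret only authorises release of a key sealed in the TPM."""
    n = expected_guesses(length, alphabet_size)
    if n <= max_tries:
        return 0.0
    return (n - max_tries) * recovery_seconds


def pin_length_for_target(alphabet_size: int, target_seconds: float, max_tries: int, recovery_seconds: float) -> int:
    """Smallest PIN length whose expected TPM-gated guessing time reaches `target_seconds`."""
    length = 1
    while tpm_gated_seconds(length, alphabet_size, max_tries, recovery_seconds) < target_seconds:
        length += 1
    return length


if __name__ == "__main__":
    GPU_RATE = 1e9                 # assumption: guesses/s against an unsalted fast hash
    MAX_TRIES, RECOVERY = 32, 600  # assumption: 32 free tries, then one per 10 minutes
    print("6-digit PIN, offline  : %.1e s" % offline_crack_seconds(6, 10, GPU_RATE))
    print("6-digit PIN, TPM-gated: %.1f years"
          % (tpm_gated_seconds(6, 10, MAX_TRIES, RECOVERY) / SECONDS_PER_YEAR))
    print("8-char [A-Za-z0-9] password, offline: %.1f hours"
          % (offline_crack_seconds(8, 62, GPU_RATE) / 3600))
    print("digits needed for 10 years of TPM-gated guessing:",
          pin_length_for_target(10, 10 * SECONDS_PER_YEAR, MAX_TRIES, RECOVERY))
```

Under these assumptions a 6-digit PIN falls in well under a millisecond if its verifier can be taken offline, but takes about nine and a half years when each guess has to pass the TPM, while a random 8-character alphanumeric password cracked offline lasts roughly 30 hours. The PIN's strength is the rate limit, not the entropy; the practitioner's check is therefore whether the PIN really is device-bound (no remote logon path, no exportable verifier), which is exactly the point of contention in the replies above.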
Re: (Score:2)
Oh yes it can!
You tie that pin to an account and a domain.
But you have to know the complete account name and domain name and type it in by hand every time.
Username and pin isn't quite the same. At least this works with Active Directory.
Re: (Score:2)
it's not as if the account and domain name were secret
if you can connect remotely via SMB using only the PIN this is a big security flaw
Re: (Score:2)
Functionally, there needn't be one. My gaming PC at home is configured to use my Microsoft account, but I don't have my Microsoft account's lengthy, randomly-generated password memorized, which made logging in rather tedious, so I configured the PC to instead use a PIN. An alphanumeric PIN. An alphanumeric PIN that simply corresponded to the password I was previously using on that PC. Yay for "better security"?
Re: (Score:2)
And yet for all your silly hairsplitting alphanumeric pins are all over the place.
Re: (Score:2)
There is no such thing as an alphanumeric PIN. Next you'll be saying ATMs don't need to be machines and SUVs aren't actually vehicles.
Not so! ATMs are machines, yes, SUVs are vehicles, yes, PINs are numbers, yes, but there's nothing about numbers that requires they be expressed as Arabic digits ranging from 0 to 9, which is what I suspect has you confused.
For instance, many of us routinely express numbers alphanumerically when we deal with hexadecimal or other base systems that exceed the conventional ten digits used in decimal. And did you see what I just did in that last sentence? I expressed a number textually without any digits whatso
Re: (Score:2)
It's rare that I see someone fail so miserably at throwing an insult. At least have some awareness of the terms you're using before you try to beat someone up with them.
Dunning-Kruger is an effect, not an ailment. People don't "have" it. Besides which, it deals with the psychology of self-assessments, meaning it's entirely irrelevant in a conversation where no self-assessments have been made or provided, let alone any discussion about skill. Moreover, the effect refers to observations that apply at mutually
Re: (Score:2)
A PIN, being numerical, doesn't come with the requirement to have at least three each of lower case, upper case, numeric, punctuation, cyrillic, simplified Chinese, and Assyrian. That makes it much easier for the mobile proles who don't have a keyboard to enter it.
Re: (Score:3)
There is no requirement for the PIN in Windows to be numerical. There is a requirement for it to be between 4 and 127 numbers, letters or symbols in length though. And Windows monitors for patterns, no qwerty, 1234, etc.
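A policy check of the kind the comment above describes (length bounds plus rejection of obvious patterns) is easy to express. The block below is an added example, not Windows' own PIN-policy code: the 4 to 127 length bounds are taken from the comment, while the specific pattern rules (a single repeated character, ascending or descending runs, keyboard-row walks) and the keyboard rows themselves are assumptions for illustration.

```python
"""Illustrative PIN-policy check: length bounds and rejection of trivial
patterns.  Added example, not Microsoft's implementation; the pattern rules
and keyboard rows are assumptions."""

MIN_LEN, MAX_LEN = 4, 127                       # bounds quoted in the thread
KEYBOARD_ROWS = ("1234567890", "qwertyuiop",    # assumed US layout rows
                 "asdfghjkl", "zxcvbnm")


def _is_monotonic_run(s: str) -> bool:
    """True if every adjacent pair steps by the same +1 or -1 code point (1234, dcba)."""
    if len(s) < 2:
        return False
    step = ord(s[1]) - ord(s[0])
    if step not in (1, -1):
        return False
    return all(ord(b) - ord(a) == step for a, b in zip(s, s[1:]))


def _is_keyboard_walk(s: str) -> bool:
    """True if the whole PIN is a contiguous slice of a keyboard row, forwards or backwards."""
    low = s.lower()
    return any(low in row or low in row[::-1] for row in KEYBOARD_ROWS)


def check_pin(pin: str):
    """Return (ok, reason).  Order matters: cheap structural checks first."""
    if not MIN_LEN <= len(pin) <= MAX_LEN:
        return False, "length"
    if len(set(pin)) == 1:
        return False, "repeated character"
    if _is_monotonic_run(pin):
        return False, "sequential"
    if _is_keyboard_walk(pin):
        return False, "keyboard pattern"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample PINs, not real credentials.
    for candidate in ("123", "1111", "1234", "dcba", "qwerty", "7531", "Tr0ub4dor&3"):
        print("%-12s -> %s" % (candidate, check_pin(candidate)))
```

Note what the check does not do: it says nothing about how many guesses the device will accept before locking, which is where a short numeric PIN actually gets its safety margin. Complexity rules like these only stop the handful of PINs an attacker would try first; the lockout is what makes the rest of the keyspace expensive.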
Re: (Score:2)
You don't enter the PIN on the computer, you enter it on your smartphone. The smartphone then communicates with the computer (BT, NFC, whatever) and tells it that you're authenticated. If that communication is implemented properly (certificate based, challenge-response, etc.) this scheme can be very secure and it makes it almost impossible for a remote attacker to break into your account.
Of course, it introduces a weakness for attackers who can physically steal your phone, but then again they could probably
Re: (Score:2)
You don't enter the PIN on the computer, you enter it on your smartphone. The smartphone then communicates with the computer (BT, NFC, whatever) and tells it that you're authenticated.
There are a lot of people who don't know what they are talking about in this comment section, but you're in a league of your own when it comes to being waaaaay off the mark.
You are talking about phone based 2FA, something completely different from a PIN on a Windows device, and something which by necessity actually forces you to set a PIN on a Windows device.
Replacing a bad system with...bad systems (Score:3)
Windows Hello face authentication: A system dependent on el-cheapo webcams with inconsistent features that certainly cannot meaningfully guarantee depth, so a half decent printed image can access it in most cases.
Fingerprints: The best of the lot, but the sorts of fingerprint readers built into computers are also inconsistent with their resolution. I've also had issues with drivers causing Windows to get cranky, and either people will have to have the foresight to register two fingers on each hand, or have an algorithm with enough latitude that its security gets undone.
PIN code: So, a shorter password with a more stringent lockout policy?
Security keys: So, a password that changes at intervals and is set by a third party?
Authenticator app: So, a password delivered via appy-app?
Windows Hello: Didn't we start with this?
Now look, I'm not arguing that these options aren't, at some level at least, ultimately a good thing, if for no other reason than because it puts Windows at parity with the mobile devices most people have grown accustomed to. Used security is going to be more secure than unused security, regardless of how well it ranks with having a password like //Slashd0+4@aIl2C2d@y, even if it doesn't land on a sticky note next to the monitor.
My point is simply that you don't get to call it 'going passwordless' when half the options are still a thing a user types in.
Re: (Score:2)
so a half decent printed image can access it in most cases.
Half decent printed image, with anti-spoofing disabled and a near IR photo looking directly into the camera. Also physical access to the machine and even then probably limited access. Also physical access to the user at some point to take a near infrared photo of the face from up-close.
A hacker in Russia has none of those things unless it's a highly targeted attack. In which case you're probably fucked anyway.
PIN code: So, a shorter password with a more stringent lockout policy?
And presumably no usage on websites whose password database has been hacked.
Security keys/Authenticator: So, a password that changes at intervals and is set by a third party?
Ditto to face and pi
Re: (Score:2)
A system dependent on el-cheapo webcams
I've never seen an el-cheapo webcam compatible with Windows Hello, and I've looked. The cheapest I've found is in the order of $60 and it's a terrible webcam being a specific login based device. Most Hello compatible webcams cost more than my 1TB SSD did.
Re: (Score:2)
Hate to double post but I should correct the rest of your post too.
A system dependent on el-cheapo webcams
I've never seen an el-cheapo webcam compatible with Windows Hello, and I've looked. The cheapest I've found is in the order of $60 and it's a terrible webcam being a specific login based device. Most Hello compatible webcams cost more than my 1TB SSD did. No, images do not work for bypassing the current version of Windows Hello.
PIN code: So, a shorter password with a more stringent lockout policy?
Why is it shorter? PIN codes have the same requirements as passwords. They must be less than 127 numbers letters or
Re: (Score:2)
Passwords are also device specific if you use a local account, not a M$ Spyonme account.
PINs are managed by the TPM, not stored in a password file. If you do use a MS account (which a majority of users probably do, since it tries to get you to use it on first setup), then a PIN is significantly more secure. Because it's also managed by the TPM, your drive can be encrypted, and brute forcing becomes more difficult.
PINs can (and should) be complex, just like a regular password.
There's really little reason not to use a complex pin over a traditional password.
Re: (Score:2)
Passwords are also device specific if you use a local account, not a M$ Spyonme account.
Who uses a local account? What is this, the 90s?
Re: (Score:2)
Pin is set after authenticating and is device specific.
How do you authenticate yourself to set the PIN if your device has no face or fingerprint recognition and the system is truly "passwordless"? Also how many users do you think set separate PINs for each device and don't just reuse the same PIN for all devices?
No thanks. (Score:5, Interesting)
I seem to recall hearing about a court ruling (related to Apple Touch ID) that your biometrics weren't protected by the Fifth Amendment, but a password was.
Re: (Score:2)
...biometrics weren't protected by the Fifth Amendment, but a password was.
When you consider that Microsoft has had NSA back doors into Windows for decades, it should come as no surprise that your security isn't at the top of Microsoft's list of concerns.
Re: (Score:2)
There aren’t THAT many things that you actually need to keep secret.
Re: (Score:2)
True.
But my point is that if such protections were ubiquitous, then nobody would bother to even try.
Also, information secured "between your ears" is still subject to the $5 wrench decryption method [xkcd.com].
If a wetware solution examined your own brain wave patterns and wouldn't allow access to otherwise secured content when you were under duress, then even that decryption approach would be defeated.
Thereby, again, achieving the des
Re: (Score:2)
No thanks. We're eliminating passwords while providing more security, not less security.
5th Amendment? (Score:3)
Re: (Score:2)
If law enforcement can thrust your face in front of your webcam they will just torture the password out of you or set you up, or throw you forever in prison because clearly you're a terrorist.
So if someone damaged my face and fingers (Score:2)
allowing businesses to go fully passwordless?? (Score:2)
What about laptops that are not on a network?
captive portal?
local admin (Non domain) accounts
Other admin users that may only need to login to a system to install stuff?
They just invalidated Active Directory (Score:2)
Just how do biometrics, PIN numbers, and/or face recognition work with AD credentials? We're going to have a horrible time dealing with this.
My Windows 10 Box is already Passwordless (Score:2)
Great (Score:2)
yes, but... (Score:2)
passwordless is a good idea. A really, really good idea. I've been following various schemes for years and tried a couple from back when smartcards were a thing.
So passwordless - yes!
But Microsoft? They're the last people on the planet whom I trust to get this right.
My question is... (Score:2)
...how long will it take for Apple to beat Microsoft to the punch? You mean Apple didn't already have this feature in the works??? Man, shareholders are just going to let Tim Cook ride Apple into the ground.
PIN=Password....kinda (Score:2)
Interestingly, I was able to make my PIN be an alphanumeric value of many characters so....still a password.
fingerprint (Score:2)
Re: (Score:2)
When it prompts to scan my face, I'm going to stand up, unbutton my pants, and spread my asshole for the camera.
Then when I re-authenticate I will simply spread my asshole again for the camera.
We may be passwordless now but we are not giving up assholeless auth
That sounds like you’re using more arsehole, not less.
Re: (Score:2)
We help between 700 and 1000 people eat every week. We also help with disaster relief. People who are hungry or flooded out of their homes need people who do physical work to help them, not someone sitting i