
This World Password Day, Consider Ditching Passwords Completely

Did you know that May 5, 2022 is World Password Day?[1] Created by cybersecurity professionals in 2013 and designated as the first Thursday of every May, World Password Day aims to foster good password habits that help secure our online lives. It might seem odd to have a day set aside to honor something hardly anyone wants to deal with, like having a holiday to file your income taxes (in fact, that might be a good idea). But in today’s world of online work, school, shopping, healthcare, and just about everything else, the security of our accounts is more important than ever. Passwords are not only difficult to remember and track, but they are also one of the most common entry points for attackers. In fact, there are 921 password attacks every second, almost double the frequency of 12 months ago.[2]

But what if you didn’t have to manage passwords at all? Last fall, we announced that anyone can completely remove their Microsoft account password. If you’re like me and are happy to ditch passwords altogether, read on to learn how Microsoft makes it possible to start enjoying a password-free life today. Still, we know that not everyone is ready to say goodbye to passwords, and that’s not possible for all of your online accounts. We’ll also go over some easy ways to improve your password hygiene, as well as some exciting news from our collaboration with the FIDO Alliance on a new way to log in without a password.

Free yourself with a passwordless login

Yes, you can now enjoy secure access to your Microsoft account without a password. Using the Microsoft Authenticator app, Windows Hello, a passkey, or a verification code sent to your phone or email, you can use any of your Microsoft apps and services without a password. Just follow these five steps:

  1. Download and install Microsoft Authenticator (linked to your personal Microsoft account).
  2. Sign in to your Microsoft account.
  3. Choose Security. Below Advanced security options, you will see Passwordless account in the section titled Additional security.
  4. Select Turn on.
  5. Approve the notification from Authenticator.
The Microsoft Authenticator app notification confirming the user's password has been removed.

Once you approve the notification, you will no longer need a password to access your Microsoft accounts. If you decide you’d rather use a password, you can always go back and turn off the no-password feature. At Microsoft, nearly 100% of our employees use passwordless options to sign in to their corporate accounts.

Strengthen security with multi-factor authentication

One simple step we can all take to protect our accounts today is to add multi-factor authentication, which blocks 99.9% of account compromise attacks. The Microsoft Authenticator app is free and offers several authentication options, including one-time passcodes (TOTP), push notifications, and passwordless login, all of which work for any site that supports multi-factor authentication. Authenticator is available for Android and iOS and gives you the option to enable or disable two-step verification. For your Microsoft account, multi-factor authentication is usually only needed the first time you sign in or after changing your password. Once your device is recognized, you will only need your primary sign-in method.

Microsoft Authenticator screen showing different accounts including: Microsoft, Contoso Corporation, and Facebook.

Make sure your password isn’t the weak link

Rather than keeping attackers out, weak passwords often provide a way in. Using and reusing simple passwords across different accounts can make our online lives easier, but it also leaves the door open. Attackers routinely scour social media accounts for birthdates, vacation spots, pet names and other personal information they know people use to create passwords that are easy to memorize, and therefore easy to crack. A recent study found that 68% of people use the same password for different accounts.[3] Once a password and email combination has been compromised, it is often sold on the dark web for use in additional attacks. As my friend Bret Arsenault, our Chief Information Security Officer (CISO) here at Microsoft, likes to say, “Hackers don’t break in, they log in.”

Some basics to remember. Make sure your password is:

  • At least 12 characters.
  • A combination of upper and lower case letters, numbers and symbols.
  • Not a word that can be found in a dictionary, or the name of a person, product or organization.
  • Completely different from your previous passwords.
  • Changed immediately if you believe it may have been compromised.

Tip: Consider using a password manager. Microsoft Edge and Microsoft Authenticator can create (and remember) strong passwords using Password Generator, then autofill them when you access your accounts. Also, keep these other tips in mind:

  • Only share personal information in real time, in person or over the phone. (Watch out for social media.)
  • Beware of messages containing links, especially those that ask for personal information.
  • Beware of messages with attachments, even from people or organizations you trust.
  • Activate the lock function on all your mobile devices (fingerprint, PIN code or facial recognition).
  • Make sure all apps on your device are legit (only from your device’s official app store).
  • Keep your browser up to date, browse in incognito mode and enable the pop-up blocker.
  • Use Windows 11 and enable tamper protection to protect your security settings.

Tip: When answering security questions, provide an unrelated answer. For example, Q: “Where were you born?” A: “Green.” This helps fend off attackers who might use information extracted from your social media accounts to crack your passwords. (Just make sure the unrelated answers are something you’ll remember.)

Passwordless authentication becomes commonplace

In a historic collaboration, the FIDO Alliance, Microsoft, Apple and Google have announced plans to expand support for a common passwordless login standard. Commonly called passkeys, these multi-device FIDO credentials provide users with a platform-native way to quickly and securely log in to any of their devices without a password. Virtually tamper-proof and available on all your devices, a passkey lets you log in simply by authenticating yourself with your face, fingerprint, or device PIN.

In addition to a consistent user experience and enhanced security, these new credentials offer two other compelling benefits:

  1. Users can automatically access their passkeys on many of their devices without having to re-register for each account. Simply authenticate to your platform on your new device and your passkeys will be there, ready to use, protecting you against device loss and simplifying device upgrade scenarios.
  2. With passkeys on your mobile device, you can sign in to an app or service on almost any device, regardless of the platform or browser the device uses. For example, users can sign in on a Google Chrome browser running on Microsoft Windows, using a passkey on an Apple device.

These new features should be available on Microsoft, Apple and Google platforms from next year. This type of Web Authentication (WebAuthn) credential represents a new era of authentication, and we’re excited to join the FIDO Alliance and other industry players in supporting a common standard for a secure and consistent authentication user experience. Learn more about this open standards collaboration and exciting upcoming passwordless features for Microsoft Azure Active Directory in a blog post by Alex Simons, Vice President, Identity Program Management.
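What makes a passkey phishing-resistant and tied to the user's face, fingerprint or PIN is visible in the WebAuthn response the relying party checks. The example below is added here and is not Microsoft's, the FIDO Alliance's or any platform's code; it shows the metadata checks a server performs on a sign-in assertion (origin, challenge, relying-party ID hash, user-verified flag, signature counter). The relying-party ID `example.com` and the sample inputs are constructed placeholders; signature verification over the data is a separate step not shown.

```python
import base64
import hashlib
import json
import struct

RP_ID = "example.com"            # assumed relying-party ID (placeholder)
ORIGIN = "https://example.com"   # assumed origin the browser must report
FLAG_UP = 0x01                   # user present
FLAG_UV = 0x04                   # user verified: face, fingerprint or device PIN

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def parse_authenticator_data(auth_data: bytes) -> dict:
    # Fixed prefix of authenticatorData: rpIdHash(32) | flags(1) | signCount(4, big-endian);
    # struct raises on inputs shorter than 37 bytes.
    rp_id_hash, flags, sign_count = struct.unpack(">32sBI", auth_data[:37])
    return {"rpIdHash": rp_id_hash, "flags": flags, "signCount": sign_count}

def check_assertion(client_data_json: bytes, auth_data: bytes,
                    expected_challenge: bytes, stored_sign_count: int) -> list:
    """Names of failed checks (empty list = metadata acceptable)."""
    problems = []
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        problems.append("type")
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        problems.append("challenge")          # replayed or forged response
    if cd.get("origin") != ORIGIN:
        problems.append("origin")             # a look-alike site cannot forge this
    ad = parse_authenticator_data(auth_data)
    if ad["rpIdHash"] != hashlib.sha256(RP_ID.encode()).digest():
        problems.append("rpIdHash")
    if not ad["flags"] & FLAG_UP:
        problems.append("userPresent")
    if not ad["flags"] & FLAG_UV:
        problems.append("userVerified")       # biometric/PIN gesture was not performed
    # A counter that fails to advance suggests a cloned credential; synced passkeys
    # may legitimately report 0 on every use, which is why 0/0 is accepted.
    if (ad["signCount"] or stored_sign_count) and ad["signCount"] <= stored_sign_count:
        problems.append("signCount")
    return problems

def make_sample(flags: int, sign_count: int, challenge: bytes,
                origin: str = ORIGIN, rp_id: str = RP_ID):
    """Constructed sample inputs for demonstration, not captured from a real authenticator."""
    ch = base64.urlsafe_b64encode(challenge).rstrip(b"=").decode()
    cdj = json.dumps({"type": "webauthn.get", "challenge": ch, "origin": origin}).encode()
    ad = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)
    return cdj, ad
```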

Helping you stay safe all year round

Learn more about Microsoft’s journey to provide passwordless authentication in a blog post by Joy Chik, Corporate Vice President of Identity. You can also read the full guide to setting up your passwordless account with Microsoft, including FAQs and download links. And be sure to visit Security Insider for interviews with cybersecurity thought leaders, news on the latest cyber threats, and more.

To learn more about Microsoft security solutions, visit our website. Bookmark the Security Blog to follow our expert coverage on security issues. Also, follow us on @MSFTSecurity for the latest cybersecurity news and updates.

[1] World Password Day, national holiday calendar.

[2] Based on Microsoft Azure Active Directory (Azure AD) authentication log data, 2022.

[3] US Password Habits 2021, Security.org, October 1, 2021.