Password1, Password2, Password3 no more: Microsoft drops password expiration rec

Password1, Password2, Password3 no more: Microsoft drops password expiration rec

For many years, Microsoft has published a security baseline configuration: a set of system policies that are a reasonable default for a typical organization. This configuration may be sufficient for some companies, and it represents a good starting point for those corporations that need something stricter. While most of the settings have been unproblematic, one particular decision has long drawn the ire of end-users and helpdesks alike: a 60-day password expiration policy that forces a password change every two months. That reality is no longer: the latest draft for the baseline configuration for Windows 10 version 1903 and Windows Server version 1903 drops this tedious requirement.

The rationale for the previous policy is that it limits the impact a stolen password can have—a stolen password will automatically become invalid after, at most, 60 days. In reality, however, password expiration tends to make systems less safe, not more, because computer users don't like picking or remembering new passwords. Instead, they'll do something like pick a simple password and then increment a number on the end of the password, making it easy to "generate" a new password whenever they're forced to.

In the early days of computing, this might have been a sensible trade-off, because cracking passwords was relatively slow. But these days, with rainbow tables, GPU acceleration, and the massive computational power of the cloud, that's no longer the case—short passwords are a liability, so any policy that makes people favor short passwords is a bad policy. It's better instead to choose a long password and, ideally, multifactor authentication, supplementing the password with a time-based code or something similar.

Read 3 remaining paragraphs | Comments

New Windows 10 build silences Cortana, brings passwordless accounts

New Windows 10 build silences Cortana, brings passwordless accounts

The latest Insider build of Windows 10, 18309, expands the use of a thing that Microsoft has recently introduced: passwordless Microsoft accounts. It's now possible to create a Microsoft account that uses a one-time code delivered over SMS as its primary authenticator, rather than a conventional password.

In the new Windows 10 build, these passwordless accounts can be used for logging into a machine locally. The initial sign-in will use SMS, and it will then prompt you to configure biometric or PIN authentication. Your face, fingerprint, or PIN will be used subsequently. This capability is in all the editions, from Home up to Enterprise. A few previous builds had constrained it to Home only.

While SMS-based authentication has security issues of its own, Microsoft seems to feel that it's a better bet for most home users than a likely insecure password. Removing the Windows login password is part of the company's broader efforts to switch to using a mix of one-time passwords, biometrics, and cryptographic keys.

Read 3 remaining paragraphs | Comments

Microsoft offers completely passwordless authentication for online apps

Article intro image

Applications using Azure Active Directory (AD) to authenticate—a category that includes Office 365, among other things—will soon be able to stop using passwords entirely.

Azure AD accounts can already use the Microsoft Authenticator app for two factor authentication, combining a password with a one-time code. With the new passwordless support, authentication is handled entirely by the app; the app itself represents "something you have," and this is combined with either biometric authentication or a PIN. Passwords have a long, problematic history; while they can be very strong, if suitably long and suitably random, human passwords are often short, non-random, and reused across multiple sites. App-based authentication avoids this long-standing weakness.

Enabling two-factor authentication is just one of the things that organizations can do to improve their security. To that end, Microsoft has extended "Microsoft Security Score," a tool used to assess organizational policy and provide guidance on measures that can be taken to harden an organization against attack. Secure Score already spans Office 365 and Windows security features; to these, Microsoft has added Azure AD, Azure Security Center, and Enterprise Mobility Suite, covering a wider range of settings and options.

Read 2 remaining paragraphs | Comments

Practical passwordless authentication comes a step closer with WebAuthn

Enlarge (credit: Pablo Viojo / Flickr)

The World Wide Web Consortium (W3C) and FIDO Alliance today announced that a new spec, WebAuthn ("Web Authentication") had been promoted to the Candidate Recommendation stage, the penultimate stage in the Web standards process.

WebAuthn is a specification to allow browsers to expose hardware authentication devices—USB, Bluetooth, or NFC—to sites on the Web. These hardware devices enable users to prove their identity to sites without requiring usernames and passwords. The spec has been developed as a joint effort between FIDO, an industry body that's developing secure authentication systems, and W3C, the industry group that oversees development of Web standards.

With WebAuthn-enabled browsers and sites, users can sign in using both integrated biometric hardware (such as the fingerprint and facial-recognition systems that are widely deployed) and external authentication systems such as the popular YubiKey USB hardware. With WebAuthn, no user credentials ever leave the browser and no passwords are used, providing strong protection against phishing, man-in-the-middle attacks, and replay attacks.

Read 3 remaining paragraphs | Comments