January 26, 2025

1 Billion Passwords To Be Replaced—Act Now To Stay Safe – Forbes

Microsoft to replace 1 billion passwords.

Passwords are no longer fit for purpose. That undeniable truth has been evident for some time, but most recently, reports of one billion passwords stolen by malware and lists of the same circulating for sale have brought the realization that something needs to change front and center of the security debate once more. Microsoft is not a stranger to taking bold security decisions, but this could be the boldest yet: replacing passwords for a billion users. Here’s what you need to know.

That Microsoft is pushing for a move away from passwords to passkeys as the preferred authentication technology should come as no surprise, as the tech giant’s desire to go passwordless has hardly been a secret. What has been less evident until now is how that security transition will likely take place. An identity and access management security posting by Microsoft’s group product manager, Sangeeta Ranjit, and principal product manager, Scott Bingham, changed all that. “There’s no doubt about it,” the pair said, “the password era is ending. Bad actors know it, which is why they’re desperately accelerating password-related attacks while they still can.”

And, oh boy, are they. A new breached password report from the Specops Software research team analyzed 1,089,342,532 stolen passwords captured over a 12-month period. Those passwords were compromised by infostealer malware. “Even if your organization’s password policy is strong and meets compliance standards,” Darren James, senior product manager at Specops Software, said, “this won’t protect passwords from being stolen by malware.” This is where Microsoft is stepping in and standing up by pushing the move to passkeys as forcibly as it can.
“Passkeys not only offer an improved user experience by letting you sign in faster with your face, fingerprint, or PIN,” it said, “but they also aren’t susceptible to the same kinds of attacks as passwords.”

The task ahead is not an easy one, though, as Microsoft has conceded. Even if it were to get all one billion plus users to enroll a passkey, that would still likely leave many with a passkey and a password. That both can grant access to the account means, as is pretty apparent, the password compromise risk remains. The ultimate aim, therefore, Ranjit and Bingham said, is to rely on phishing-resistant credentials only and “remove passwords completely.”

First of all, there are the security statistics which, according to Microsoft, include:

Then there is the use of the subtle, and not-so-subtle, nudge in the most secure direction. “The most natural enrollment opportunity is when a user initially creates an account,” Microsoft said, but it also found that nudging users when they weren’t expecting it proved highly effective. “About 25% of users who saw a nudge engaged with it,” Microsoft said, “approximately 24% of users shown a message emphasizing security clicked through while approximately 27% of users shown messaging about speed clicked through.”

What Microsoft isn’t doing with these nudges is letting you permanently opt out of passkey invitations; you can only “skip for now,” so further nudges are to be expected.

“As people become increasingly familiar with the usability and security benefits of passkeys,” the Microsoft managers concluded, “they’ll be more likely to enroll and use them on more sites. Together, we can convince billions and billions of users to enroll passkeys for trillions of accounts!” So, if you see a prompt from Microsoft to replace your passwords with a passkey, you know what to do: jump at the chance to be at the forefront of better security.

Source: https://www.forbes.com/sites/daveywinder/2025/01/24/microsoft-is-replacing-your-password-what-1-billion-users-need-to-do/
