Microsoft Warns All Users To Delete Passwords—This Is Why

It’s time to hit delete
Microsoft is on a mission to delete your passwords. In just three weeks, the company will delete passwords saved within its Authenticator app, which will just be for passkeys moving forward. But it warns users to delete passwords elsewhere as well.
While Microsoft pushes users to passkeys, it’s not enough. “Even if we get our more than one billion users to enroll and use passkeys, if a user has both a passkey and a password, and both grant access to an account, the account is still at risk for phishing.”
Passwords are weak, they get breached, they’re stolen, and often they’re easily guessed. The news this week that sensitive McDonald’s employment data was accessed by “hackers who tried the password 123456” on an AI system tells you all you need to know.
Unsurprisingly, “123456” tops the NordPass annual list of the worst passwords in use around the world. It’s closely followed by “123456789,” “12345678” and “password.”
Microsoft says with passkeys, “we can truly replace passwords with something faster, safer, and easier to use. It’s an ambitious vision, but we firmly believe in a phishing-resistant future for all scenarios, including account recovery and bootstrapping.”
Top 10 “worst” passwords.
Per PC World, “security researcher Ian Carroll gained access by logging into an Olivia [AI chatbot] administrator account using ‘123456’ as both the username and password. This gave Carroll access to sensitive information, including the names, addresses, phone numbers, and email addresses of [McDonald’s] job applicants, among other data.”
Unlike user names and passwords, passkeys link account credentials to the device you’re signed into, requiring a device security check (ideally biometric) each time you sign in. This makes it impossible to steal, bypass or even share the authentication.
This is even better than two-factor authentication, which, unlike passkeys, does give you codes that can be intercepted or shared, and that can also increasingly be bypassed. This year we have seen a huge push for users to add passkeys from Microsoft, Google and others. But the majority of accounts still rely on older, weaker security.
Microsoft has gone furthest with its warning to actually delete passwords as well. As the FIDO Alliance told me, “this is an exciting and seminal milestone as Microsoft is taking passwords out of play for over a billion user accounts.”