Posted on 05/03/2025 10:38:56 AM PDT by Openurmind
Microsoft is optimistic that our reliance on passwords is coming to a close.
Microsoft is once again moving closer to a passwordless future.
In a bold step toward embracing passkeys – which uses cryptography to better protect data from hackers and phishing scams – new Microsoft accounts will now be passwordless by default. Instead, the company will issue a prompt to set up passkeys as part of an effort to make the process more secure.
The need to get a better grasp on password protection comes at a time when many big tech companies are pushing to eliminate passwords altogether. Apple rolled out passkeys as part of iOS 16 in 2022, followed by Google, which allows people to sign in to Google and other popular accounts such as Amazon, WhatsApp and PayPal via fingerprint, face scan, PIN or pattern using a device's lock screen.
Now when a new Microsoft user attempts to enter a password and set up a "one time code" on their account, the company will prompt them to sign in with the code instead of the password and then encourage them to enroll a passkey. When they visit again, they'll be prompted to sign in with the passkey – not a password. Meanwhile, existing users can visit their account settings to delete their password.
(Excerpt) Read more at cnet.com ...
“Nope. Anyone can enter passwords. No encryption.”
From MS themselves:
“How are passwords stored in Active Directory?
Passwords stored in AD are hashed. Meaning that once the user creates a password, an algorithm transforms that password into an encrypted output known as a “hash”. Hashes are of fixed size so passwords of different lengths will have the same number of characters. They are designed to be one-way encryption so that once they are coded, no one should be able to break that code (theoretically).”
https://learn.microsoft.com/en-us/answers/questions/848370/salting-and-hashing
Passwords are hashed (one-way encryption) when stored in a database so if your account data is stolen they don't have your password.
When you enter your password what you enter is hashed and compared to the hash in the database to confirm you entered the correct password.
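The salted one-way hashing described above, as an added Python illustration (it is not code from the post, from CNET or from Microsoft): the stored record holds a random salt and a scrypt digest, never the password, and login re-hashes the candidate with the same salt and compares in constant time. The scrypt cost parameters and the record layout `scrypt$<salt>$<hash>` are choices made for this example.

```python
import hashlib
import hmac
import os

# scrypt cost parameters chosen for this example (128 * N * r = 16 MiB of memory);
# a production deployment tunes these to its hardware.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password: str) -> str:
    """Return a self-describing record 'scrypt$<salt_hex>$<hash_hex>'.
    Only the salt and the one-way digest are stored; the password itself is not."""
    salt = os.urandom(16)  # fresh random salt per password: identical passwords get different records
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-hash the candidate with the stored salt and compare digests in constant time."""
    try:
        scheme, salt_hex, digest_hex = record.split("$")
        salt, stored = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record: never accept
    if scheme != "scrypt":
        return False
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                               n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    # compare_digest avoids leaking how many leading bytes matched via timing
    return hmac.compare_digest(candidate, stored)


def demo() -> dict:
    """Constructed walk-through: what a stolen record reveals and how login checks it."""
    password = "correct horse battery staple"
    record = hash_password(password)
    return {
        "plaintext_in_record": password in record,                          # False
        "right_password_accepted": verify_password(password, record),       # True
        "wrong_password_rejected": not verify_password(password.upper(), record),  # True
        "same_password_different_records": hash_password("x") != hash_password("x"),  # True
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point the post makes is visible in `demo()`: a database dump yields salt and digest, and the only way from there to a password is guessing, which the memory-hard scrypt parameters make expensive.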
Uh-huh. I recently navigated this fiasco just to access a shared folder at work.
Train wreck. Great concept, poorly implemented. This on top of security changes affecting ms & google email to take effect in the Fall; I have little hope the latter will be much better.
Somebody please advise as to the predicted disaster which may occur if one loses/replaces their phone.
I made the grave mistake of signing onto HP’s automatic printer ink delivery program, which detects when your ink is low and sends it to you before you need it—NEVER, EVER do this— I loaded in a spare cartridge I bought at the store when I bought the printer, and HP detected that was not a cartridge from the Big Brother program, even though it was a genuine HP cartridge from the store; THEY REMOTELY DISABLED MY PRINTER!!! And when I tried to contact them or access my account, it would not process. I will NEVER own another HP product.
Ever.
“Somebody please advise as to the predicted disaster which may occur if one loses/replaces their phone.”
Even if it will even let you enter it into a field who is going to be able to remember a 256 bit encryption key?
I don’t subscribe to ANY subscription services. It doesn’t matter if it is Hardware, Software or other technology. I use Free Linux Mint and LibreOffice which are all free, but I do give them voluntary donations when I choose to. IMHO.
HP has been bad about this for years... Back when if you opted to load their driver in instead of just trusting MS plug and play drivers the HP software would take over your computer.
And I mean take it over, you would literally have to ask HP before you could do ANYTHING on your computer. Everything you did had an HP popup box you had to deal with before you could go any further.
The printer software would literally commandeer your box as if THEY owned it. You were lucky it didn’t disable your computer also until you satisfied HP...
“I don’t subscribe to ANY subscription services. It doesn’t matter if it is Hardware, Software or other technology. I use Free Linux Mint.”
Same here... No one owns us or our machine.
This has nothing to do with Microsoft.
93% of ALL cybersecurity breaches occur due to phishing. Ninety-three percent... The grand majority of those are stupid simple passwords. Cryptographic keys such as YubiKeys are secure and phishing resistant, because you have to be in physical control of the key for it to work. It requires that you touch a button to activate it. It’s impossible for threat actors to leverage these, and they go elsewhere.
There’s no economy for threat actors when passkeys are adopted universally. The idea is to make it nearly impossible for a threat actor to establish a beachhead by making it impossible to login with a password. This is good practice and should be adopted.
Active Directory professional here. The passwords are stored in AD in a hash, yes, but tools like Mimikatz allow threat actors to get the hash out of the LSASS process on your machine and literally present the hash to login. It’s far and away the most common method to move laterally in a compromised corporate environment.
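Why a passkey is phishing-resistant where a password (or a captured hash) is not, as an added Python simulation that is not from the post or from any vendor: the authenticator signs a one-time server challenge together with the origin the browser is actually on, and the relying party rejects anything signed for another origin or reusing an old challenge. To stay dependency-free, an HMAC key stands in for the asymmetric key pair a real FIDO2/WebAuthn authenticator uses (the real protocol also includes rpId hashes, counters and user-presence flags that are left out here); `example.com` and `login-example.test` are constructed names.

```python
import hashlib
import hmac
import json
import os

# Constructed values for the example: the real site and a look-alike origin.
RP_ID = "example.com"
REAL_ORIGIN = "https://example.com"
LOOKALIKE_ORIGIN = "https://login-example.test"


class ToyAuthenticator:
    """Stands in for a phone or security key: one credential per relying-party ID.
    The HMAC key is a stand-in for the private key that real hardware never exports,
    which is why there is no reusable secret to lift from a logged-in machine."""

    def __init__(self):
        self._creds = {}  # rp_id -> key

    def register(self, rp_id):
        key = os.urandom(32)
        self._creds[rp_id] = key
        return key  # a real authenticator would hand out only the public half

    def has_credential(self, rp_id):
        return rp_id in self._creds  # credentials are scoped: no match, no prompt

    def sign(self, rp_id, challenge, origin):
        # The browser, not the web page, fills in 'origin'; challenge + origin are signed.
        client_data = json.dumps({"challenge": challenge.hex(), "origin": origin},
                                 sort_keys=True).encode()
        sig = hmac.new(self._creds[rp_id], hashlib.sha256(client_data).digest(),
                       hashlib.sha256).digest()
        return {"client_data": client_data, "signature": sig}


class ToyRelyingParty:
    """The web service: issues one-time challenges, checks origin, freshness, signature."""

    def __init__(self, rp_id, origin):
        self.rp_id, self.origin = rp_id, origin
        self._keys, self._pending = {}, {}

    def register_user(self, user, key):
        self._keys[user] = key

    def new_challenge(self, user):
        self._pending[user] = os.urandom(32)
        return self._pending[user]

    def verify(self, user, assertion):
        key = self._keys.get(user)
        challenge = self._pending.pop(user, None)  # each challenge is usable exactly once
        if key is None or challenge is None:
            return False
        data = json.loads(assertion["client_data"])
        if data.get("origin") != self.origin:        # signed for another site: reject
            return False
        if data.get("challenge") != challenge.hex():  # stale or replayed: reject
            return False
        expected = hmac.new(key, hashlib.sha256(assertion["client_data"]).digest(),
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, assertion["signature"])


def _setup():
    auth, rp = ToyAuthenticator(), ToyRelyingParty(RP_ID, REAL_ORIGIN)
    rp.register_user("alice", auth.register(RP_ID))
    return auth, rp


def legitimate_login():
    auth, rp = _setup()
    ch = rp.new_challenge("alice")
    return rp.verify("alice", auth.sign(RP_ID, ch, REAL_ORIGIN))  # True


def relayed_login():
    """A look-alike site forwards the real challenge, but the browser stamps the
    look-alike origin into the signed data, so the real site rejects it."""
    auth, rp = _setup()
    ch = rp.new_challenge("alice")
    return rp.verify("alice", auth.sign(RP_ID, ch, LOOKALIKE_ORIGIN))  # False


def replayed_login():
    """A captured assertion presented a second time fails: the challenge was consumed."""
    auth, rp = _setup()
    ch = rp.new_challenge("alice")
    assertion = auth.sign(RP_ID, ch, REAL_ORIGIN)
    return rp.verify("alice", assertion), rp.verify("alice", assertion)  # (True, False)


if __name__ == "__main__":
    print("legitimate:", legitimate_login())
    print("relayed via look-alike origin:", relayed_login())
    print("replayed assertion:", replayed_login())
```

Contrast this with the password flow the thread describes: a password (or a hash that can be presented as-is) is the same static secret wherever it is typed, so a relayed login succeeds; here the thing that is signed changes with the origin and the challenge, which is the property the "phishing resistant" claim rests on.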
I understand hashing is not foolproof. And there are applications such as Corporate where this might be handy and needed. But this new MS feature should be an opt in feature. They are going to mandate it default across the board with no choice. In other words, they own your machine and you have no choice.
My exact response too. What is a passkey? Doesn't explain in the article.
they’ll be prompted to sign in with the passkey – not a password.
And the difference is???
“This has nothing to do with Microsoft.”
Of course it does... This is MS forcing this feature by default against everyone’s choice.
Of course there is a problem, but it is not the right of MS to claim ownership of your machine and force you to use it whether you want to or not.
And WITHOUT their phone.
“Passwords are hashed (one-way encryption)”
Technically,
Passwords are hashed on the server side. They are not encrypted before being sent.
Any secure site uses https:// (extension of the HTTP communications protocol to support TLS encryption), so the entire transmission is encrypted.
You should never enter anything sensitive on any site that doesn't use it.
A picture is worth a thousand words...
Have you checked out the “Gemini” Protocol? Pretty cool use of TLS Certs for secure end to end connections like is common. But it does it through the wild net and is truly tunneled end to end or it will not even make a connection to the personal servers.
Your last sentence betrays your ire. This isn’t about Microsoft it’s about Windows and software licensing, I’m on board with you on the subscription service crap.
As far as identity goes, which has been my field for 30 years, passwordless is the future and it’s about damn time we’re here. We’ve been fighting passwords since at least 2008, if not earlier, because they’re ALWAYS the first vector of attack for threat actors.
Microsoft isn’t the only entity doing this. Passkeys are available across a lot of financial institutions, government agencies, education establishments, and industrial areas. They are helping to secure environments against the most prevalent threat to any entity: garbage passwords and lazy users.