Blog

Microsoft announced last week that users can now log in to their accounts without a password, partly because passwords are vulnerable, but it is precisely Microsoft that has broken passwords, says Kyle Rankin, chief security officer (cso) of computer and smartphone manufacturer Purism. Rankin argues that Microsoft’s poor password policies for Active Directory caused users to end up making poor password choices. Through Active Directory, system administrators can manage workstations and enforce policies from a central location. “The first password many people had to remember was the one they used to log into their workstations, so Microsoft’s password policy quickly became the gold standard for passwords everywhere, not just at work,” Rankin said. Active Directory made it easy for organizations to implement Microsoft’s recommendation to change passwords every month or quarter. These Microsoft “best practices,” such as periodically changing passwords and password complexity requirements, allowed users to choose passwords that could be easily guessed by attackers, the Purism CSO continues. “System administrators followed Microsoft’s best practices without question and blamed users, not policies, for bad passwords that resulted,” notes Rankin. He states that many system administrators also applied the same Active Directory password rules to online accounts. However, no consideration was given to the consequences this would have for users and how users would follow these rules. Rankin says there is another reason that Microsoft is opting for a passwordless future. Namely that this future depends on trust in the hardware and supplier of the operating system. For example, Windows 11 requires the presence of a TPM (Trusted Platform Module). “This requirement puts even more control over your hardware in the hands of Microsoft. It’s another step towards making desktops and laptops as limited as phones are,” Rankin warns. “In the name of security and convenience, your computer will be less and less yours.”