There’s no shortage of security people who will tell you that passwords are broken. It’s also not a coincidence how many of them sell products to supplement or replace passwords. Microsoft just announced that the passwordless future is here. In their announcement they make it clear that passwords are broken, and they should know–they broke them!
This passwordless future requires that Microsoft follow in Apple’s and Google’s footsteps in deciding which software you are allowed to run on your computer. These vendors don’t trust you to manage your own security, instead they want you to hand all trust over to them. Without them in control, they don’t believe your hardware can be trusted and untrusted hardware isn’t allowed to login to the passwordless future. As more vendors follow in Microsoft’s footsteps to implement passwordless logins, they too will anchor their trust in the hardware and ultimately in Microsoft (or Apple or Google). In the name of security and convenience your computer will be less and less your own.
In my talk “Sex, Secret and God: A Brief History of Bad Passwords” (slides here, full talk here, short Ignite-style version here), I elaborate on the history of bad password policy that has led to the problems with passwords we have today, and propose some modern solutions. Something I don’t spend much time discussing in that talk, is just how directly Microsoft is responsible for enabling decades of bad password policy.
Microsoft’s Active Directory, which let IT administrators control workspace computers and enforce policies from a central location, encouraged and enabled the worst aspects of bad password policy. As Microsoft published and updated their password policy “best practices” over the past couple decades, IT administrators could enable them with a few checkboxes and push them down to all employees. One of the first passwords many people ever had to remember was the one to log into their workstation, so these policies quickly became the gold standard for passwords everywhere, not just at work, especially given how often people reused passwords across accounts.
It was Active Directory that made it easy to enforce Microsoft’s recommended monthly or quarterly password rotations. Employees that forgot to rotate their passwords would find themselves locked out of their workstation one morning and have to walk over to the IT department to get their account reset. At one job I sat across from the Windows IT team and whenever I came to work before anyone from that team arrived and saw an employee standing at their cubicle, I knew exactly why they were there.
Each of these “best practices” like ever-increasing password complexity and password rotation I highlight in my talk as examples of what led to users picking bad passwords that were easily guessable by attackers. Administrators followed Microsoft’s best practices without question, and blamed the users, not the policies, for the bad passwords that came out of it. When it came time to extend password policies to online accounts, many administrators simply followed the same so-called “best practices” they used in Active Directory.
These policies were bad because they ignored how difficult they made life for users, and how users would follow these policies, and instead focused mostly on defeating dictionary attacks. If you asked an IT administrator why they were forcing people to add an upper case letter, numbers and a symbol to their passwords, they’d say something about the billions of password guesses it would take to crack such a password.
Attackers on the other hand focused almost exclusively on user psychology. Attackers understood the burden these policies placed on the user, and that if you made something hard for a user, they would pick the path of least resistance. If you asked an attacker about a policy that forced an upper case letter, numbers and a symbol, they’d tell you that the user will just upper-case the first letter of a dictionary word, and add the two numbers and a symbol at the end (something I refer to as a “password mullet”–upper case letter in the front, numbers and symbols in the back). So “password” becomes “Password89!”
The best passwords are truly random strings that are unmemorable, and because you should have a different password for each site you visit, that presents an almost-impossible situation for most people if it weren’t for password managers. With a password manager, you can store large numbers of random passwords in software, and only have to remember the password you use to unlock it.
Of course there still are a few passwords you need to memorize: one to get into your computer to begin with, and another to unlock your password manager. For those I recommend a simple policy: 12 character minimum, no password rotation and no complexity required, and encourage the use of memorable passphrases that are ideally even longer than 12 characters (favorite movie quotes or song lyrics for average threats, Diceware passwords for more serious threats).
This baseline 12-character minimum means folks won’t be tempted to reuse their insecure (but technically complex!) 8-character password mullets from other sites. Since we don’t rotate the password, customers are more likely to pick a strong passphrase since once memorized, they won’t have to throw it away in a month.
Of course even with a reasonable password policy, there’s still a chance someone might be able to guess a password, especially if, on the server side, you don’t add filters that reject passwords that are in public password databases. So that’s where multi-factor authentication comes in. The combination of a reasonably-strong password plus a “something you have” factor such as a USB security token like the Librem Key gives you extra protection even in the case the password gets compromised.
There is an extra reason that Microsoft is moving to a passwordless future. This future depends on anchoring trust in hardware and the vendor who provides the operating system. This passwordless authentication is actually multi-factor. The user uses biometrics to unlock a computer that has already been registered with the authentication service. When unlocked, the hardware will release a secret that it uses to authenticate. Someone who can mimic a user’s biometrics, in theory, wouldn’t be able to login as them without also having possession of their computer.
The security of this solution is anchored in the ability to trust the physical hardware, and the ability to trust the hardware is anchored in the OS vendor, Microsoft, who is providing the signing keys and enforcement software so that only code Microsoft trusts is allowed to run on the OS. This is another reason why Windows 11 will have a dependency on a TPM (Trusted Platform Module, a tamper-resistant chip on a computer that can store keys and perform basic cryptographic operations securely and independently from the main CPU). Knowing that all Windows 11 computers will have a TPM allows them to enforce that all Windows 11 hardware only runs software Microsoft has signed. This is the key to trusting that hardware, and having a trusted place like a TPM to store those secrets is critical.
This requirement puts even more control of your hardware into Microsoft’s hands. It’s another step toward making desktop and laptop computers as restricted as phones. This is the future I described in my recent post The Future of Computers: The Neighborhood and the Nursing Home.
The future of computers will be divided into neighborhoods and nursing homes. In the traditional neighborhoods, residents truly own their property, can repair and improve it themselves (or hire a professional), aren’t constantly under surveillance, and they and their guests can come and go as they please. These residents will control their own security and be able to lock their doors with their own keys. Purism and the free software community at large lives in such a neighborhood, and we are building a future where you can continue to live in that neighborhood whether your computer is a desktop, laptop, phone, or server.
Outside of these neighborhoods there will be a selection of nursing homes owned and controlled by a few wealthy landlords. Residents will have cooking and cleaning done for them, but they will also be under strict rules and surveillance at all hours of the day and told it’s for their own safety and security. Yet the home these residents live in won’t be their own. Their choices, their actions, their lives will be governed by others.
Where do you want to live?
It doesn’t have to be this way. Anchoring trust in something you (and only you) know puts you in control. Passwords are broken only because of bad password policy. With the right tools and the right policy, passwords are still a viable and secure way to authenticate along with strong multi-factor authentication. While these other authentication approaches may have their place, I suspect the motivations behind many of them are less about increasing security, and more about increasing control.