Above: Illustration by krulua/123RF

BitDepth#1321 for September 27, 2021

“Nobody likes passwords,” wrote Vasu Jakkal in a blog post released on September 15.

“They’re inconvenient. They’re a prime target for attacks. Yet for years they’ve been the most important layer of security for everything in our digital lives— from email to bank accounts, shopping carts to video games.”

Jakkal would know. She’s the corporate vice president at Microsoft with responsibility for Security, Compliance & Identity.

“We are expected to create complex and unique passwords, remember them and change them frequently, but nobody likes doing that either,” Jakkal wrote.

“In a recent Microsoft Twitter poll, one in five people reported they would rather accidently ‘reply all’— which can be monumentally embarrassing— than reset a password.”

According to Bret Arsenault, Microsoft’s chief information security officer, “Hackers don’t break in, they log in.”

And Arsenault would also know about that, because Microsoft is still grappling with the Nobelium attack on its Exchange servers, which affected the Solarwinds company and led to rolling breaches since 2020 before it was patched.

A Microsoft Power Apps breach was identified in May, which exposed 38 million health records of personally identifiable information across 47 organisations.

The flaw was patched in June.

Good security authentication practice suggests that two factors are best for securing access. That’s distilled into the credo, something you know and something you have.

One less than clunky example of this is the Entrust app used by RBC to secure access to banking accounts.

To log into the system, you must use your user ID, a password and a random number generated by the Entrust app that’s only active for 30 seconds. It takes a bit of nimble finger tapping on a mobile device, but it works once you get the muscle memory down.

Microsoft’s response is a new Authenticator app for Android and iOS which it made available to business customers in March.

The app does what it promises after you’ve set it up on your mobile device.

Logging into a Microsoft account on the desktop offers up a number and sends a notification to the app.

A screen with three possible numbers appears there, and touching the right one authenticates for entry.

As a system, it works pretty seamlessly and the app itself is essentially invisible, but unfortunately there are limitations.

Microsoft’s authenticator doesn’t work with old versions of Office for Windows or Mac, mail services using IMAP or POP, and any Windows version earlier than version 10.

Microsoft isn’t the only game in town for securing systems and devices using another device, nor is it alone in embracing the challenges that current password systems pose for users.

For many users, the constant requirement to unlock phones, tablets and laptops leads to very basic passwords being used to access them.

For others, alternative systems, such as fingerprint readers and facial recognition don’t work properly on the device they own, so they end up falling back on passwords that are too simple.

Apple’s Watch system unlocks devices through Bluetooth proximity and the fingerprint and facial recognition systems on their mobile devices works well.
But there’s still a significant gap between company-mandated security and personal tolerance when it comes to password protection, and let’s just admit it, multi-factor authentication can be painful the way its usually implemented.

Some users rely on password lockers, such as KeePass. Apple has bundled a password locker, Keychain Access, on its Macs for decades, but few users notice or make use of it.

For passwords, which remain a pervasive presence in our lives, I favour long, run-on sentences leavened by capitals and punctuation that are blindingly obvious to me but gibberish to anyone else.

So ‘iloveplayinggolFAtsunset’ is much better than relying on the default ‘password123’ that some people still leave active on their systems.

Start with improving your password game and then consider alternative authentication measures that lighten the password entry burden.