I have so many problems with the slanted narrative presented in this article. I think I now understand why Microsoft is pushing the end of passwords. My theory:
1) It’s popular.
2) Their perspective is limited to broad-scale user culture. They are ignoring how effective traditional guidance is for the minority of users who care enough to adopt it.
Absent this article’s slanted narrative, the conclusions from the actual facts presented are more appropriately:
1) Yes, password hygiene matters.
2) No, your password strength will not save you if you are going to give it away.
Corrections to the table:
| Attack | User assists attacker by . . . | Does your password matter? |
|---|---|---|
| Credential Stuffing | Reusing passwords. Using poor passwords. | YES – Don’t reuse passwords for accounts you actually care about. YES – The majority of credentials obtained are through database extraction and brute force hash cracking, in which case the author clearly shows password strength matters – a lot. |
| Phishing | Anyone can fall for a good spearphish. However, the majority of phishing is easily overcome with basic awareness. | No – the user gives the password to the attacker, and I’ll point out that MFA is easily overcome in this case as well. |
| Keystroke logging | Clicking links, running as administrator, not scanning for malware. | Irrelevant – you are already compromised. |
| Extortion | Being human. | No – the exact password is disclosed, and absolutely nothing else will protect you in this case either, so I’m not sure why it’s relevant. |
| Password spray | Being lazy. Using common passwords such as 123456 or password. | YES – Don’t use short, lazy, common passwords. |
| Brute force | Using weak passwords. | YES – as clearly shown below, password strength makes all the difference against this common bulk-credential theft vector. |
To be clear, I am not arguing that passwords are the only way. I do use 2FA and do believe we should move to more modern authentication mechanisms. I even applaud Microsoft for their vision and for looking for ways to make secure authentication simple for everyone.
AND I think we should make rational, thoughtful communications about next steps rather than create media hype that subverts today’s good guidance. Contrary to popular belief, passwords are not the root of all evil. They are still necessary, and good password guidance is necessary to follow.
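The table above argues that password strength decides the outcome for three of the rows (credential stuffing via hash cracking, password spray, brute force) and is irrelevant for the rest. The following is an added illustration, not code from the commenter or from the Microsoft article being discussed, that puts rough numbers on those three rows: it estimates the expected offline cracking time of a password from its character set and length, flags passwords that a spray attack would hit from a tiny wordlist, and finds reuse across a set of accounts. The guess rates (1e10/s for a fast unsalted hash, 1e4/s for a slow adaptive hash) and the five-entry common-password list are constructed round-number assumptions for illustration, not measured benchmarks or a real wordlist.

```python
import math
import string
from collections import defaultdict

# Assumed guesses-per-second for offline cracking of a leaked hash database.
# These are illustrative round numbers, not benchmark results.
GUESS_RATES = {
    "fast unsalted hash": 1e10,
    "slow adaptive hash": 1e4,
}

# Constructed stand-in for the wordlists a password-spray attack draws from.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "welcome1"}


def charset_size(password: str) -> int:
    """Estimate the alphabet a password was drawn from (lower/upper/digit/symbol)."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return size


def entropy_bits(password: str) -> float:
    """Naive entropy estimate: length * log2(alphabet). Zero for an empty password."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def is_sprayable(password: str) -> bool:
    """Password-spray row: would a small common-password list hit this password?"""
    return password in COMMON_PASSWORDS


def expected_crack_seconds(password: str, guesses_per_second: float) -> float:
    """Brute-force row: expected time to hit the password by exhaustive search.

    A common password is found after trying the wordlist, regardless of length.
    Otherwise the expected cost is half the keyspace (on average the target is
    found halfway through).
    """
    if is_sprayable(password):
        return len(COMMON_PASSWORDS) / guesses_per_second
    keyspace = charset_size(password) ** len(password)
    return keyspace / 2 / guesses_per_second


def find_reused(credentials: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Credential-stuffing row: map each password used on 2+ accounts to those accounts."""
    by_password = defaultdict(list)
    for account, password in credentials:
        by_password[password].append(account)
    return {pw: accts for pw, accts in by_password.items() if len(accts) > 1}


def report(password: str) -> dict:
    """Summarise one password against the three strength-sensitive rows."""
    return {
        "entropy_bits": round(entropy_bits(password), 1),
        "sprayable": is_sprayable(password),
        "crack_seconds": {
            name: expected_crack_seconds(password, rate)
            for name, rate in GUESS_RATES.items()
        },
    }


if __name__ == "__main__":
    # Constructed sample inputs.
    for pw in ["password", "abcdefgh", "Tr0ub4dor&3", "correct horse battery staple"]:
        print(pw, report(pw))
    sample_accounts = [("bank", "hunter2"), ("forum", "hunter2"), ("mail", "abcdefgh")]
    print("reused:", find_reused(sample_accounts))
```

The slow-hash column is the same keyspace divided by a rate a million times lower, so the ratio between the two columns is constant; the length and alphabet of the password are what move the absolute numbers by orders of magnitude, which is the point the table's "YES" rows are making. The reuse check shows why a strong password still does not help on the credential-stuffing row if it is shared between accounts.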