Sorry but you just can NOT push Microsoft crazy marketing ideas and pretend like you know what you are talking about when it comes to security...
This "no passwords" thing you are pushing looks like Microsoft's typical stubborn behavior... like something you pushed in 1995. "Hide extensions of known files" - remember that? IT'S STILL IN WINDOWS BY DEFAULT and it has spawned a whole family of 100s of thousands of all kinds of malware that use it as an entry point into a system. How come no one mentions that security HOLE?
With spear-phishing that is planned right and some MITM, none of your authentication protocols would fare any better than a sole password.
Passwords DO matter, and you can learn to create them, learn how to remember them on your own. There are ways of doing that and being completely secure while never forgetting multiple passwords (yes, PERSONAL pass-phrases are a good solution but not the only one) and NO, you DON'T need a password manager to create or "store" them.
Where did you even get that "good password is only the one generated by password manager"? Are they paying you too?
It would help if Microsoft helped with completely removing limitations like 14 or 16 character passwords (256 character thing is not completely alive yet).
Also, for db extraction, IF you even manage to do it, your "100B hash a second" rig, what is that for? MD5 or Microsoft's "pure" 64 bit "encryption"?
Do 100 000 000 000 hashes a second for SHA-2 512, and what if I decide to salt hashes in DB like most do, while my users have at least 24 character phrases? You'll find it or its duplicate NEVER or in a really expensive big number of years (maybe phone NSA for help), and when you do you'll have to do it all over again.
MFA isn't "additional protection" or protection at all. MITM attacks can be used on it too, it's just an annoyance - for the user, not to mention having to buy Ms's most expensive enterprise E5 version of everything if you want MFA to actually work all the time (not even going to explain it - look it up).
And what kind of HW/SW "protection" is going to protect you if systems used beneath are faulty by default/design?
What am I talking about? Well, TPM decoding and/or storing certificates' PK might sound secure but if certificates that are used utilize something like SHA-1 hashing protocol (designed and proposed by NSA - PROVEN to have BUILT-IN weaknesses, btw reason for all the "joy" of changing them all to SHA-2 a few years ago)
Guess what, SHA-2 was also designed by NSA.
Stop treating us like we are all idiots. No, it is NOT hard to learn to protect yourself. And if your friends call you "geek" or "nerd" for using your mind like a normal human being, maybe find some new friends...