When Windows 10 first appeared on the scene, it already let users set up a PIN instead of a password for signing in. That sign-in method has always been optional, but Microsoft now wants to push PINs ahead of passwords.
The company plans to shake things up with the next version of Windows 10, currently known as 20H1 (released as version 2004). Set to arrive sometime within the next month or two, the update has many surprising changes in store.
Most notable is Microsoft's decision to let users take the password off the sign-in screen entirely in favor of a Windows Hello PIN. But what does it mean for Windows 10 users and for security in general?
Why is Microsoft Switching to PINs?
Passwords are a universal authentication method. You can use them for most devices, apps, websites, and software like Windows. And yet, passwords are not the most secure method of authentication. Many are weak enough to be guessed outright; the rest can be phished, reused from an earlier breach, or attacked offline once a hashed copy leaks from a server.
If a password gets compromised (which is often the case thanks to data breaches), then every device and account that shares it is at risk. For a Microsoft account, that means the attacker has access to everything linked to that account, which, among other things, can include confidential documents, notes, apps, emails, and credit card information.
Meanwhile, a PIN secures only the device you set it up on. Microsoft doesn't sync PINs across devices, doesn't store them on its servers, and never sends them over the network. This is why Microsoft chose to go with this option. Diana Huang, director of engineering for Windows security, explained it further in this post.
She said that passwords are symmetric keys, and "there is always a server which keeps track of your password or the symmetric key." A PIN, by contrast, never leaves the device: it is used locally to unlock an asymmetric key pair, and only the public key is ever registered with the server, so there is no shared secret sitting on the server side to steal.
On devices with a TPM, the key material the PIN protects lives inside the tamper-resistant TPM chip rather than on disk. The TPM also enforces anti-hammering: after a small number of wrong PINs it locks out further attempts for a growing delay, so even a short PIN cannot be brute-forced the way an exported hash can.
Passwords are hashed too, but a hash that an attacker has copied off a server can be attacked offline at billions of guesses per second, with no lockout to slow it down. The situation is different with PINs, as this Microsoft post also explains in detail.
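The contrast above is easier to see in running code. The following is an added example, not code from the article or from Microsoft: it takes a 4-digit PIN and attacks it twice. First as a salted hash the attacker has stolen (the password model, where every guess is free and offline), then through a constructed gate that models the TPM's behavior of keeping the secret inside and locking after a few failures (the real TPM algorithm is not reproduced; the lockout threshold of 5 is an assumption for illustration). The salted-hash helper, the `AntiHammeringGate` class and the PIN `7391` are all constructed for this example.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

PIN_SPACE = 10_000  # every 4-digit PIN, 0000..9999, is enumerable


def salted_hash(pin: str, salt: bytes) -> bytes:
    """Salted SHA-256 of a PIN, the way a server-side verifier might be stored.
    The salt defeats precomputed tables but does nothing against enumeration
    of a tiny keyspace."""
    return hashlib.sha256(salt + pin.encode()).digest()


def crack_offline(target: bytes, salt: bytes) -> Tuple[Optional[str], int]:
    """Offline attack: the attacker holds the hash and salt (e.g. from a breach)
    and tries every 4-digit PIN. Returns (recovered_pin, guesses_made)."""
    for n in range(PIN_SPACE):
        cand = f"{n:04d}"
        if hmac.compare_digest(salted_hash(cand, salt), target):
            return cand, n + 1
    return None, PIN_SPACE


class AntiHammeringGate:
    """Constructed model of a TPM-style authorization gate: the secret never
    leaves the object, every guess has to go through try_pin(), and the gate
    locks after max_failures wrong guesses. Not the TPM's real algorithm."""

    def __init__(self, pin: str, max_failures: int = 5) -> None:
        self._salt = os.urandom(16)
        self._target = salted_hash(pin, self._salt)  # never exported
        self.max_failures = max_failures
        self.failures = 0
        self.locked = False

    def try_pin(self, guess: str) -> bool:
        if self.locked:
            return False
        if hmac.compare_digest(salted_hash(guess, self._salt), self._target):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked = True
        return False


def crack_online(gate: AntiHammeringGate) -> Tuple[Optional[str], int]:
    """Online attack against the gate: the same enumeration, but each guess
    costs one gate attempt and the gate locks long before the keyspace is covered."""
    for n in range(PIN_SPACE):
        cand = f"{n:04d}"
        if gate.try_pin(cand):
            return cand, n + 1
        if gate.locked:
            return None, n + 1
    return None, PIN_SPACE


def demo(pin: str = "7391") -> dict:
    """Run both attacks on the same PIN and report what each attacker got."""
    salt = os.urandom(16)
    offline_pin, offline_guesses = crack_offline(salted_hash(pin, salt), salt)
    gate = AntiHammeringGate(pin, max_failures=5)
    online_pin, online_guesses = crack_online(gate)
    return {
        "offline_recovered": offline_pin,     # "7391": the whole space is cheap
        "offline_guesses": offline_guesses,   # 7392 guesses, a few milliseconds
        "online_recovered": online_pin,       # None: the gate locked first
        "online_guesses": online_guesses,     # 5 guesses, then locked out
        "gate_locked": gate.locked,           # True
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point the numbers make: the 4-digit PIN is not strong on its own. It is only safe because no copy of it, hashed or otherwise, is ever available for an offline attack, and because the hardware that holds it limits guesses. Put that same PIN in a server-side password database and it falls in milliseconds.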
The Advantages and Disadvantages of Using a PIN
PINs are simple, and they aren't a new form of authentication. Even the way Microsoft is now using them, as a local unlock for a device-bound key, isn't a new idea in security.
People used PINs long before the internet became a daily necessity, and they have kept using them since. After all this time, they are still a secure form of authentication because:
- They are stored locally on the device and aren’t transmitted online.
- On devices with a TPM (Trusted Platform Module) chip, the key the PIN unlocks is protected by that hardware, which also rate-limits wrong guesses.
The most significant advantage of a PIN is that no online service can leak it in a data breach, because no service ever holds it. Password-spraying attacks against online accounts can't target it either, for the same reason. Even if the PIN itself is disclosed, the attacker still can't do anything with it without physical access to that specific device.
One of the few ways someone could get into a Windows account protected by a PIN is to watch the owner enter it and then steal the device.
Meanwhile, stealing passwords is routine. Every service that uses one has to store a verifier for it and accept it over the internet, which gives attackers both a place to steal it from and a path to phish it. PINs don't have that problem.
That said, there's still one big caveat. Malware that runs on the device with the user's privileges already has everything the PIN protects: an attacker who controls the machine doesn't need to know the PIN at all. So while the Windows PIN is a much safer sign-in than a password, don't make the mistake of thinking it's infallible. A false sense of safety breeds complacency.
Even though PINs are more secure, Windows 10 users still need to be vigilant and protect their devices from malware and theft.
Does the Future of Passwords Look Bleak?
Not entirely. Despite Microsoft's drive to drop passwords, they're still the most common form of authentication, at least for now. Other methods like fingerprint and face recognition are gaining ground, but they are still far from mainstream.
So for now, insecure or not, passwords remain the top dog of authentication. That doesn't mean people can't stay safe while using them.
Massive data breaches aside, many people can blame their own habits for being hacked. Most people choose common, simple passwords, and many reuse the same password across all their accounts, so a single breach unlocks everything.
Some tools exist and can help alleviate that problem. For example, password managers let people create plenty of complicated passwords without having to remember any of them. They only have to remember one master password. It already solves a lot of the problems associated with passwords.
Password managers aside, it’s also crucial to follow basic cybersecurity practices. It’s essential to avoid threats like phishing attacks. That’s another popular method hackers use to steal passwords.
Moreover, 2FA is becoming more mainstream. Some platforms, Yahoo for example, already offer temporary passcodes in place of passwords. A second factor ensures that a compromised password alone doesn't give cybercriminals easy access to the account.
PINs might be the future for Microsoft, but the rest of the world is still very much in the password camp. So even as Windows moves toward PINs, passwords are still relevant, and so are safe password habits.
Microsoft is pushing Windows sign-in toward PINs, and that's a good thing: a device-bound PIN is a much safer way of securing a device and the Microsoft account on it. That said, passwords won't disappear for the rest of the world, even if the Windows ecosystem goes further without them.