When Windows 10 first appeared on the scene, it already allowed users to sign in with a PIN instead of a password. That login method has always been optional, but with the next release Microsoft is pushing to make the PIN the primary way to sign in to Windows, and to let users remove the password from the Windows login screen entirely.
The company wants to shake things up with the next version of Windows 10, currently known as 20H1. Set to arrive sometime within the next month or two, the latest update has many surprising changes in store.
Most notable is Microsoft’s decision to move away from passwords in favor of PINs. But what does it mean for Windows 10 users and for security in general?
Why is Microsoft Switching to PINs?
Passwords are a universal authentication method. You can use passwords for most devices, apps, websites, and software like Windows. And yet, passwords are not the most secure method of authentication. Many are weak enough to guess outright, and those that aren’t can still be phished, captured by malware, or cracked offline once a server’s password database leaks.
If a password gets compromised (which is often the case thanks to data breaches), then multiple devices and accounts are at risk. When it comes to a Microsoft account, it means the attacker has access to everything that’s linked to that account, which can include confidential documents, notes, apps, emails, and credit card information.
Meanwhile, a PIN secures only the device you use it on. Microsoft doesn’t sync PINs across devices, doesn’t store them on its servers, and never sends them over the network. This is why Microsoft chose to go with this option. Diana Huang, director of engineering for Windows security, explained it further in this post.
She said that passwords are symmetric keys, and “there is always a server which keeps track of your password or the symmetric key.” A Windows Hello PIN, by contrast, is used locally to unlock an asymmetric key pair whose private key is bound to the device; the server only ever holds the public key, so there is no shared secret on the server side for an attacker to steal.
Microsoft ties the login PIN to the tamper-resistant TPM chip. The PIN itself is not stored anywhere: when you enter it, the TPM uses it as the authorization value for the device-bound private key, releases that key only if the PIN is correct, and counts failed attempts. After a configurable number of wrong guesses the TPM’s anti-hammering protection locks the key, so trying every possible PIN is not an option even for someone holding the device.
Passwords are also stored as salted hashes on the server, but a hash database can be stolen in a breach and cracked offline at machine speed with nothing to slow the attacker down. The situation is different with PINs, as this Microsoft post also explains in detail.
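The difference the two preceding paragraphs describe comes down to where the guessing happens. The following is an added example, not Microsoft’s code or the Windows Hello implementation: a constructed model that puts the same six-digit PIN behind a server-style salted hash and behind a TPM-style key store with an anti-hammering counter, then runs the same brute force against both. The lockout threshold of 32 failures is an assumption for the model (real TPM lockout parameters are configurable), the "private key" is just random bytes, and the one-round SHA-256 hash stands in for whatever KDF a server would use.

```python
"""Constructed model: one six-digit PIN, protected two different ways."""
from __future__ import annotations

import hashlib
import hmac
import secrets

# Assumption for this model only: the TPM allows 32 wrong tries before its
# dictionary-attack (anti-hammering) lockout engages. Real values vary.
TPM_MAX_FAILURES = 32
PIN_DIGITS = 6


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Salted hash the way a server would store a credential. One SHA-256
    round keeps the demo fast; a slow KDF changes the constant, not the
    outcome, because a 10^6-entry PIN space is tiny."""
    return hashlib.sha256(salt + pin.encode()).digest()


def crack_leaked_hash(salt: bytes, digest: bytes) -> tuple[str, int] | None:
    """Offline attack on a leaked (salt, hash) pair. Nothing rate-limits the
    attacker, so the whole PIN space can be searched. Returns (pin, tries)."""
    for n in range(10 ** PIN_DIGITS):
        candidate = f"{n:0{PIN_DIGITS}d}"
        if hmac.compare_digest(hash_pin(candidate, salt), digest):
            return candidate, n + 1
    return None


class TpmLockedOut(Exception):
    """Raised once the anti-hammering counter has locked the key."""


class TpmBackedKey:
    """Simplified model of a device-bound key: the PIN is an authorization
    value checked inside the TPM, which releases the private key on success
    and counts failures. The PIN is never stored as a hash and never leaves
    the device (the attacker below must hold the device to call unlock)."""

    def __init__(self, pin: str) -> None:
        self._auth = pin.encode()                    # lives only inside the TPM model
        self._private_key = secrets.token_bytes(32)  # what a correct PIN releases
        self.failures = 0
        self.locked = False

    def unlock(self, pin: str) -> bytes:
        if self.locked:
            raise TpmLockedOut("anti-hammering lockout engaged")
        if hmac.compare_digest(self._auth, pin.encode()):
            self.failures = 0
            return self._private_key
        self.failures += 1
        if self.failures >= TPM_MAX_FAILURES:
            self.locked = True
        raise ValueError("wrong PIN")


def guess_against_tpm(key: TpmBackedKey) -> tuple[str | None, int]:
    """Same brute force, but online against the TPM model. Returns
    (pin_or_None, wrong_attempts_made_before_success_or_lockout + 1 if found)."""
    attempts = 0
    for n in range(10 ** PIN_DIGITS):
        candidate = f"{n:0{PIN_DIGITS}d}"
        try:
            key.unlock(candidate)
        except TpmLockedOut:
            return None, attempts          # search cut off by the lockout
        except ValueError:
            attempts += 1
            continue
        return candidate, attempts + 1     # found before the lockout hit
    return None, attempts


if __name__ == "__main__":
    pin = "482913"                         # constructed example PIN
    salt = secrets.token_bytes(16)
    print("leaked hash:", crack_leaked_hash(salt, hash_pin(pin, salt)))
    print("tpm-backed: ", guess_against_tpm(TpmBackedKey(pin)))
```

Run as-is, the leaked hash gives up the PIN after a few hundred thousand hashes in well under a second, while the TPM model stops answering after 32 wrong guesses. The model also shows the failure mode the article goes on to mention: if malware on the device can call `unlock` with the correct PIN it has captured, the TPM releases the key just as it would for the user, because the TPM cannot tell who typed it.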
The Advantages and Disadvantages of Using a PIN
PINs are simple, and they aren’t a new form of authentication. Even the way Microsoft is now using them, as a local secret that unlocks a hardware-protected key, isn’t a new idea; it is how bank cards and smart cards have worked for decades.
People were using PINs long before the internet became a daily necessity, and they are still a sound form of authentication when used this way because:
- They are stored locally on the device and aren’t transmitted online.
- The PIN is backed by hardware protection on devices that have a TPM (Trusted Platform Module) chip installed.
The most significant advantage of a PIN is that no one can steal it in a data breach, because no server ever holds it. Password spraying doesn’t work against it either, since there is no network-facing login service that accepts the PIN. Even if the PIN itself leaks, an attacker can do nothing with it without physical access to that specific device, because the PIN only unlocks a key that lives in that device’s TPM.
Realistically, the way someone gets into a Windows account protected by a PIN is to watch the owner type it and then steal the device.
Meanwhile, stealing passwords is both possible and common. Companies store them (or their hashes) on servers, and users send them over the internet every time they log in. PINs have neither problem.
That said, there’s still one big caveat. Malware that gains full control of the device can capture the PIN as it is typed, or simply act on the unlocked machine, so an attacker wouldn’t need to be physically present to compromise it. So while the new Windows PIN system is much safer than passwords for device login, don’t make the mistake of thinking it’s infallible. A false sense of safety breeds complacency.
Even though PINs are more secure, Windows 10 users still need to be vigilant and protect their devices from outside attacks or theft.
Does The Future of Passwords Look Bleak?
Not entirely. Despite Microsoft’s drive to drop passwords, they’re still the most common form of authentication, at least for now. Other authentication methods like fingerprint and face recognition are gaining ground, but they are still far from mainstream.
So for now, insecure or not, passwords remain the top dog of authentication. But that doesn’t mean people can’t stay safe while using passwords.
Massive data breaches aside, many people can blame themselves for being hacked. Most have terrible password habits, including using common and simple passwords. And, of course, many reuse the same password across all their accounts.
Tools exist to alleviate that problem. For example, password managers let people create plenty of long, unique passwords without having to remember any of them; they only have to remember one master password. That alone solves a lot of the problems associated with passwords, reuse in particular.
Password managers aside, it’s also crucial to follow basic cybersecurity practices. It’s essential to avoid threats like phishing attacks. That’s another popular method hackers use to steal passwords.
Moreover, 2FA is becoming more mainstream. Some platforms, for example Yahoo, already offer temporary passcodes instead of passwords. It ensures that a compromised password alone doesn’t give cybercriminals easy access to the accounts.
PINs might be the future for Microsoft, but the rest of the world is still very much in the “password” camp. So even though the switch to PINs is coming on Windows, passwords are still relevant, and so are safe password habits.
Microsoft is making the PIN the primary way to sign in to Windows, and that’s a good thing. Using a PIN is a much safer way of securing devices and the Microsoft accounts signed in on them. That said, passwords won’t disappear for the rest of the world, even if the Windows ecosystem decides to move on without them.