Microsoft's CISO Wants To Eliminate Passwords
In the attached article, Microsoft’s CISO Bret Arsenault discusses why he is moving Microsoft users away from passwords. He talks about hackers still getting effective use out of “password spraying,” which he describes as “an old-school method, where an attacker tries to access a huge number of accounts at once using some of the most commonly used passwords.” He suggests the only way to effectively defend against this type of attack is to get rid of passwords. He may have a point; passwords are grossly ineffective, especially when used as the only form of authentication. But it got me wondering: eliminating passwords is a great thing to do from an asset or network authentication perspective to protect the company, but if we are truly to live in a password-less society, there is still a lot to be done from an application perspective before we can completely move away from them.
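The reason spraying works is that it stays under per-account lockout thresholds: a few common passwords are tried against many accounts, so no single account sees enough failures to lock. The detection that follows is an added example written for this post, not code from the article or from Microsoft; it assumes a constructed log format (`<ISO timestamp> <source IP> <username> <SUCCESS|FAILURE>`) and assumed threshold values, and it flags a source that fails against many distinct accounts inside a sliding window while touching each account only a few times.

```python
"""Detect password spraying in authentication logs (added example).

Per-account lockout counts failures per user. A spray produces few failures
per user but many distinct users from one source, so the detector keys on
the source and counts distinct failed usernames inside a time window.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log (not from any real system). Assumed format:
# "<ISO timestamp> <source IP> <username> <SUCCESS|FAILURE>"
SAMPLE_LOG = """\
2024-01-01T09:00:01 203.0.113.7 alice FAILURE
2024-01-01T09:00:02 203.0.113.7 bob FAILURE
2024-01-01T09:00:03 203.0.113.7 carol FAILURE
2024-01-01T09:00:04 203.0.113.7 dave FAILURE
2024-01-01T09:00:05 203.0.113.7 erin FAILURE
2024-01-01T09:00:06 203.0.113.7 frank FAILURE
2024-01-01T09:00:07 203.0.113.7 grace SUCCESS
2024-01-01T09:05:00 198.51.100.4 alice FAILURE
2024-01-01T09:05:10 198.51.100.4 alice FAILURE
2024-01-01T09:05:20 198.51.100.4 alice SUCCESS
2024-01-01T11:00:00 192.0.2.9 bob SUCCESS
"""


@dataclass
class SprayAlert:
    source: str
    window_start: datetime
    distinct_users: int      # distinct accounts that failed in the window
    failures: int            # total failures in the window
    hit_accounts: list       # accounts that succeeded from the same source


def parse_line(line):
    ts, src, user, result = line.split()
    return datetime.fromisoformat(ts), src, user, result


def detect_password_spray(log_text, window=timedelta(minutes=10),
                          min_distinct_users=5, max_per_user=3):
    """Return at most one SprayAlert per source IP.

    A source is flagged when, inside `window`, it fails against at least
    `min_distinct_users` different accounts while trying no account more
    than `max_per_user` times. Thresholds are assumed values for the example.
    """
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e[0])
    by_source = defaultdict(list)
    for ev in events:
        by_source[ev[1]].append(ev)

    alerts = []
    for src, evs in by_source.items():
        failures = [e for e in evs if e[3] == "FAILURE"]
        successes = {e[2] for e in evs if e[3] == "SUCCESS"}
        best = None
        start = 0
        for end in range(len(failures)):
            # Slide the window start forward until failures[start..end] fit.
            while failures[end][0] - failures[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, _, user, _ in failures[start:end + 1]:
                per_user[user] += 1
            # Many distinct users, few tries each: the spray shape. A single
            # account hammered repeatedly (198.51.100.4 above) is not flagged
            # here; that is what per-account lockout already catches.
            if (len(per_user) >= min_distinct_users
                    and max(per_user.values()) <= max_per_user):
                if best is None or len(per_user) > best.distinct_users:
                    best = SprayAlert(src, failures[start][0], len(per_user),
                                      end - start + 1, sorted(successes))
        if best is not None:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_password_spray(SAMPLE_LOG):
        print(alert)
```

Any success from a flagged source (`hit_accounts`) is the account to triage first, since a spray that lands one common password is exactly the case Arsenault is worried about; a second factor or a passwordless credential on that account is what turns the alert into a non-event.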
I have used biometrics to access my personal laptops for years, but I still have to authenticate with a user name and password to practically every site I go to, the exception of course being my phone, where many mobile applications, from some of the same sites, incorporate fingerprint or facial recognition features. The average end user will still have plenty of passwords to remember. In addition, I think there will always be a need for a backup authentication method, which I think would still be a user name and password. I can’t tell you how many times my hardware has failed and I needed that user name and password to access my device.
Bottom line: I am certain that passwords are ineffective, and end users at times can be lazy, creating easily guessable passwords that put the entire network at risk. However, we still have a long way to go before eliminating our conditioning and dependence on them.