1/ Did you know that even if you always use FIDO security keys or an authenticator app to login, an attacker can still target the password you forgot you had? Reasons why you might choose to delete your
password (a thread)
password (a thread)
2/ Transparency: I am an identity geek at Microsoft and we now support password deletion for our consumer accounts: microsoft.com/security/blog/…. This is my attempt to outline *why* this kind of feature is important, here we go…
3/ #Cyberattacks like password spray and #CredentialStuffing can still be successful for attackers if you previously set your password to something predictable or reused the password at other sites. Deletion takes guessing and replay out of the attacker toolbox for your account.
4/ Sometimes, legacy software is still configured to ask for your password behind the scenes. If you don't have a password, you know that these old legacy systems will not operate. This is good, because guess who targets those old legacy clients? Attackers!
5/ BTW, reduction of password-only clients must be a joint priority between identity departments and backend services before password deletion goes live. Here is an entertaining progress report on this collaboration from my co-workers at RSA 2020:
6/ Attackers sometimes convince help desk agents to reset passwords based on social engineering. It gets harder to convince your help desk to reset your password when you don’t have one. Multiple factors should be pre-requisite to delete, so the 'oopsy' defense is tougher too
7/ The risk gets even higher for demo accounts. The temptation to set your demo passwords to something stupid is astronomically high, yet an attacker could compromise your demo account first and then use that foothold to move into areas of value.
8/ (Incidentally, there is no greater pleasure than giving a demo where every single user login is selected from the chooser menu of a single FIDO2 security key without typing a single username or password, but that will have to be a different thread )
9/ So far, I am mostly talking about removing yourself from the opportunistic attack pool. But let’s talk about philosophical goals for a second. You might be the kind of person who prefers to know that should you be hacked, it was by a discerning attacker!
10/ You definitely could still be attacked, but hopefully the cost is higher; the bloody-minded of you might enjoy that. If you want to make yourself an expensive target for authentication attacks, a good analysis is here: aka.ms/Allyourcredsar…
11/ Also important: voluntarily deleting your password sends a message to vendors and IT departments that this capability *matters*, and that you as an individual want to see advanced #Infosec features like password deletion adopted more widely.
12/ There are also reasons to keep a password around! The difference between deleting a password and intentionally scrambling a password into a long and random sequence of characters is (other than philosophically) small to me but maybe others have insight here?
13/ My hope for the future: enough deleted passwords might hasten a UX tipping point where passwords are (dare I say) not the presumed default experience. Yes, I know this shows a debilitating tendency towards optimism, but it’s my thread and I can dream!
14/ If you want to be an early adopter of password deletion, you should go into it with your eyes open. FWIW I recommend going #passwordless first, and then spending a month making note of any place where only a password works. At that point will be better informed.
15/ I personally believe password deletion is a unique and important feature, and proof that we are doing the security work behind the scenes across Microsoft to eliminate legacy authentication.
16/ I am proud that we have exec sponsorship from the top all the way down to prioritize critical work like password deletion, and I hope we can share our learnings with other platforms who have the same goals. But enough about me, what do YOU all think?
17/ Appendix: if you want more information on the many ways passwords can be attacked, check out the blog by @Alex_T_Weinert called aka.ms/yourpassworddo…
• • •
Missing some Tweet in this thread? You can try to
force a refresh
