Since Microsoft announced it is moving away from password protection, we examine what this means for cyber security and how charities can protect themselves going forward
It’s the end of an era – 17 years after its founder Bill Gates predicted that passwords would eventually be phased out, Microsoft has announced that it is giving all accounts using Windows 10 or the upcoming Windows 11 the option to become a Passwordless Account. Instead, users will be able to log in via security key, SMS/email codes, or on the Microsoft Authenticator app.
Internally, more than nine in ten Microsoft employees already use Passwordless accounts, but now the change has been passed down to the rest of us. So what does it mean for our cyber security going forward? Passwords have been a key bastion of our security for so long – research shows that the average person has 100 of them (even if we often can’t remember them).
Charities are at particular risk of cyber threats, due to a mixture of limited resources and the wide range of data they collect as part of their work. Keeping up to date with cyber security best practice is crucial to preventing reputation-damaging attacks and keeping criminals out.
Here, we look at the whys and wherefores of choosing a passwordless account, and what to consider before following Microsoft’s lead.
It may seem counter-intuitive to eschew the humble password, but cyber security experts often identify them as a root cause of cyber security attacks. The most common password is 123456, so easily crackable that it would take less than a second to expose.
People tend to use the same password across multiple accounts, putting them all at risk, while ‘conversation hijacking’ cyber threats are also on the rise (where criminals pose as a friend or colleague, inventing a pretext to get someone’s login credentials).
Choosing a passwordless account, therefore, can actually improve the security of your Microsoft account. Two-factor authentication (a password plus another verification step) reduces the risk of a breach significantly, but the risk from a guessed password still remains.
Microsoft says that “[as] long as passwords are still part of the equation, they’re vulnerable”, hence advising multi-factor authentication that doesn’t involve them.
Alternative logins do provide secure options. Biometric logins have become particularly popular over the last few years, especially as smartphone ownership has grown. For example, Apple says its Touch ID function (which allows users to log in using their fingerprint) has a one in 50,000 chance of letting someone else unlock your phone.
By comparison, the chance of someone guessing a four-digit passcode is one in 10,000.
Similarly, receiving codes via email or mobile messaging requires you to have access to your devices and accounts at the right time – and users will generally notice when a code arrives that they did not request, which helps prevent unauthorised access.
While a Passwordless Account could help those of us who find it difficult to remember our passwords (especially when following best practice and using different ones across different accounts), it also risks alienating older people or those without access to smartphones.
Around 8% of people in the UK don’t have access to a smartphone – that’s approximately 5.36 million people who simply won’t be able to use an app to access their accounts.
Furthermore, relying on SMS or email authentication can also open users up to phishing attacks, with users encouraged to click on links to reveal personal information. The Anti-Phishing Working Group reveals that about 200,000 new phishing sites crop up each month, impersonating more than 500 different brands and entities per month. Most of these scams – which increased by 440% in May 2021 – are sent by email or text.
The best way to combat this threat is to regularly train and educate staff and service members as to what a phishing scam looks like. The National Centre for Cyber Security also advises that organisations make it clear that phishing scams are difficult to spot and that mistakes happen. Employees are more likely to report incidents swiftly if they don’t fear reproach.
There is also the option of sticking with passwords. As mentioned above, implementing two-factor authentication can reduce the risk of a data breach, and password managers, such as Okta, PasswordBoss, or LastPass, can help employees safely keep track of their different passwords in an encrypted database.
Whether Microsoft’s changes to their security procedures mark a new shift away from passwords or not, there is no need for easily guessable and weak passwords anymore. Make the most of the resources available and make your organisation as safe as possible from cyber threats.