There were always going to be lots of news stories about passwords this past week, what with May 1 being World Password Day. Some were shocking but not altogether unexpected, such as the latest infostealer malware disclosure concerning 1.7 billion stolen credentials being put up for sale in criminal marketplaces. Others were, frankly, gobsmacking in their nature. I mean, how else would you describe Microsoft calling the ability to use old passwords to unlock accounts a feature, not a vulnerability? And then, dear reader, there was the surprise announcement from Microsoft confirming the sudden disappearance of Windows account passwords altogether starting May 1. Here’s what you need to know.
No More Windows Passwords
If you have picked up one thing from World Password Day, then it should be that passwords are bad, m’kay. Heck, how many bad news stories do you need to read before that realization sinks in? Microsoft is certainly no stranger to the danger of weak credentials, issuing an April 23 warning about password spraying attacks by a group known as Storm-1977. Microsoft itself has been trying to get users to move to more secure authentication technology, such as passkeys, issuing advisories urging that Windows users replace their passwords. That move towards a passwordless experience has just taken a massive surge forward.
In a May 1 announcement, Microsoft confirmed that it is suddenly removing passwords from all new Windows accounts with immediate effect, and making them passwordless by default.
“We’re changing the default behavior for new accounts,” Microsoft’s president for identity and network access, Joy Chik, alongside Vasu Jakkal, the corporate vice president for Microsoft security, said. All new Microsoft accounts will now be password-free by default. “New users will have several passwordless options for signing into their account,” Chik and Jakkal continued, “and they’ll never need to enroll a password.”
This will be accompanied by an automated process called passwordless-preferred sign-in. Microsoft has said it will determine the optimal method of securely signing in on your device and present it to you by default. “If you have a password and one-time code set up on your account, we’ll prompt you to sign in with your one-time code instead of your password,” the announcement confirmed. Once you are securely signed in, however, you will then be prompted to enrol a passkey, and this will be used for future sign-in prompts. Windows is about to get a lot safer, thanks to disappearing passwords.









