Microsoft CISO Says Passwords Are Useless


Microsoft’s chief information security officer (CISO), Brett Arsenault, believes that when it comes to protecting companies and individuals from cyberattacks, passwords are typically useless.

He should know: Microsoft handles 6.5 trillion cybersecurity incidents each year, with spam email, scams and phishing schemes making up most of those attacks. In fact, he explained that email-based and password-based hacking are responsible for everything from simple to highly complex frauds.

“We all sort of declared years ago that identity would be our new perimeter. People are very focused on taking advantage of identity, it’s become a classic: hackers don’t break in, they log in. I see that as a huge, huge thing for us to work on,” said Arsenault, according to CNBC.

“Password spraying,” where an attacker tries a single commonly used password against a large number of accounts at once, rather than many passwords against one account, is a method Microsoft encounters regularly.

“The reality is, we still see a lot of attempts of people trying to password spray. The best way to protect against the password spray is to just eliminate passwords,” explained Arsenault. “If you have passwords, you have to enable multi-factor authentication,” that is, using a password in combination with another form of identification, like a random set of numbers texted to the user’s phone. “And so the thing that we are seeing is lots and lots of people just focused on eliminating that whole vector.”
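The pattern Arsenault describes has a recognisable signature in authentication logs: one source fails against many distinct accounts with only one or two attempts each, whereas ordinary brute force hammers a single account. The following detector is an added example, not Microsoft's tooling or anything from the article; it runs over a few constructed failed-sign-in lines in an assumed `<timestamp> FAIL user=<name> src=<ip>` format and flags sources whose failures inside a time window spread across at least `min_accounts` accounts with at most `max_per_account` attempts each.

```python
"""Password-spray detector over failed-sign-in log lines (added example).

Assumed log format (constructed for this example, not a real product's):
    <ISO-8601 timestamp> FAIL user=<account> src=<source ip>
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.7 tries six accounts once each (spray),
# 198.51.100.4 tries one account three times (brute force, not a spray),
# 192.0.2.9 is a user mistyping their own password twice.
SAMPLE_LOG = """\
2019-03-01T09:00:01 FAIL user=alice src=203.0.113.7
2019-03-01T09:00:02 FAIL user=bob src=203.0.113.7
2019-03-01T09:00:03 FAIL user=carol src=203.0.113.7
2019-03-01T09:00:04 FAIL user=dave src=203.0.113.7
2019-03-01T09:00:05 FAIL user=erin src=203.0.113.7
2019-03-01T09:00:06 FAIL user=frank src=203.0.113.7
2019-03-01T09:00:08 FAIL user=alice src=198.51.100.4
2019-03-01T09:00:09 FAIL user=alice src=198.51.100.4
2019-03-01T09:00:10 FAIL user=alice src=198.51.100.4
2019-03-01T09:05:00 FAIL user=bob src=192.0.2.9
2019-03-01T09:05:30 FAIL user=bob src=192.0.2.9
"""


def parse_line(line):
    """Split one log line into (timestamp, status, account, source ip)."""
    ts, status, user_kv, src_kv = line.split()
    return (datetime.fromisoformat(ts), status,
            user_kv.split("=", 1)[1], src_kv.split("=", 1)[1])


def detect_spray(log_text, window=timedelta(minutes=10),
                 min_accounts=5, max_per_account=2):
    """Return {source_ip: summary} for sources whose failures look like a spray.

    A spray is: within `window`, failures from one source cover at least
    `min_accounts` distinct accounts and no single account is hit more than
    `max_per_account` times (many accounts, few tries each).
    """
    failures_by_src = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, status, user, src = parse_line(line)
        if status == "FAIL":
            failures_by_src[src].append((ts, user))

    findings = {}
    for src, fails in failures_by_src.items():
        fails.sort()
        best = None
        start = 0
        # Sliding window over the time-ordered failures of this source.
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_account = Counter(user for _, user in fails[start:end + 1])
            if (len(per_account) >= min_accounts
                    and max(per_account.values()) <= max_per_account):
                if best is None or len(per_account) > best["accounts"]:
                    best = {
                        "accounts": len(per_account),
                        "attempts": sum(per_account.values()),
                        "first": fails[start][0].isoformat(),
                        "last": fails[end][0].isoformat(),
                    }
        if best is not None:
            findings[src] = best
    return findings


if __name__ == "__main__":
    for src, summary in detect_spray(SAMPLE_LOG).items():
        print(f"possible password spray from {src}: {summary}")
```

The thresholds are deliberately separate knobs: lowering `max_per_account` makes the rule stricter about the "few tries per account" half of the pattern, so a brute-force source that also touches a handful of accounts does not get mislabelled, while `min_accounts` sets how wide the spread must be before one source is worth an alert. With the sample above only `203.0.113.7` is reported, which is the behaviour the article's mitigation (MFA or no passwords at all) is meant to blunt.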

With that in mind, Arsenault said that 90 percent of Microsoft’s employees can log on to the company’s network without a password, part of the “passwordless future” the company has been actively promoting. Instead, Microsoft employees use options such as Windows Hello and the Authenticator app.

While Microsoft wants to eliminate passwords entirely, other tech companies simply want their customers to rely on them less. Google has been looking into using USB key fobs to provide a second factor of authentication for logging in. And Cisco acquired dual-factor authentication startup Duo last year to move closer towards two-factor authentication for its customers.