W10 lost password
Options
Comments
-
Windows passwords support password reminder text. Best to use it. In user or password settings page.
0
-
jamesd said: Windows passwords support password reminder text. Best to use it. In user or password settings page.
The best for security purposes is using a Microsoft account with a complex password and 2FA. If you ever forget your password you can reset it using a secondary device for authentication such as the Microsoft authenticator app installed on a phone or a text / email message.
If you want convenience you can make use of the PIN feature instead for logging on to your PC which will encourage you to use a more complex password.
Although a PIN sounds less secure than a password at first sight, they actually have some security advantages because they cannot be brute force attacked like a password. You have only 4 attempts before Windows will ask for an alternative authentication, so somebody can't just keep typing different PINs for an hour in the hope of guessing the right one like a password. The PIN is also hardware locked to that device and stored encrypted in the TPM, which also resists brute force attacking, and the PIN can't be used to gain access to your Microsoft account from elsewhere or intercepted when being transmitted over the internet for authentication. And finally it cannot be used to remotely access your device - you must be physically present to use the PIN, unlike a password that can be used via a remote connection.
Even better use a fingerprint or facial recognition if the device supports it.
We all know long and complex passwords are better but they just aren't convenient, mine is about 40 characters long for my Microsoft Windows account but I never need to type it and I'm not worried about forgetting it.
Most people do all the above with their phones nowadays anyway so no reason not to with a PC.
But there seems to be a lot of fans of local accounts on these forums, but this means your password is stored on your hard disk and can be brute force attacked remotely and offline without access to the machine itself - all in a matter of hours for the average 8 character password.
0
-
While tallmansix has given some great advice there are a couple of things I would maybe disagree with.
'Complex' passwords in themselves can be a security risk since it is more likely that these need to be stored somewhere or, worse still, written down. Their complexity also means that they may have to be changed more frequently, which opens up another attack vector.
The most important thing about any password is length, the longer you can make it the better. If you use long passwords you don't need to worry about including random characters, special characters etc. since any cracking tool would have to be automated and when that happens there is no added benefit to having complex passwords from such tools since they check the entire ASCII character set (which means dictionary words and random text can be cracked in the same time).
So minimum length should be at least 12 characters (preferably 16+), mixed-case alphanumeric. By all means include some numerics and special characters, but they are not a necessity. We generally suggest 3 words of 5 characters or more concatenated, e.g. "JumperUnderscoreBanana". Another tip I have seen is to make one of the words a non-dictionary word or deliberate spelling mistake.
While they are no longer considered secure, hint text and security questions can still be useful. For security questions the last thing you should use is the answer to the question being asked. So, for example, if it asks for your mother's maiden name, use your first born's middle name and then remember that is how you answer that question (just be consistent across sites).
With hint text you could use (e.g.) a 9 digit number. The number itself is meaningless but maybe one or 2 digits provide a clue towards the password. e.g. digit 7 is the hint and if it is a '5' it means that you use the password starting with 'E'. This may sound complex but most people have a good ability to pattern match.
When it comes to mobile phones, most of this is irrelevant since there are much easier and quicker ways of gaining access.
I don't care about your first world problems; I have enough of my own!
1
-
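A back-of-envelope guessing-cost model, added here as an example and not part of the thread, of the two points the posts above argue over: a TPM-held PIN that only faces a handful of online attempts versus a local-account password hash that can be attacked offline, and length versus complexity. The offline guessing rate, the word-list size and the 6-digit PIN are assumed values chosen for illustration, not measurements; the 4-attempt lockout figure is the one quoted in the thread.

```python
# Added example (not from the thread): keyspace and guessing-time estimates for the
# password choices discussed above. All rates and sizes below are assumptions.
import math

OFFLINE_GUESSES_PER_SEC = 1e10       # assumed offline cracking rate against a leaked local-account hash
ONLINE_ATTEMPTS_BEFORE_LOCKOUT = 4   # the thread's figure: Windows asks for other auth after 4 PIN attempts
PRINTABLE_ASCII = 95                 # the "entire ASCII character set" an automated tool would try
MIXED_CASE_ALNUM = 62                # A-Z, a-z, 0-9
DICTIONARY_WORDS = 100_000           # assumed size of the word list used for a passphrase attack


def keyspace_charset(length, alphabet_size):
    """Candidates an exhaustive charset search must cover for a secret of `length` symbols."""
    return alphabet_size ** length


def keyspace_wordlist(word_count, dictionary_size=DICTIONARY_WORDS):
    """Candidates when the attacker knows the secret is `word_count` dictionary words concatenated."""
    return dictionary_size ** word_count


def entropy_bits(keyspace):
    """Strength in bits: log2 of the number of equally likely candidates."""
    return math.log2(keyspace)


def offline_crack_hours(keyspace, rate=OFFLINE_GUESSES_PER_SEC):
    """Expected hours to find a uniformly chosen secret offline (half the keyspace on average)."""
    return keyspace / 2 / rate / 3600


def online_guess_probability(keyspace, attempts=ONLINE_ATTEMPTS_BEFORE_LOCKOUT):
    """Chance an attacker hits a random secret within the online attempts allowed before lockout."""
    return attempts / keyspace


def compare_policies():
    """Rows of (label, bits, offline hours) for the policies the thread discusses."""
    rows = []
    # Local-account password with its hash attacked offline: no lockout applies.
    for label, length, alphabet in [
        ("8 chars, full printable ASCII", 8, PRINTABLE_ASCII),
        ("12 chars, mixed-case alphanumeric", 12, MIXED_CASE_ALNUM),
        ("16 chars, mixed-case alphanumeric", 16, MIXED_CASE_ALNUM),
    ]:
        ks = keyspace_charset(length, alphabet)
        rows.append((label, round(entropy_bits(ks), 1), offline_crack_hours(ks)))
    # "JumperUnderscoreBanana" style: three words. Two attacker models are shown,
    # one that knows the scheme (word list) and one that does not (22-char charset search).
    ks_words = keyspace_wordlist(3)
    rows.append(("3 dictionary words, attacker knows the scheme",
                 round(entropy_bits(ks_words), 1), offline_crack_hours(ks_words)))
    ks_chars = keyspace_charset(22, MIXED_CASE_ALNUM)
    rows.append(("3 dictionary words, charset search over 22 chars",
                 round(entropy_bits(ks_chars), 1), offline_crack_hours(ks_chars)))
    return rows


def pin_online_risk(pin_digits=6):
    """A TPM-held PIN is only guessable online, so the lockout bounds the attacker's odds."""
    return online_guess_probability(keyspace_charset(pin_digits, 10))


if __name__ == "__main__":
    for label, bits, hours in compare_policies():
        print(f"{label:50s} {bits:6.1f} bits  ~{hours:.3g} h offline")
    print(f"6-digit PIN, {ONLINE_ATTEMPTS_BEFORE_LOCKOUT} online tries: "
          f"{pin_online_risk():.4%} chance of a hit")
```

The first row reproduces the "matter of hours" claim for an 8-character password at the assumed rate, while 16 mixed-case characters push the same attack far beyond any practical timescale. The two passphrase rows show the caveat a practitioner would add to the length argument: three words are only as strong as the 22-character charset figure if the attacker cannot narrow the search to a word list, so the words should be picked at random from a large list rather than being a memorable phrase.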
[Deleted User] said: jamesd said: Windows passwords support password reminder text. Best to use it. In user or password settings page.
The best for security purposes is using a Microsoft account with a complex password and 2FA. If you ever forget your password you can reset it using a secondary device for authentication such as the Microsoft authenticator app installed on a phone or a text / email message.
If you want convenience you can make use of the PIN feature instead for logging on to your PC which will encourage you to use a more complex password.
Password reminders, password reset disk and using a Windows account instead of a local account are all good moves to enhance the low level of security provided. So would be a USB fingerprint sensor for logging in that way.
Personally, I use PIN with a Microsoft account, recovery code and second factor for recovery.
0
-
My 2p worth on passwords. (Sorry if moving away from subject.) Use a password manager/generator. Bitwarden is a current favourite because it's free.
If you put your general location in your Profile, somebody here may be able to come and help you.
0
-
jamesd said: [Deleted User] said: jamesd said: Windows passwords support password reminder text. Best to use it. In user or password settings page.
The best for security purposes is using a Microsoft account with a complex password and 2FA. If you ever forget your password you can reset it using a secondary device for authentication such as the Microsoft authenticator app installed on a phone or a text / email message.
If you want convenience you can make use of the PIN feature instead for logging on to your PC which will encourage you to use a more complex password.
Password reminders, password reset disk and using a Windows account instead of a local account are all good moves to enhance the low level of security provided. So would be a USB fingerprint sensor for logging in that way.
Personally, I use PIN with a Microsoft account, recovery code and second factor for recovery.
0
-
grumpycrab said: My 2p worth on passwords. (Sorry if moving away from subject.) Use a password manager/generator. Bitwarden is a current favourite because it's free.
Bitwarden all the way! I absolutely love it!
Save £12k in 2019 #154 - £14,826.60/£12k
Save £12k in 2020 #128 - £4,155.62/£10k
0
-
[Deleted User] said: True, I forgot to say add bitlocker to the disk then that stops all other methods of access.
Then there's a balancing of risks to be done:
1. Can the user be trusted to keep the essential recovery key information secure, locking away the disk or printout or file so it isn't compromised?
2. Can the user be trusted not to lose their data by forgetting the PIN and not doing or losing the information in 1?
3. Are their backups less secure and compromised regardless?
In the case at hand it was clearly a low security situation since the children could provide the password, so a password reminder that might deprive the children of that knowledge would increase security against some casual access.
Over-estimating users can be hard. I helped out someone who lost all of their business files and wanted help getting them back. No encryption involved, they had just picked their backup account instead of their usual one and that didn't have their files on their desktop...
At nearly the complete opposite end of the credentials security spectrum, I and a single-digit number of other people used to have root on a few hundred computers at a global top 100 web site, with all accesses by almost everyone done remotely since they resided in colos. Getting past SSH authentication was the first practical requirement to try compromising that. Even so, sudo saw a lot of use for things like site updates on every box rather than doing normal work with total access. These days two factor authentication is also required and access is controlled more granularly by role, among other things.
(shrug) Pick your use case and need and choose accordingly. A home user where kids know the password has different needs from a case where millions of people will think the internet is down if it goes offline.
0
-
All of the above concerns can now be totally avoided - Microsoft Accounts can at last be set to passwordless - this is the future, I've already done it for my account:
https://www.microsoft.com/security/blog/2021/09/15/the-passwordless-future-is-here-for-your-microsoft-account/
Absolutely no password to remember or forget!
Also it can't be leaked or brute force attacked, and nothing needs to be written down, including my bitlocker encryption keys, which are stored safely in my Microsoft account.
1
-
Nice that they have done that, in part because it means that the password can no longer be used to try to get access to an account.
You've probably already done this, but anyone doing it should ensure that they have at least two independent ways of getting in. Phone number and authenticator app on the phone are one if your phone is stolen and could leave you locked out of your account. Email based recovery is, I assume, available in that case.
0