#75: Mind your P@assw0rds

Be honest: when you sign up for some website, do you just use the same email address / password? If so, you’re not alone – around three-quarters of people reuse the same passwords, even though most know they really shouldn’t.

A CyberNews study of over 19 billion exposed passwords shows that many are weak and easy to guess, too – the most popular passwords for the last 15 years are, basically, “123456” and “password”. Some of the more high-profile security breaches have come about directly because of weak and compromised credentials.

ToW has talked about passwords a bit in the distant past – #620, #656 in the old days, and most recently, #33 – Securing your Microsoft Account (MSA). If you haven’t done so already, go right now to that last link and set up Multifactor Authentication (MFA) on your Microsoft Account.

Authenticator being Edged out

Like Google Chrome, Firefox and pretty much every modern browser, Microsoft’s Edge can offer to generate nice complex passwords for you. It also has a password store which can automatically fill your usernames & passwords next time you revisit websites, so you don’t need to remember them or write them down, and it can synchronise them between different devices logged in with the same ID.

In shock news bordering on marginal enshittification, Microsoft has decided to remove a useful component of the Authenticator app that it prefers to use for managing 2FA/MFA on its various types of logins.

Thus far, if you have Authenticator set up with your Microsoft Account or an Entra ID, you can sync your passwords from the PC and be able to review them in the app, just as you would by going to Settings / Passwords options in the desktop Edge browser (or entering edge://wallet/passwords into the address bar).

This means that it can be handy to find a username/password when you’re mobile, in case you need to enter it manually, but also it allows Authenticator to provide an “autofill service” for other apps on your device, not just web pages. When you get unceremoniously signed out of an app just because it’s been automatically updated, the autofill service can recover and re-enter your username and password.

It’s this bit that is being yanked from Authenticator – for reasons unknown, other than “Microsoft is streamlining autofill”. Maybe nobody uses it? Maybe Microsoft would prefer anyone who does use Edge on their PC and who wants to access passwords while mobile, to be compelled to use Edge on their Phone also?

Similarly, Payment info that is synced from browser to Authenticator will be removed in July 2025.

The workaround (other than moving to a completely different password management system) is indeed to switch autofill provider on your phone to use Edge instead (having first installed it and synced it with your ID, if you haven’t already). In mitigation, the mobile versions of the browser are pretty good, and if you do use Edge on the PC or Mac, it makes sense to sync stuff across to your phone as well.

The password autofill is pretty much indistinguishable when using Edge in place of Authenticator. The UX for password management, however, isn’t so good (go into mobile Edge, Settings, and look for Passwords) but maybe that’s the price of progress?

620 – Change your P@ssw0rd!

Bad Actors are all over the internet (not just in your local multiplex), mostly aiming to gain access to data and systems for nefarious purposes, though sometimes they try to do good. Data breaches generally start with the weakest link in the chain: PEBKAC, in other words, It’s Your Problem.

Identity protection company SpyCloud reports that more than two-thirds of passwords which have been breached online are still in use and most users still have the same username and password combo across multiple accounts. If you want to keep your own personal identity and data safe, it’s job #1 to make sure you have unique passwords for each website you use, and that the passwords are not made up of guessable words or phrases.

The Edge browser gives you some tools to manage your passwords better – look for the Password Generator, or the drop-down Suggest strong password option, when you’re registering a new sign-in, and it will generate a long and complex password, stored in your account so in future you can be automatically signed in.

Some sites don’t trigger the password generator or suggestion – perhaps due to how they describe or display the password field(s) – so another option is to use a browser extension like btPass (numerous others are available). It simply drops an icon on the browser toolbar and will show a password of varying complexity and length, which can be quickly copied to the clipboard and pasted into password fields. Since some sites don’t like special characters in the password, you can tweak or edit the text it creates.

Security software company F-Secure has launched a free online password generator, if you’d prefer to create your secrets that way.
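To show what a generator of this kind does, and what dropping special characters costs, here is an added example (not the code of Edge, btPass or F-Secure). The special-character set, the default length and all function names are assumptions made for illustration.

```python
import math
import secrets
import string

# Assumed set of special characters; real sites and generators differ.
SPECIALS = "!#$%&*+-=?@^_"
ALNUM_SIZE = len(string.ascii_letters + string.digits)  # 62 symbols


def generate_password(length=20, use_specials=True):
    """Random password with at least one character from each enabled class."""
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits]
    if use_specials:
        classes.append(SPECIALS)
    if length < len(classes):
        raise ValueError("length too short to include every character class")
    alphabet = "".join(classes)
    while True:
        # secrets draws from the OS CSPRNG; the random module is not suitable.
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        # Retry until every class is represented, so site rules are satisfied.
        if all(any(ch in cls for ch in candidate) for cls in classes):
            return candidate


def entropy_bits(length, use_specials=True):
    """Upper bound on entropy: length * log2(alphabet size)."""
    size = ALNUM_SIZE + (len(SPECIALS) if use_specials else 0)
    return length * math.log2(size)


def length_without_specials(length_with_specials):
    """Shortest letters-and-digits length with at least the same entropy."""
    target = entropy_bits(length_with_specials, use_specials=True)
    return math.ceil(target / math.log2(ALNUM_SIZE))


if __name__ == "__main__":
    print(generate_password())                        # with special characters
    n = length_without_specials(20)
    print(generate_password(n, use_specials=False))   # for sites that reject them
    print(f"{entropy_bits(20):.1f} bits vs {entropy_bits(n, False):.1f} bits")
```

For a site that rejects special characters, one extra character of length more than makes up for the smaller alphabet.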

The Manage passwords option seen in some password drop-downs – also available from the settings menu or by entering edge://settings/passwords into the address bar – gives access to Password Monitor, which warns you if passwords you have saved are known to have been breached, and can display a list of the sites where your previously-set password has been found in a trove of hacked accounts.

You can quickly check the password used and decide to visit the page to change it – assuming the site still exists – or simply ignore it (on the assumption that you’ll be cleaning up and not using the compromised passwords on any sites you still want to actually visit).
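The same kind of clean-up can be done locally on an exported password list, covering both the reuse problem described earlier and the weak or breached passwords a monitor would flag. This is an added example, not how Password Monitor works internally; the CSV column layout (name,url,username,password), the tiny common-password list, the 12-character minimum and all sample entries are constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the assumed export layout; no real credentials.
SAMPLE_EXPORT = """name,url,username,password
shop,https://shop.example/login,alice@example.com,123456
forum,https://forum.example/signin,alice@example.com,Tr0ub4dor&3
mail,https://mail.example/,alice@example.com,Tr0ub4dor&3
bank,https://bank.example/,alice,vN7#qLw2!xRb9TzK
news,https://news.example/,alice@example.com,password
"""

# Small constructed stand-in for a list of common or breached passwords.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "111111"}


def audit(export_text, common=COMMON_PASSWORDS, min_length=12):
    """Return {url: sorted findings} for every saved login with a problem."""
    rows = list(csv.DictReader(io.StringIO(export_text)))

    # Group sites by password so reuse across accounts becomes visible.
    sites_by_password = defaultdict(list)
    for row in rows:
        sites_by_password[row["password"]].append(row["url"])

    findings = defaultdict(set)
    for row in rows:
        pw, url = row["password"], row["url"]
        if pw.lower() in common:
            findings[url].add("common")
        if len(pw) < min_length:
            findings[url].add("short")
        if len(sites_by_password[pw]) > 1:
            findings[url].add("reused")
    return {url: sorted(tags) for url, tags in findings.items()}


if __name__ == "__main__":
    # Report the site and the finding only; never echo the password itself.
    for url, tags in audit(SAMPLE_EXPORT).items():
        print(f"{url}: {', '.join(tags)}")
```

Delete the exported file once the audit is done, since it holds every password in clear text.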

If you install Microsoft Authenticator on your phone and sign in with the same account as you use in your browser, the saved passwords will be available through Authenticator too – so having very complex passwords should be no barrier to usability any more.