Are Passwords Useless?

Category: Security

Brett Arsenault, Microsoft's chief information security officer (CISO), says passwords are 'useless' to protect against hacking and other cyberattacks. Why does the guy in charge of security for one of the largest corporations on the planet make such a statement? And what does he recommend? Read on...

Will a Password Protect Your Online Account?

Arsenault, who has been in charge of cybersecurity at Microsoft for a decade, says the company handles an astounding 6.5 TRILLION cybersecurity incidents each year. I thought that was a misprint, so I double checked. And yes, that's trillion with a "T". Those attacks come mostly in the form of email-based spam, scams, phishing schemes, and password-based hacking attempts.

The bad guys don't necessarily need to trick you into downloading malicious software, or exploit security vulnerabilities to gain access to your data. Instead, Arsenault says, “Hackers don’t break in, they log in.” Password spraying is a hacking technique where an attacker attempts to log in to lots of accounts at once using some of the most commonly used passwords. And surprisingly often, it works.
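A defender's view of that pattern, as an added example that is not part of the original article: it scans a constructed login log and flags any source address whose failed logins spread across many accounts with only a few tries each. The log format, thresholds and function name are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): timestamp, source IP, account, result.
SAMPLE_LOG = """\
2019-05-09T10:00:01 203.0.113.7 alice FAIL
2019-05-09T10:00:03 203.0.113.7 bob FAIL
2019-05-09T10:00:05 203.0.113.7 carol FAIL
2019-05-09T10:00:07 203.0.113.7 dave FAIL
2019-05-09T10:00:09 203.0.113.7 erin FAIL
2019-05-09T10:00:11 203.0.113.7 frank OK
2019-05-09T10:01:00 198.51.100.23 alice FAIL
2019-05-09T10:01:20 198.51.100.23 alice FAIL
2019-05-09T10:01:40 198.51.100.23 alice FAIL
2019-05-09T10:02:00 198.51.100.23 alice OK
2019-05-09T10:05:00 192.0.2.10 bob FAIL
2019-05-09T10:05:30 192.0.2.10 bob OK
"""

def detect_spraying(log, window=timedelta(minutes=10),
                    min_accounts=5, max_per_account=3):
    """Flag source IPs whose failed logins hit many accounts, few tries each."""
    failures, successes = defaultdict(list), defaultdict(set)
    for line in log.strip().splitlines():
        ts, ip, user, result = line.split()
        if result == "FAIL":
            failures[ip].append((datetime.fromisoformat(ts), user))
        else:
            successes[ip].add(user)
    flagged = {}
    for ip, events in failures.items():
        events.sort()
        targeted, start = set(), 0
        for end in range(len(events)):
            # Slide the window so it only covers failures within `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            tries = defaultdict(int)
            for _, user in events[start:end + 1]:
                tries[user] += 1
            if len(tries) >= min_accounts and max(tries.values()) <= max_per_account:
                targeted.update(tries)
        if targeted:
            # Any account this source also logged in to needs a password reset.
            flagged[ip] = {"targeted": sorted(targeted),
                           "logged_in": sorted(successes[ip])}
    return flagged
```

Repeated failures against a single account, such as a user mistyping their own password, stay below the distinct-account threshold and are not flagged.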

So what's the best way to protect against password spraying? “Just eliminate passwords,” says Arsenault. That's the ideal, but it may not be possible in many cases to switch to other forms of authentication. So it's more accurate to say that passwords, by themselves, are useless. For those who must use a password, Arsenault has this advice: “If you have passwords, you have to enable multi-factor authentication.” I've written before about the importance of two-factor authentication, which is also referred to as "2FA," "two-step verification," or "enhanced login security."


In a nutshell, two-factor authentication requires using a password, but in combination with another form of identification that's unique to you. See my articles An Extra Layer of Security, and [LOCKDOWN] How Authenticator Apps Protect Your Accounts.

Did you know that May 2 was World Password Day? It sounds like another of those "Hallmark holidays," but actually Intel declared the first Thursday in May as World Password Day back in 2013. Even though you missed it this year, any day is a good reminder to improve the security of your online accounts.

Another option is to enhance password security in these three ways: (1) Stop using easily guessable passwords like "1234567", "monkey", and "password". (2) Don't reuse passwords across multiple sites. (3) Use a password manager to help you generate strong passwords that you don't have to remember or type. My article Is Your Password on the Naughty List? includes a link to the "100 Worst Passwords of 2018" and also information on some of the best password manager tools available.

Arsenault encourages moving to a “passwordless future,” and already 90 percent of Microsoft’s employees log in without a password. This has been facilitated by the use of the Authenticator app and Windows Hello, which provides access to Windows 10 devices using fingerprints or facial recognition.

Google employees use another form of authentication, a little gadget called the Titan Key. I explained how it and similar devices work in my article Is Titan the KEY to Your Security?

What are you doing to improve the security of your online accounts? Your thoughts on this topic are welcome. Post your comment or question below...


This article was posted by on 9 May 2019


Most recent comments on "Are Passwords Useless?"

Posted by:

09 May 2019

Not quite useless. A former employee wanted to log into my office software to get contact info of people she knew. Her old password no longer worked. Game over. She was angry, but that was all it took to avoid a data breach. Not everyone has advanced hacking skills.

Posted by:

Larry Mills
09 May 2019

I have an I8 iPhone which uses biometric protection. I hate it because I can only log on to my phone about 50% of the time using the fingerprint reader. My thumb is so razed by working with wood and glue that it is usually rough. I am interested in any protection device that will truly protect from hacker invasion, so I keep reading.

Posted by:

Paul S
09 May 2019

I have some hope SQRL developed by Steve Gibson will gain some traction this year. See and

Posted by:

09 May 2019

Passwords must be matched with the owners - for example Bill Gates' or Warren Buffet's bank accounts should have layer upon layer of validation. BUT in most of our cases who is going to target them SPECIFICALLY? I defy any scammer to long-hand phish my bank password - he would have had to know me from birth - otherwise it is going to take a decoder much much longer than the simple passwords that too many people do use? Then the criminal has to be in ACTUAL possession of my phone because a code valid for only 4 minutes is required to get into my account for transferring or stealing cash.

Posted by:

09 May 2019

The problem I have with many of these 2F mechanisms is they want a mobile phone which I don't have and if I did have would not always have with me (if I go out somewhere I don't want to be contacted).

My bank provides a chip reader that I need to set up new payees or make large payments and I don't need to do that away from home.

Posted by:

09 May 2019

Is "p1a2s3s4w5o6r7d8" without the quotes better?

Posted by:

09 May 2019

Actually you have not quoted Arsenault as saying passwords are useless. You made that conclusion, Bob.

Using a password manager, such as LastPass, to create effective passwords will solve any password issues you may encounter.

Of course the fools that use such simple passwords really just do not care about security.

Posted by:

09 May 2019

My passwords are easy for me to remember phrases. The only problem is some sites don't allow spaces.

Posted by:

09 May 2019

What @Mike said. Use a password manager such as LastPass or KeePass and create complex hard to guess passwords. Passwords are only useless if you create common easily guessable passwords like "monkey", "password", "qwerty" etc

Posted by:

09 May 2019

Guess what the fail-safe method is in case of a failure with Microsoft's non-password biometric software/hardware (and it will)?
You guessed it - ironically, a PIN, or password.
Too funny!
Those not concerned with security will still choose weak passwords, and never periodically change them - unless forced to by an outside source.

Posted by:

The 146%
10 May 2019

I wonder what Lois Lerner's dog used as a password.

Posted by:

10 May 2019

KeePass is free. All your passwords will be unique, and something like (but utterly different from) "o381wAgSF6xovMSarhi2", but you will never have to remember, or even look at, any of them ever again. Logging in to (e.g.) Amazon consists of click 1 (to open KeePass); enter my only password; click 2 (to select Amazon from a list); click 3 (to open the login page); click 4 (to auto-fill user name and password). That's it.

It is effectively 2FA — it only works on a device which has a copy of my password vault, and then only with my one master password (something fairly secure but easy for me to remember).

Did I mention that it's free?

Posted by:

10 May 2019

I have e-mail access thru a local educational set-up which uses a modification of 2FA. However, it is set up so that someone who does not have a cell phone can use their system. The group calls my regular land-line phone and I key in a code which connects me with the e-mail account.


Posted by:

Sally M.
10 May 2019

I predict that fingerprint verification will eventually result in some lost digits. Don't underestimate these crooks.

Posted by:

20 May 2019

If you only have a cell phone (no landline), and if that cell phone is lost or stolen, does that mean that now you cannot log into any of your websites that requires 2-factor? What is the procedure then?

EDITOR'S NOTE: You'd get a new phone and assign your number to it.

Posted by:

Ricky Moore
22 Sep 2022

I don't have a bank account, I don't do business online, I don't ever take my computer to public networks, I don't download anything that I don't know. 99% of all security and 'safety' features on Windows are completely fucking irritating and useless to me. I refuse to have a Microsoft account, they can shove their free year of office up their asses. I have NO USE for anything but freeware products, and I wish I wouldn't have had windows installed at all.


Copyright © 2005 - Bob Rankin - All Rights Reserved

Article information: AskBobRankin -- Are Passwords Useless? (Posted: 9 May 2019)