New Post: Microsoft Ruined Passwords, Now Aims for a Passwordless Future

@LisaonMissouri

You’re way off topic. The information linked advocates for undermining the rule of law in the US, with the purpose of destroying our system of government. Based on fantasy and “alternative facts”. You are basically posting to advocate for anarchy in the United States.

Talk about inappropriate and offensive.

The furthest from anarchy that one can get. We are peaceful, non-combative, and are not trying to overthrow anything. Merely come up alongside and hold our employees accountable. At least you acknowledged that “Alternative Facts” are at play…we have been lied to long enough, dontcha think? I suggest you look at the rule of law more closely. Rule of Admiralty Law? Americans are only subject to the Public Law. There are more forms of law than one can possibly imagine…which should apply to which Country? And under what circumstances. I am merely trying to get people to think for themselves.

:no_mouth:

OT.

Again.

Well tbh it is part of the topic, just not everyone’s perspective of it. The problem is simple. The people are animals, profit generators. And companies elect our gov officials, who make laws to benefit those companies. When companies violate the truth and trust with the people, and they circumvent freedoms, and rights, privacy and security… and that is what Lisaon is pointing out. Microsoft is one of the worst companies out there that is in bed with our gov agendist platform. When $ and power overrule common sense that protects our liberty, ALL THAT IS LEFT IS ANARCHY. Harmony is about balance, a balance of power with security and privacy.

The technical stuff is what you want to talk about, but tbh, how we got here is just as important to debate and understand as is the method of application.

You cannot trust companies with your data. Period. The only reason I have a PC with a Windows install is because I love to play with music and unfortunately, Linux and my DAW do not work.

I cannot imagine what BS will come with Windows 11; I’ve already heard bad things about it. I recall Linus’s video explaining why he never pays Microsoft for Windows licensing and his reasoning. I have to stand firm: sometimes acting illegally is the only right option. Sometimes you have to be willing to violate a “law” to remain free. And just because something is a law doesn’t mean it’s right. People give the corporations and government too much credit, and power.

WE are the people. Remember. Always,

“No man is safe when freedom fails. The best men rot in filthy jails while those who cried ‘appease, appease’ are hanged by those they tried to please.”

It would be nice if this thread could stick to the topic of password policy, authentication approaches, and the vendor-control side-effects of Microsoft’s proposed passwordless authentication and the issues around trusted hardware-as-authentication-token.

For folks who would like to diverge from this topic to tie in politics, we have a Round Table category so feel free to start up a new thread in there.

3 Likes

And then there’s people like my mother, to whom I had to explain that using your birthday as your password for your online accounts is a bad idea. Right now she’s using a somewhat reasonably secure password. The same one everywhere, and it’s printed on a sticker on her laptop lest she forgets. There’s no way I could ever explain to her how to set up a password manager and use secure per-site passwords for all her online activities. That stuff is so far out of her daily life experience that the cognitive load is just too big. And that’s just my mom; don’t get me started on the few pensioners I’ve had to help out with their computers these past couple of years…

Unfortunately, there’s more than just us tech-savvy folks online.

If you offer an online service, spy movie threats are exactly the sort of threats you need to protect against. The account @jrial77 on Twitter may not attract much attention and will only ever face low-level attacks. But that’s not the case for @TomCruise, and certainly not for @POTUS.

1 Like

Well tbh this is not true. Though if she and you literally believe this with conviction, you will never see another outcome. YouTube is really handy: if she sees someone do it, she can do it too.

The brain is not limited the way you were taught. Neuroplasticity defines the limitless capacity of your brain. But if you believe that something is not possible, it will never be. So try to help her rewrite her thinking, and dissolve the beliefs of old. She can learn any skill, no matter how old she is, as long as she is open to the experience and is willing to learn, practice, and fail till success. Then she will achieve her goal.

If I need a condescending sermon…

…from a new-age hippy, rest assured you’ll be among the first on my mind when it comes to soliciting feedback.

In the meantime though, here’s a breakdown of the relevant facts:

  • Not everyone is versed in English. That means that most of the advice out there is lost on them. This includes most YouTube videos, but also written material.
  • Not everyone has the aptitude for technology.
  • Not everyone has the time to dedicate to getting better at technology. Which given how far behind the curve some people are, can represent a significant investment in time and effort indeed.
  • Nor does everyone have an active interest, for that matter.

She fits all 4 of these. So no, I’m not even gonna try. Explaining this sort of stuff to my mother is like trying to teach a pig to sing: it wastes your time, and annoys the pig.

3 Likes

Wow, alright dude. Have fun then.

I understand. I am in the minority in my position and I accept that most will disagree with me. Including you.

I still reject the belief that passwords are hard. I overcame the addiction of having weak passwords like I overcame a smoking addiction. But my view doesn’t matter except as a possibility that the overwhelming narrative may be wrong. But it will only be wrong on an individual level. I will likely never be right in the aggregate.

I accept that. And I accept your argument. :slight_smile:

1 Like

What I take away from this conversation is a confirmation that one size doesn’t fit all when it comes to authentication, or security measures in general. Different approaches work for different people, each of whom has different capabilities, assets, and threats. Threat modeling is important.

The authentication scheme I would use for someone with memory problems who just needs to look at pictures and answer calls on their phone, is different from the scheme I’d use for a journalist stationed in an authoritarian regime writing critical news pieces. And both of those are different from what I’d use for a typical computer user.

1 Like

That’s right, but sometimes it is possible to automate things under the hood, relieving users of the burden and raising security standards at the same time for the average user.

An example is how Signal made encrypted messaging a no-brainer. The average user’s privacy is much safer without significant user actions being necessary.

In the authentication area, passwords are still standard, but I guess many people still reuse weak passwords across internet services.

In your opinion, what would qualify as a strong password? I am just an average computer (Linux Mint) user. Maybe a little paranoid.

A long and random one. Ideally with arbitrary symbols. Some services limit the length and the allowed set of symbols.

How often should you change it?

The recommendation I set out in my talk is that the ideal password is a long random one, and you should use a different one for each account. Since that’s almost impossible to remember, store those accounts/passwords in a password manager.

That leaves you with a couple of passwords that must be memorable (to get into your computer, to unlock your password manager). For those cases I advocate a long passphrase, no fancy upper/lower case or symbols. For average threats a song lyric or movie quote you are familiar with works, something you will always remember. For folks with stronger threats, something like a diceware passphrase works well. The key is to pick something relatively long (at least 12 characters, ideally longer than that) so it’s hard to brute force, but memorable above all else. Then once you have that, you shouldn’t ever need to change it, unless you have reason to think the passphrase has been disclosed or otherwise compromised. As a general rule routine password rotation is a bad practice (even NIST thinks so now!) and password rotation encourages people to pick weaker passwords than they would otherwise.

2 Likes

Speaking of password managers, I recently transitioned to KeepassXC. Very easy to use, and a lot of nice features. Doesn’t sync with any “clouds,” but you can store your encrypted data file there or anywhere else you want.

It also makes complex password or passphrase generation trivial.

Plus, there’s plenty of space to record security question answers, PINs, or other info you might need to associate with a login.

1 Like

That is also what I use; however, on my Librem 5 I am using Gnome Password Safe, as it’s adaptive but also was able to import and use my existing KeepassX database. The big feature I like about password managers other than secure storage (otherwise a GPG-encrypted text file would fit the bill) is the password generation tool. You can tweak its settings on the fly to match whatever silly complexity rules a particular site has, and it does the work for you.

2 Likes
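The three posts above describe two kinds of secrets (a long random password that a manager stores, possibly constrained by a site’s length and symbol rules, and a memorable diceware-style passphrase for the handful of things you must type from memory) and the generator feature that tunes output to a site’s complexity rules. The following is an added example, not code from any poster or from KeePassXC or Gnome Password Safe, showing how such a generator and its entropy estimate work. The wordlist is a constructed 32-word toy (a real diceware list has 7776 words), and the symbol set and policy are assumptions standing in for whatever a given site allows.

```python
import math
import secrets
import string

# Constructed toy wordlist so the example runs offline. A real diceware list has
# 7776 words (about 12.9 bits per word); this one has 32 (exactly 5 bits per word).
TOY_WORDLIST = [
    "acorn", "basil", "cabin", "delta", "ember", "fjord", "gable", "haven",
    "igloo", "jewel", "kayak", "lemon", "maple", "noble", "olive", "pearl",
    "quilt", "raven", "sable", "tulip", "umber", "vivid", "wheat", "xenon",
    "yacht", "zebra", "amber", "birch", "cedar", "dusk", "elm", "frost",
]
DICEWARE_LIST_SIZE = 7776  # five rolls of a six-sided die: 6**5
DEFAULT_SYMBOLS = "!@#$%^&*()-_=+[]{}"  # assumed symbol set; narrow it per site


def passphrase(n_words=6, wordlist=TOY_WORDLIST, sep=" "):
    """Memorable-but-random passphrase. Each word is drawn independently with the
    OS CSPRNG (secrets), which is what makes the entropy estimate below honest."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def passphrase_entropy_bits(n_words, wordlist_size=DICEWARE_LIST_SIZE):
    """Entropy of an n-word phrase drawn uniformly from a list of the given size."""
    return n_words * math.log2(wordlist_size)


def meets_policy(pw, symbols):
    """Site-style complexity rule: lower, upper, digit, and a symbol if any are allowed."""
    checks = [any(c.islower() for c in pw),
              any(c.isupper() for c in pw),
              any(c.isdigit() for c in pw)]
    if symbols:
        checks.append(any(c in symbols for c in pw))
    return all(checks)


def random_password(length=20, symbols=DEFAULT_SYMBOLS):
    """Manager-stored password: long, random, drawn from a tunable alphabet.
    Pass symbols="" (or a subset) when a site restricts the allowed characters."""
    alphabet = string.ascii_letters + string.digits + symbols
    min_len = 4 if symbols else 3  # one character from each required class
    if length < min_len:
        raise ValueError(f"length must be at least {min_len} to satisfy the policy")
    # Rejection sampling: retry until the policy holds, so the result stays uniform
    # over policy-conforming strings instead of forcing fixed positions.
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_policy(pw, symbols):
            return pw


def password_entropy_bits(length, symbols=DEFAULT_SYMBOLS):
    """Upper bound on entropy for a uniformly random string of this length."""
    alphabet_size = len(string.ascii_letters + string.digits + symbols)
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    print("passphrase:", passphrase())
    print("6 real diceware words ~ %.1f bits" % passphrase_entropy_bits(6))
    print("password:", random_password())
    print("20 chars, 80-character alphabet ~ %.1f bits" % password_entropy_bits(20))
    print("site with no symbols allowed:", random_password(16, symbols=""))
```

The entropy figures are the point of the exercise: six words from a real diceware list give roughly 77 bits, which is why a six-word phrase is both typable and well past the "at least 12 characters" floor, while a 20-character password from an 80-character alphabet gives about 126 bits and is the sort of thing you store rather than memorize. Narrowing `symbols` to what a site accepts lowers the per-character entropy slightly, which you compensate for with length.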

I was using a (weakly) encrypted text file for the longest time. Then I noticed that some logins had seemed to disappear from it! I also needed it to remember the passwords for my external backup drives…which was one of the bits that had disappeared. I was just about ready to reformat the external drives and lose some important old files, when I accidentally found several different versions of the password file in my .cache directory. Whew! Turns out I had been updating different versions for some time!

1 Like

Yeah. I have different versions of my password database. The synchronization is still something I need a better solution for. As long as I mounted the file remotely from my server, things were fine, but when out and about I had a local copy on my smartphone. And then I started creating new accounts, so the databases started to differ. I’m considering storing the leading files on my server and synchronizing over VPN, and maybe making changes only to the server file, or something like that.

1 Like