Microsoft's CISO: Why we're trying to banish passwords forever

Nobody likes passwords, says Microsoft's chief information security officer. Here's how the software giant is getting rid of them for good.
Written by Liam Tung, Contributing Writer

Bret Arsenault, Microsoft's chief information security officer (CISO), who's been at Microsoft for 31 years, says he's only ever been publicly cheered once at the company: that was when he killed off Microsoft's internal policy of changing passwords every 71 days. 

"That's the first time I've been applauded as a security person and executive," Arsenault tells ZDNet. "We said we're turning off password rotation within Microsoft, because we had eliminated that part of it." 

As Microsoft's CISO, Arsenault is responsible for protecting both Microsoft products and its internal networks used by its 160,000 employees. After adding vendors into the mix, he's responsible for about 240,000 accounts globally. And getting rid of passwords and replacing them with better options like multi-factor authentication (MFA) is high on his to-do list.

Microsoft updated its password policy in stages. In January 2019, it moved to one-year expiry, using telemetry to validate effectiveness. In January, 2020 it moved to unlimited expiry based on the results.  

Microsoft also stopped recommending to customers to implement a 60-day password expiration policy in 2019 because people tend to make small alterations to existing passwords or forget new good ones. 

For Arsenault, rather than make the conversation about putting MFA everywhere, he framed the change as being about eliminating passwords.

"Because nobody likes passwords. You hate them, users hate them, IT departments hate them. The only people who like passwords are criminals – they love them," he says. 

"I remember we had a motto to get MFA everywhere, in hindsight that was the right security goal but the wrong approach. Make this about the user outcome, so transition to "we want to eliminate passwords". But the words you use matter. It turned out that simple language shift changed the culture and the view of what we were trying to accomplish. More importantly, it changed our design and what we built, like Windows Hello for business," he says. 

"If I eliminate passwords and use any form of biometrics, it's much faster and the experience is so much better."

On Windows 10 PCs, that biometric security experience is handled by Windows Hello. On iOS and Android, access to Office apps is done through Microsoft Authenticator, which provides a smooth experience when logging into Microsoft Office apps. It taps into biometrics available on iPhones and Android phones.   

"Today, 99.9% of our users don't enter passwords in their environment. That said – progress over perfection – there are still legacy apps that will still prompt [for a password]," he says.

However, that's not the end of the battle. Just 18% of Microsoft's customers have enabled MFA

This figure seems absurdly low given that enabling MFA is free for Microsoft customers, yet as ransomware shows, there can be mult-imillion dollar consequences when just one key internal account is compromised. 

Protecting accounts with MFA won't stop attackers completely, but it does make their lives harder by shielding an organization from the inherent weaknesses in usernames and passwords to protect accounts, which can be phished or compromised through password-spraying attacks

The latter technique, which relies on password re-use, was one way the SolarWinds attackers breached targets besides breaking into the firm's software build systems to spread a tainted software update.    

Microsoft is moving towards a hybrid mode of work and, to support that shift, it's making a push towards a Zero Trust network design, which assumes the network has been breached, that the network extends beyond the corporate firewall, and caters to BYOD devices that could be used at home for work or at work for personal communications. 

But how do we get more organizations to enable MFA in critical enterprise products from Microsoft, Google, Oracle, SAP and other crucial software vendors? 

For organizations looking to enable MFA, Arsenault recommends targeting high-risk accounts first and to work on progress rather than perfection. The biggest problem is legacy applications, but seeking perfection risks getting bogged down. 

"Everyone has brownfield apps that can't support modern authentication, such as biometrics, and so I think what a lot of people should and need to do is take a risk-based approach: first get MFA enforced for high-risk/value groups like admins, HR, legal group and so on, and then move to all users. It can be a multi-year journey, depending how quickly you want to do something," he says.

Then there's the difficult question about SolarWinds and how Microsoft, which has a $10 billion cybersecurity business, got caught out by Russian government hackers. Microsoft in February claimed it was only minimally harmed by the incident, but it was nonetheless breached. Microsoft president Brad Smith called the hack a "moment of reckoning" because customers, including Microsoft itself, can no longer trust the software they get from trusted vendors. 

"Certainly, we used SolarWinds Software in our environment and we identified and remediated the impacted versions and we've been public about that there was access. We continue to modify how we do supply chain programs and how we evaluate what's in supply chain and how quickly we can go do those things," says Arsenault. 

SEE: Cloud computing: Microsoft sets out new data storage options for European customers

 According to Arsenault, Microsoft had seen the supply chain threat coming for a long time. 

"You see a lot of people doing stuff to protect their front doors, but then their backdoors are wide open," he says.  

"The part we've seen coming along is that the supply chain is the weak point, right. You have limited visibility into your suppliers. I think [US president Joe Biden's] executive order will help in this space. But getting to the view of how we think about suppliers, we need a way to get that visibility in a scalable way.

"I want to take the Zero Trust concept for information workers and apply that to the software supply chain, which is no line of code that was ever written wasn't from an attested identity, from a healthy device," he says.  

Editorial standards