Microsoft Makes New Accounts Passwordless by Default

Microsoft has taken its most significant step yet toward eliminating passwords by making new Microsoft accounts "passwordless by default." The change means new users will never need to create a password, instead using more secure authentication methods like biometrics, PINs, or security keys.

The move builds on Microsoft's decade-long push toward passwordless authentication that began with Windows Hello in 2015. According to company data, passkey sign-ins are eight times faster than password and multi-factor authentication combinations, with users achieving a 98% success rate compared to just 32% for password users. Microsoft also said it now registers nearly one million passkeys daily across its consumer services.

what dummies lmao

[Anonymous Coward]

A PIN is nothing more than a password.

Re:what dummies lmao

[mysidia]

Huge difference for this case. The PIN is only locally significant and used to unlock a credential stored on your device.
Your PIN is never sent over the network like a login password is.

What makes passwords vulnerable is they are used directly in an authentication protocol.
With locally-sigificant PINs the PIN is not part of the authentication protocol. The authenticator is on your computer,
and the PIN is simply used as an additional factor to unlock the authenticator on your computer.

Re:

[MeNeXT]

So what is being sent? A password? Why do I need to send anything over the network when I'm logging into my system?

Re:

[caseih]

I'm surprised by this question. This is slashdot. We push https and ssh keys, both of which don't send private keys over the wires. Cryptographic challenges are used, with they keys remaining local. To be secure, MS must be doing something very similar. Perhaps even storing your keys in the TPM under Windows.

Re: what dummies lmao

[reanjr]

A session key negotiated similar to (but not) Diffie-Hellman key exchange using TLS and the PKI to ensure secured communication with the authentication provider.

Lookup FIDO protocol for more info.

Re:

[MeNeXT]

That can be accessed by a PIN? Why not just keep the password and send the key? I use FIDO. I don't need a 4 digit PIN.

Re:

[mysidia]

Why not just keep the password and send the key?

This is to ensure normal humans can remember their password without having to write it down. The idea is you should use a simple password to help minimize the chance you forget the password. Brute force is prevented by the nature of the authentication protocol. Also the local device will have a tries counter. For example: If you insert your Yubikey and get the PIN wrong 3 times, then the token will be locked out and no more attempts are possible.

Re:

[markdavis]

>"This is to ensure normal humans can remember their password without having to write it down."

People wouldn't have problems remembering their password if stupid, outdated, "security practices" didn't force them to change the password all the time. Way before NIST (I think it was) *finally* admitted that aging passwords *reduced* security, I was fighting with auditors who insisted that I should implement password aging. So of course they have to be poorer quality, and written down. And of course all

Re: what dummies lmao

[reanjr]

"Why do I need to send anything over the network when I'm logging into my system?"

You don't have to. You can still setup a fully local account, but this will have a password.

Passwordless (secured by multi-factor) would be a bit complicated for users to setup locally, but a motivated individual could do it.

There are benefits to having this sort of service though. Your laptop might be stolen and if your accounts are all associated with MS through this scheme, you can remotely remove access from everything tha

Re:

[MeNeXT]

If the laptop is stolen I don't have the key. Right now I have an encrypted DB that I can copy/move from system to system. I need a password to access my system and another for the DB. If my laptop is stolen the disk is encrypted and requires a password and another for the DB key to access the passkeys. How is a PIN more secure than my passwords?

Why would I entrust a company that is changing it's business model to make me a product with my credentials?

This is just more lock-in for the lazy. If it's importan

Re: what dummies lmao

[reanjr]

"You need to generate the keys and make sure the private key is private"

Yeah, that's how FIDO works. Look it up. That's why you can't export access from one device to another. The keys are literally locked inside a TPM module.

Re:

[MeNeXT]

So let me get this straight. Your point is it's more secure to use a PIN with TPM rather than a password with TPM?

The issue I have with TPM is that if I lose access to the TPM device then I lost access unless I have more than one TPM device.

No matter what if it's important to you you need to take the time to secure it.

Re:

[Bongo]

Everyone now focus on compromising the device instead.

Re:

[RatherBeAnonymous]

Passwords are not sent over the network either, at they are not with sane authentication methods. OAuth, Kerberos, NTLM, CHAP, etc. all use the passwords or password hashes to encrypt authentication tokens that are passed over the network.

Re:

[WaffleMonster]

Passwords are not sent over the network either, at they are not with sane authentication methods. OAuth, Kerberos, NTLM, CHAP, etc. all use the passwords or password hashes to encrypt authentication tokens that are passed over the network.

Kerberos, NTLM and most CHAP schemes generally are considered insecure legacy authentication methods that should be avoided.

They are effectively the same as sending passwords over the network because anyone can use the challenge messages in handshake to launch an offline brute force attack against the password. Most real world passwords are unable to withstand such attacks and thus the effective outcome is indistinguishable from cleartext.

The solution is replacing insecure legacy bullshit with zero knowled

Re:

[WaffleMonster]

Huge difference for this case. The PIN is only locally significant and used to unlock a credential stored on your device.

There is no difference between a PIN and a password.

Your PIN is never sent over the network like a login password is.
What makes passwords vulnerable is they are used directly in an authentication protocol.

What makes passwords vulnerable is the use of insecure authentication protocols. If you use a secure zero knowledge proof to establish mutual proof of possession passwords are also never "sent over the network".

I know for a fact Microsoft knows what a secure authentication algorithm is. They simply refuse to deploy them.

With locally-sigificant PINs the PIN is not part of the authentication protocol.
The authenticator is on your computer, and the PIN is simply used as an additional factor to unlock the authenticator on your computer.

So long as you can just mash the I forgot my pin button a PIN is most certainly not improving security.

Re:

[strikethree]

It is still a password. The underlying mechanism doesn't change the fact that a PIN absolutely *IS* a password.

Re:

[theendlessnow]

Sure other have said similar. No, locally allowing your private key to be involved in answering challenges is not the same thing. As the "unlock" is all local. Microsoft uses separate key pairs for each mechanism used (pin, face, finger, etc.). But, presence (locale) of keys (talking private side)?? Perhaps a problem. So, I think there are still too many "chicken and egg" scenarios. Also, the concept of what is called "passkeys" and Windows Hello are different... so, if about the former, there is som

Re:

[taustin]

And generally, a much less secure one, being, usually, 4 or 6 digits, often numbers only.

Re: what dummies lmao

[linear a]

I suspect they mean"pin and something else", e.g. a device such as a phone.

Re:

[strikethree]

A PIN is nothing more than a password.

LOL, you noticed that too eh? They have no shame... or are just completely ignorant.

Re:

[jacks smirking reven]

I don't think it is but your average user likely doesn't use a random password. If someone has physical access and the knowhow will break either in short order. A random 4 digits is "good enough" versus the alternative of "password1!"

At least that's a guess for me, on setup hey definitely push you towards a biometric if it knows the machine supports it.

It may be worse...

[Roger W Moore]

I don't think it is but your average user likely doesn't use a random password.

True, but your average user probably does not use a random PIN either making it easier to guess and, because banks also use PINs, probably means that an attacker now has access to their bank account as well.

Re:

[jacks smirking reven]

True but we can only do so much if at this point people want to do that, it is 2025 and we all know that's dumb, I think that person is screwed regardless if that's the only measure. Thankfully the biometric stuff has gotten good enough to where it's far more convenient.

Re:

[Shades72]

So now a robber will need to cut off the victim's finger(s) and/or poke out eye(s) instead. By making it safer, did Microsoft make it safer?

Re:

[jacks smirking reven]

Yes they did because if that happens to someone they were getting targeted for something and by someone who really really wants whatever that data is specifically.

Re:

[groobly]

Microsoft will solve that problem by using a 100 digit PIN.

Re:

[markdavis]

>"I don't think it is but your average user likely doesn't use a random password. If someone has physical access and the know how will break either in short order."

* No system should allow repeated failed login access without delays between each attempt.

* No system should allow unlimited login attempts. After X tries, there should be an extra-long delay and other actions. That might be reporting it to someone, locking the login, blocking the source for X minutes/hours or forever, etc.

For most systems/s

Re:

[thegreatemu]

In most cases, writing down passwords is a good thing. If you can't convince people to use a good password manager, writing your passwords down and keeping it next to your computer is the next best thing by far. If I keep my bank password on a piece of paper next to my home computer, there is absolutely no way for anyone to ever steal it remotely, unless I wave it in front of the camera on a zoom meeting. And unless you're a high profile intelligence target, the chances that someone will break into your hou

Re: what dummies lmao

[paul_engr]

"chances that someone will break into your house and recognize your password sheet while they're grabbing all your valuables as fast as they can is effectively zero" Hmmm.... Your password sheet is a valuable, dummy.

Re:

[jacks smirking reven]

Yeah physical access means the system is all but effectively owned no matter what password you have and most remote exploits take advantage of the fact that the user is already logged in, i don't think most exploits for Windows revolve around hacking the login system it's almost all getting the existing user to execute some code under their credentials.

Re:

[GrahamJ]

As long as the number of tries is very limited and the PIN is not easily guessable I don't think it makes much difference how much entropy there is.

Re:

[Voyager529]

As long as the number of tries is very limited and the PIN is not easily guessable I don't think it makes much difference how much entropy there is.

...So then why is "${SIGNIFICANT_YEAR}" secure, but not words? Four-digit numerical PINs are secure now, but lower-case dictionary words aren't?

Passwords became unwieldy because we tried to improve security by mandating complexity, but suddenly 'limiting tries' is all it takes for four-digit numbers to become 'secure' again?

Re:

[thsths]

> Passwords became unwieldy because we tried to improve security by mandating complexity, but suddenly 'limiting tries' is all it takes for four-digit numbers to become 'secure' again?

Basically, yes. Password complexity only matters if we assume that the hash has been compromised. I am not sure why we are ok with that assumption - if the hash is compromised, maybe we should assume that the whole system is compromised?

The PIN is stored on the TPM (hashed or not really does not matter), so we assume it can

Re:

[GrahamJ]

SIGNIFICANT_YEAR would probably fall into the category of easily guessable.

Limiting tries has always been a good security measure. The problem with it for online services is bad actors can spam auth endpoints and lock out everyone's accounts so try limits aren't usable. For local login with fallback to complex password it's fine.

Re:

[karmawarrior]

I think there's more context to this. In general, they're talking about PIN-based access when you're logging directly into a device, a PC you're sitting in front of, or a phone for example, while you have it in your hand. In this scenario you're doing implicit-MFA - you have an object (the device itself), you just need a second method of authentication (the PIN number.) Because it's a form of MFA the security around the PIN number can be lowered, especially given you're also reducing the chances of guessin

Re: what dummies lmao

[paul_engr]

Passwords became dumb because we had mandatory change policies on many platforms that were not rooted in any rational justification in this universe.

Re:

[darkain]

the org i'm in has the same complexity requirements for "pins" as they do "passwords" (yes, all character classes, min length, no repeating, etc)

ya, shit sucks

Re:

[organgtool]

I created a policy that does this at the organization that employs me. A PIN for a Microsoft account effectively provides almost as much access as a password, so the complexity requirements should be similar.

Re: what dummies lmao

[deepthought90]

PINs don't have to be 4 digits. I use a smart card for login at work, and the PINs are required to be at least 8 digits long. The system 2-factor. The PIN is a something I know. The smart card is something I have. The PIN essentially verifies the smart card, and then the certificates on the smart card, which are much higher security, are used for everything else.

Re: what dummies lmao

[mhajicek]

You know how you could make that even more secure? Allow the pin to use letters and special characters in addition to numbers to dramatically increase the problem space!

Re:

[thsths]

And require the PIN to be 24 characters long?

You know what would be even more secure?

Make the PIN 1000 characters long.

Re:

[mindwhip]

You can actually choose on your Windows settings to allow letters and other characters in your Windows PIN...

Re:

[viperidaenz]

Probably because a PIN can only be used locally on the device it is set up on, to unlock a security key that is then used for remote authentication.
You need physical access to a device to try and break the PIN.

Re:

[organgtool]

True, but once you're in on that device, I believe you're usually automatically logged in to the user's Microsoft account. The attacker can change the password and add their own device as an MFA authentication method and now they have full access to your Microsoft account from any device.

Re:

[The-Ixian]

I think that it's a little misleading. PIN and biometrics are *local* authentication methods only.

Once you locally authenticate, passkeys, certificates or other cryptographic tokens are used to authenticate with cloud services.

Re:

[MeNeXT]

You make it sound as if 4 digits are secure. How about a password to unlock the device and repeat the password to access the passkey if the password was not entered in the last minute.

This high security comes from a company that publishes the username in every email.

Re:

[IDemand2HaveSumBooze]

And you could do the exact same thing with a password. Because pin is password but with maybe less complexity requirements. Otherwise, it's still a string of characters entered into a password field.

Re: what dummies lmao

[reanjr]

Because that's not the whole story. PIN is a single factor. When you call, you are providing at least two factors and maybe more. My typical experience is like 3 factors.

And then there's the fact that bank transactions can be reversed when fraud occurs.

The actual incidence of this sort of fraud is pretty minimal when compared to - say - sending a credit card # over the web to a TLS compliant site.

just one step short.

[Gravis Zero]

If you only they could make it so that not only isn't a Microsoft account isn't needed but that they don't hound you to make a Microsoft account.

Windows used to be nice but proprietary and now it's an unending hellscape of nags. I FUCKING HATE WINDOWS.

Re:

[RitchCraft]

Linux just entered the room.

Re:

[jmccue]

BSD ran in also

Re:

[RitchCraft]

What's up bro?

Re: just one step short.

[vbdasc]

Please someone keep Mac OS away. The chatroom is full.

GNU/Linux appears incompatible with passkeys

[tepples]

Desktop Linux also happens to be the only major operating system not listed among the compatible operating systems in Microsoft's help page about passkeys [microsoft.com].

Supported devices

Passkeys are supported on the following:
- Windows 10 and newer.
- macOS Ventura and newer.
- ChromeOS 109 and newer.
- iOS 16 and newer. Passkeys in Microsoft Authenticator require iOS 17 and newer.
- Android 9 and newer. Passkeys in Microsoft Authenticator require Android 14 and newer.
- Hardware security keys that support FIDO2 protocol.

Re: just one step short.

[reanjr]

I assume there are still pro editions of Windows where this stuff is more straightforward. If you have opinions on how your machine should be secured, the home edition is not targeted at you.

Re:

[taustin]

Pro (and I believe Enterprise) have a trick during setup, where you tell it you're going to join a domain (which lets you finish setup with a local account), then never join the domain.

Nagging to sign into a MS account, however, seems to be eternal.

Re:

[Ormy]

Nope, Win10 enterprise never nags me for anything, ever. Although I have an MS account (which I use for playing microsoft's multiplayer video games like Halo) I have never had the OS itself logged in, never even been asked. Also onedrive, cortana, edge, xbox game bar, automatic updates (I apply security updates manually at my convenience), telemetry and all other bloat all permanently disabled.

All we need now...

[Excelcia]

....is Microsoft Accountless.

Re:

[jenningsthecat]

....is Microsoft Accountless.

I've been Microsoft Accountless since... let me see... oh, that's right! I've never had a Microsoft account!

Re: All we need now...

[Big Hairy Gorilla]

Heyyy... pssst.... over here .... we got what you want ... accountless Windows... but it'll cost ya... hehe

Umm. Legit question: there any such thing ? Maybe if you have a site license for a big co or gov you can customize your accounts ?

Re: All we need now...

[reanjr]

Aside from regular old local accounts, you can absolutely setup your own enterprise authentication scheme. For example, some companies use their Google app logins to login to their Windows machines.

Re: All we need now...

[Big Hairy Gorilla]

So this is much worse than I imagined. It's not like an unpatched webserver ... it's outsourcing your entire authentication infrastructure. That's a bad strategy for self preservation. But thanks for answering my question.

Re:

[markdavis]

>"it's outsourcing your entire authentication infrastructure. That's a bad strategy for self preservation."

Yep.

What happens when that outside company has a technical problem? Or has to comply with some new policy or law? Or has to turn over access without your knowledge to law enforcement? Or just doesn't like you for whatever reason?

"You will own nothing and be happy" Hmm...

Re: All we need now...

[reanjr]

Nothing says you have to outsource it. Google is just a widely used example of a custom authentication scheme. You can roll your own if you want.

Re:

[Excelcia]

You can't bring home a computer and have just a regular old local account any more. Not without going to extreme heroics. If you've found a way, please show your work.

And your average home user shouldn't have to set up an enterprise authentication scheme.

Re: All we need now...

[madbrain]

You can still do it. I did it with an LG gram laptop I got from Costco in November. It came with Win11 home. It wasn't hard to find on a search engine. Took about 5 minutes to find, and perhaps 10 more minutes to do it. You have to make sure not to login to Wifi, not to plug in Ethernet, click the right boxes. As I recall, you need to open a command prompt and type some OOBE command, then reboot. And then it is done. I have 1 desktop, 1 laptop, 2 HTPCs all running Win11 with local account. I would have sta

Re: All we need now...

[reanjr]

I've said this elsewhere, but if you have opinions on security, the home edition of Windows is not targeting you. Get the pro edition, where - as far as I know - this is much more straightforward to setup.

"more secure"

[darkain]

"more secure" depends on your definition of security.

first off, the finger print reader on my main windows laptop for work is absolute dogshit, forcing me to revert back to normal passwords anyways.

next, i have no real method of transferring those credentials to another machine.

and no, they are NOT faster. this is only true for things like cell phones that you physically hold. my work laptop? its docked. i need to get up out of my chair to get to the finger print reader. and yes, i know not everyone has thi

Re:

[bloodhawk]

next, i have no real method of transferring those credentials to another machine.

that is a feature. The whole point is the credentials are not transferrable therefore not subject to being stolen or reused elsewhere.

Re:

[quonset]

next, i have no real method of transferring those credentials to another machine.

that is a feature. The whole point is the credentials are not transferrable therefore not subject to being stolen or reused elsewhere.

Lovely. So you have to have separate credentials for every machine you log into. This won't slow down people who need to work on multiple machines in the least.

Re: "more secure"

[reanjr]

You sit down at any machine and use the same key (hardware, biometric, whatever), which gets combined with the device key to allow access to services.

As the old adage goes, security is something you know and/or something you have.

When signing into your machine you know the PIN and have the key fob (or fingerprint).

Once you've signed in though, the services you use can leverage this scheme to tie your access to the device itself. That device key is what you can't transfer. So each new device will likely requ

Re:

[coofercat]

Microsoft MFA is indeed terrible. The problem with it is that your laptop can request MFA any time it likes - so while you're out at lunch you get an alert "approve this login!", but you can't because you're no where near your laptop. Then when you come back to your laptop, the workflow is such crap that it's unnecessarily hard to get a new code and approve it.

A simple check to say "is the screensaver on? If so, don't attempt re-auth until it's off"' would be a good start - but such things are beyond Micros

Yes, but ...

[fahrbot-bot]

The change means new users will never need to create a password, instead using more secure authentication methods like biometrics, PINs, or security keys.

I just setup two Windows 11 systems for a friend and used the little checkbox at PIN creation to allow both letters and numbers, so a PIN can be like a password -- ignoring how they're stored by the back end. Anyway, that was easier for them to remember than just (more) numbers.

Guess what

[GrahamJ]

I don't want to have to deal with 2FA when logging into my device. Lots of things cause you to have to re-auth and when that happens I want to use a password.

I can safely configure a local account that way whereas it's less secure if I'm required to use an internet account. So, don't force the use of MS accounts.

Re: Guess what

[Big Hairy Gorilla]

If this was a swipe pattern like on an android phone I don't think I'd blink an eye ... it must be optional in the settings though, like password on screensaver.

but I'd balk if it required biometrics... Recall is already a non starter... also Microsoft products are 30% generated code according to the boss over there... so that explains why it's garbage use plus anyone using Microsoft is a true serf now... property... irritating AND sad.

Re:

[Tony Isaac]

I can safely configure a local account

Actually not. Local accounts can easily be thwarted by enabling the hidden Administrator account. https://www.makeuseof.com/wind... [makeuseof.com] Even if you disable this account, it can be worked around by using a PE Boot loader.

Before Windows started pushing people to use Microsoft accounts, when friends would ask me to fix their computers, I never needed to ask them for their passwords. I would just log in as Administrator (which has no password) and do what I needed to do.

The one good thing about Microsoft accounts,

Re: Guess what

[vbdasc]

Why disable Administrator if I can assign a password to it?

Re:

[Tony Isaac]

Did you do that, in your "secure" system? I suspect not. If you haven't, your confidence in your ability to make your local account "secure" may be overrated. The account exists, hidden, without a password, on every Windows system, unless you assign a password or delete the account..

Even if you do that, it's still possible to boot using a USB stick with a PE loader, and log in as administrator.

Re:

[Shades72]

Besides adding a password, you can rename the Administrator account too. Not much of a security feature, but makes it a guessing game. As this is not a common practice, it is unlikely that software to illegally enter a Windows computer will not be able to.

Again, not much of a security feature, obfuscation hardly ever is. But it is a time-sink and provides other security systems time to react.

Re:

[organgtool]

I think the negative associations with "Security Through Obscurity" are a bit overblown. Security Through Obscurity can be extremely effective, as long as it's combined with all of the traditional best-practices of security. Things such as non-standard usernames and ports can certainly add a useful layer of security to a system that is already well-secured. The term was meant to shame people who never implemented the traditional forms of security and operated only via obscurity.

Re:

[GrahamJ]

Even if I used Win11 you'd need to be sitting in front of and logged into my PC to enable the administrator account. MS accounts are less secure because they exist on a remote service I don't control.

Re:

[Tony Isaac]

It is a fallacy to assume that physical proximity to your system, gains you additional security. Most hacking these days is done remotely.

With a local account, there are no checks, there is no throttling of brute force attacks. If a hacker can get some malware on your computer (a task that is shockingly easy), they can try a thousand passwords a second until they get it right. With a Microsoft account, they can't do that, the system has throttling mechanisms and blacklists and two-factor authentication and

RDP permanent password

[awwshit]

https://arstechnica.com/securi... [arstechnica.com]

4 digits that are good forever.

32% password success rate?

[linear a]

42% password success rate sounds like bullcrap to me.

Re: 32% password success rate?

[linear a]

Oops, 32% as stated in the post.

Re:

[markdavis]

>"32% password success rate sounds like bullcrap to me."

Probably.

Maybe it is high on systems that require some stupid 15 character passwords with X symbols and stupid aging (which should not be used). But even then, I doubt it is a 68% login failure rate.

On systems with REASONABLE complexity and without aging (so the user can actually remember the password), I would estimate an average login success rate of maybe at least 90%. If it is a situation where 2FA is appropriate, then of course that number wi

Here's a scenario

[viperidaenz]

I have a Microsoft Account, with no password.
My device breaks. How do I sign in to my account from another device while I wait for mine to be fixed?

Re:

[Baron_Yam]

I assume your secondary auth method will be the biometrics they've coerced you into finally giving up.

Biometric

[Errol backfiring]

Whoever thinks that biometrics are secure (and speaks German, sorry), should watch the video Ich sehe, also bin ich .... du [media.ccc.de] (I see, therefore I am .... you).

And how ...

[allo]

And how do we hold Microsoft accountable now?

Re:

[markdavis]

>"And how do we hold Microsoft accountable now?"

By leaving their products. Voting with your feet and your wallet.

Re:

[mysidia]

Yes. Because even a single-character password using only digits 0 - 9 is more secure as an authorization PIN to unlock a cryptographic authenticator than the strongest possible online login password you can possibly imagine.

All passwords sent over the network automatically become insecure

Password-based authentication to a server inherently has zero resistance to phishing. And zero resistance to verifier compromise.
Login passwords also have a high chance of being reused by the user, and then if ANY

Re:

[MeNeXT]

I don't need to send a password over the network just like your comment that you don't send the PIN. Why are you assuming all passwords need to go over the network? So authenticate with a password on your local system and don't send the password over the network just like the PIN.

Re:

[mysidia]

Why are you assuming all passwords need to go over the network?

As a general rule passwords ARE or can be sent over the network. And in the specific case of Microsoft Account passwords and even classical Windows local user login passwords - they ARE sent over the network and can be presented or used on login to your computer or other computers on your local network remotely.

Password-based authentication refers specifically to that method of authentication where a Remote server prompts you for a password,

Re: wtf is happening

[Big Hairy Gorilla]

You're both right. What he's saying is that even a 4 character word has more combinations than a 4 digit pin and what you're saying is public key authentication is orders of magnitude stronger than passwords.

Re: wtf is happening

[vbdasc]

Why are you conflating browsing the Internetz (with its fishing, etc) and logging to Windows? These are two conceptually different things. And yes, what MS and you present is a solution to a non-existing problem. I can use a hardware-backed password vault when browsing the Net, and a local account for logging to Windows, and my security will be no weaker than what you describe, with the added benefit that I don't give MS, whom I don't trust a bit, a kill switch for my own computer.

Re:wtf is happening

[sysrammer]

did you really just say that a base 10 4 digit number is more secure than words

slashdot has fallen

How did you guess my passphrase?

Re: wtf is happening

[reanjr]

When a 4-digit PIN is used to unlock a 4096 bit RSA key stored using hardware encrypted devices, it's much more secure than a password hashed using SHA-256 and sent over the wire.

Re: wtf is happening

[vbdasc]

Yet, it's not more secure than a password NOT sent over the wire, or even than a password that is only sent to a friendly network, inside your secure perimeter