• Guest, The rules for the P & N subforum have been updated to prohibit "ad hominem" or personal attacks against other posters. See the full details in the post "Politics and News Rules & Guidelines."

Question Windows 10 password change with MS account sync accross devices?

JimKiler

Diamond Member
Oct 10, 2002
3,415
98
91
If I have Windows 10 with a Microsoft account and I change my login PIN on machine 1, will my password change on machines 2? I did change it and so far it did not change my password on machine 2. I went into my account and had to verify my identity with a verification code but i have logged out and in a few times and it is still my old password. I am definitely not using local accounts. Do i have to change each machine manually?
 

Chiefcrowe

Diamond Member
Sep 15, 2008
4,837
86
101
Yes, you have to change each machine manually. This is because the PIN is encrypted and stored on each device. I ran into this myself when a motherboard had to be replaced and the PIN had to be reset.

PIN login is more secure than using a password. The password is tied to your MS online account and for example if you change that and are not online, the laptop won't recognize the new password.

More reading about PIN vs. Password:

 
Last edited:
  • Like
Reactions: JimKiler

JimKiler

Diamond Member
Oct 10, 2002
3,415
98
91
Yes, you have to change each machine manually. This is because the PIN is encrypted and stored on each device. I ran into this myself when a motherboard had to be replaced and the PIN had to be reset.

PIN login is more secure than using a password. The password is tied to your MS online account and for example if you change that and are not online, the laptop won't recognize the new password.

More reading about PIN vs. Password:

So a PIN more secure but not as convenient as I have to update my PIN on my three PC's and two satellite PC's i administrate at my in-law's houses. The only reason i have a PIN is because Windows 10 updates forced it upon me. Although I am sure i can change it back to a password now.
 

Chiefcrowe

Diamond Member
Sep 15, 2008
4,837
86
101
I was thinking about this more and what do you guys think of this situation?

If someone manages to get your MS account password, then would they still be able to log in to your computer even if the PIN was available?
 

mikeymikec

Lifer
May 19, 2011
13,923
3,848
136
Yes, you have to change each machine manually. This is because the PIN is encrypted and stored on each device. I ran into this myself when a motherboard had to be replaced and the PIN had to be reset.

PIN login is more secure than using a password. The password is tied to your MS online account and for example if you change that and are not online, the laptop won't recognize the new password.

More reading about PIN vs. Password:

Considering the amount of times that I've encountered customers who have used their PIN so many times that they've forgotten their password, I don't think MS thought this one through particularly well.

Btw OP, you don't have to use a PIN to sign in. MS don't make it easy to avoid, but it is avoidable.
 

JimKiler

Diamond Member
Oct 10, 2002
3,415
98
91
Considering the amount of times that I've encountered customers who have used their PIN so many times that they've forgotten their password, I don't think MS thought this one through particularly well.

Btw OP, you don't have to use a PIN to sign in. MS don't make it easy to avoid, but it is avoidable.
I avoided the PIN until some release forced upon me and when i realized it could use characters i changed and never knew it was locked to the machine. Not that big a deal until i go to my extended family's homes and forget which PIN i used.
 

Chiefcrowe

Diamond Member
Sep 15, 2008
4,837
86
101
I'm still confused by the fact that they claim PIN is better but if your password gets compromised, someone could still log in to your computer even if you always use the PIN - am I understanding this correctly?
 

mikeymikec

Lifer
May 19, 2011
13,923
3,848
136
I'm still confused by the fact that they claim PIN is better but if your password gets compromised, someone could still log in to your computer even if you always use the PIN - am I understanding this correctly?
You're absolutely right.

The fact of the matter is that a Microsoft account makes your computer and your stuff more vulnerable than a local account does.

In order to make a Microsoft account as secure as it can be, a strong and complex password is needed, but your average two-finger-keyboard jockey doesn't want to have to type in a 26-char password every time just to log into their computer, so the PIN shortcut was dreamed up. It's a convenience feature, not a security feature.
 
  • Like
Reactions: Arkaign

quikah

Diamond Member
Apr 7, 2003
3,212
209
106
You're absolutely right.

The fact of the matter is that a Microsoft account makes your computer and your stuff more vulnerable than a local account does.

In order to make a Microsoft account as secure as it can be, a strong and complex password is needed, but your average two-finger-keyboard jockey doesn't want to have to type in a 26-char password every time just to log into their computer, so the PIN shortcut was dreamed up. It's a convenience feature, not a security feature.
Windows Hello is not a convenience feature. It is a fairly complex security feature that was designed to satisfy NIST requirements for multi-level authentication for an account. It is more geared for enterprise where you have much more configuration options and can really lock things down (require pin + security key or biometrics to login). The focus is securing the account, this is the important bit.

The main idea is that the pin is securing the device only. If someone manages to steal your device you can immediately de-authorize that device (invalidate the token) so that it can no longer login to your account. If someone already compromised your account it is game over regardless if they have your device or not which is why you should be using a minimum of complex password + 2FA for all accounts.

Whether you consider this better or worse than a local account depends on how you are using the device.
 

Chiefcrowe

Diamond Member
Sep 15, 2008
4,837
86
101
Thank you for your posts. Some great points raised!

I use MFA for my accounts but a lot of people don't. So that would mitigate most ways that someone could get your pw and log in to your system.
 

Chiefcrowe

Diamond Member
Sep 15, 2008
4,837
86
101
How do you de-authorize a device? I don't recall seeing that option....

Windows Hello is not a convenience feature. It is a fairly complex security feature that was designed to satisfy NIST requirements for multi-level authentication for an account. It is more geared for enterprise where you have much more configuration options and can really lock things down (require pin + security key or biometrics to login). The focus is securing the account, this is the important bit.

The main idea is that the pin is securing the device only. If someone manages to steal your device you can immediately de-authorize that device (invalidate the token) so that it can no longer login to your account. If someone already compromised your account it is game over regardless if they have your device or not which is why you should be using a minimum of complex password + 2FA for all accounts.

Whether you consider this better or worse than a local account depends on how you are using the device.
 

quikah

Diamond Member
Apr 7, 2003
3,212
209
106
How do you de-authorize a device? I don't recall seeing that option....
I believe you just remove the device from your account.

You also have the usual mobile device options of "Find my device" and locking remotely. I know enterprise can also remotely wipe devices, but I am not sure if home users are able to do this.

I cannot guarantee this works as expected as I have never tested it. AFAIK you would still be able to login to the device via pin or old password if it is offline. Would be interesting thing to go through all the various steps to see how it works when offline vs. online.
 

Chiefcrowe

Diamond Member
Sep 15, 2008
4,837
86
101
Thanks.. yeah I wish I had a test computer I could test that on.

In looking up, it seems like you have to be set up with Intune to be able to remote wipe computers....
 

JimKiler

Diamond Member
Oct 10, 2002
3,415
98
91
Thank you for your posts. Some great points raised!

I use MFA for my accounts but a lot of people don't. So that would mitigate most ways that someone could get your pw and log in to your system.
I was not a MFA until last month when someone in the Ukraine and Czech republic tried to access my google account. Then they tried my Instagram account...maybe they think i am social media influencer! MFA is not as bad as I thought. For Google it only asks the first time and then remembers your device.
 

mikeymikec

Lifer
May 19, 2011
13,923
3,848
136
It is more geared for enterprise where you have much more configuration options and can really lock things down (require pin + security key or biometrics to login). The focus is securing the account, this is the important bit.
However, having two passwords rather than one is not an improvement, and the PIN gets used for convenience by non-enterprise users, and MS pushes it in that way.
 

ASK THE COMMUNITY