Question Windows 10 password change with MS account sync accross devices?

JimKiler · Jan 3, 2020

If I have Windows 10 with a Microsoft account and I change my login PIN on machine 1, will my password change on machines 2? I did change it and so far it did not change my password on machine 2. I went into my account and had to verify my identity with a verification code but i have logged out and in a few times and it is still my old password. I am definitely not using local accounts. Do i have to change each machine manually?

Chiefcrowe · Jan 6, 2020

Yes, you have to change each machine manually. This is because the PIN is encrypted and stored on each device. I ran into this myself when a motherboard had to be replaced and the PIN had to be reset.

PIN login is more secure than using a password. The password is tied to your MS online account and for example if you change that and are not online, the laptop won't recognize the new password.

More reading about PIN vs. Password:

Windows Hello for Business overview - Windows Security

Learn how Windows Hello for Business replaces passwords with strong two-factor authentication on Windows devices.

docs.microsoft.com

JimKiler · Jan 8, 2020

Chiefcrowe said:
Yes, you have to change each machine manually. This is because the PIN is encrypted and stored on each device. I ran into this myself when a motherboard had to be replaced and the PIN had to be reset.

PIN login is more secure than using a password. The password is tied to your MS online account and for example if you change that and are not online, the laptop won't recognize the new password.

More reading about PIN vs. Password:

Windows Hello for Business overview - Windows Security

Learn how Windows Hello for Business replaces passwords with strong two-factor authentication on Windows devices.

docs.microsoft.com

So a PIN more secure but not as convenient as I have to update my PIN on my three PC's and two satellite PC's i administrate at my in-law's houses. The only reason i have a PIN is because Windows 10 updates forced it upon me. Although I am sure i can change it back to a password now.

Chiefcrowe · Feb 7, 2020

I was thinking about this more and what do you guys think of this situation?

If someone manages to get your MS account password, then would they still be able to log in to your computer even if the PIN was available?

mikeymikec · Feb 14, 2020

Chiefcrowe said:
Yes, you have to change each machine manually. This is because the PIN is encrypted and stored on each device. I ran into this myself when a motherboard had to be replaced and the PIN had to be reset.

PIN login is more secure than using a password. The password is tied to your MS online account and for example if you change that and are not online, the laptop won't recognize the new password.

More reading about PIN vs. Password:

Windows Hello for Business overview - Windows Security

Learn how Windows Hello for Business replaces passwords with strong two-factor authentication on Windows devices.

docs.microsoft.com

Considering the amount of times that I've encountered customers who have used their PIN so many times that they've forgotten their password, I don't think MS thought this one through particularly well.

Btw OP, you don't have to use a PIN to sign in. MS don't make it easy to avoid, but it is avoidable.

JimKiler · Feb 14, 2020

mikeymikec said:
Considering the amount of times that I've encountered customers who have used their PIN so many times that they've forgotten their password, I don't think MS thought this one through particularly well.

Btw OP, you don't have to use a PIN to sign in. MS don't make it easy to avoid, but it is avoidable.

I avoided the PIN until some release forced upon me and when i realized it could use characters i changed and never knew it was locked to the machine. Not that big a deal until i go to my extended family's homes and forget which PIN i used.

Chiefcrowe · Feb 14, 2020

I'm still confused by the fact that they claim PIN is better but if your password gets compromised, someone could still log in to your computer even if you always use the PIN - am I understanding this correctly?

mikeymikec · Feb 15, 2020

Chiefcrowe said:
I'm still confused by the fact that they claim PIN is better but if your password gets compromised, someone could still log in to your computer even if you always use the PIN - am I understanding this correctly?

You're absolutely right.

The fact of the matter is that a Microsoft account makes your computer and your stuff more vulnerable than a local account does.

In order to make a Microsoft account as secure as it can be, a strong and complex password is needed, but your average two-finger-keyboard jockey doesn't want to have to type in a 26-char password every time just to log into their computer, so the PIN shortcut was dreamed up. It's a convenience feature, not a security feature.

quikah · Feb 16, 2020

mikeymikec said:
You're absolutely right.

The fact of the matter is that a Microsoft account makes your computer and your stuff more vulnerable than a local account does.

In order to make a Microsoft account as secure as it can be, a strong and complex password is needed, but your average two-finger-keyboard jockey doesn't want to have to type in a 26-char password every time just to log into their computer, so the PIN shortcut was dreamed up. It's a convenience feature, not a security feature.

Windows Hello is not a convenience feature. It is a fairly complex security feature that was designed to satisfy NIST requirements for multi-level authentication for an account. It is more geared for enterprise where you have much more configuration options and can really lock things down (require pin + security key or biometrics to login). The focus is securing the account, this is the important bit.

The main idea is that the pin is securing the device only. If someone manages to steal your device you can immediately de-authorize that device (invalidate the token) so that it can no longer login to your account. If someone already compromised your account it is game over regardless if they have your device or not which is why you should be using a minimum of complex password + 2FA for all accounts.

Whether you consider this better or worse than a local account depends on how you are using the device.

Chiefcrowe · Feb 19, 2020

Thank you for your posts. Some great points raised!

I use MFA for my accounts but a lot of people don't. So that would mitigate most ways that someone could get your pw and log in to your system.

Chiefcrowe · Feb 19, 2020

How do you de-authorize a device? I don't recall seeing that option....

quikah said:
Windows Hello is not a convenience feature. It is a fairly complex security feature that was designed to satisfy NIST requirements for multi-level authentication for an account. It is more geared for enterprise where you have much more configuration options and can really lock things down (require pin + security key or biometrics to login). The focus is securing the account, this is the important bit.

The main idea is that the pin is securing the device only. If someone manages to steal your device you can immediately de-authorize that device (invalidate the token) so that it can no longer login to your account. If someone already compromised your account it is game over regardless if they have your device or not which is why you should be using a minimum of complex password + 2FA for all accounts.

Whether you consider this better or worse than a local account depends on how you are using the device.

quikah · Feb 19, 2020

Chiefcrowe said:
How do you de-authorize a device? I don't recall seeing that option....

I believe you just remove the device from your account.

https://support.microsoft.com/en-us/help/4026440/microsoft-account-manage-your-devices

You also have the usual mobile device options of "Find my device" and locking remotely. I know enterprise can also remotely wipe devices, but I am not sure if home users are able to do this.

I cannot guarantee this works as expected as I have never tested it. AFAIK you would still be able to login to the device via pin or old password if it is offline. Would be interesting thing to go through all the various steps to see how it works when offline vs. online.

Chiefcrowe · Feb 20, 2020

Thanks.. yeah I wish I had a test computer I could test that on.

In looking up, it seems like you have to be set up with Intune to be able to remote wipe computers....

JimKiler · Feb 27, 2020

Chiefcrowe said:
Thank you for your posts. Some great points raised!

I use MFA for my accounts but a lot of people don't. So that would mitigate most ways that someone could get your pw and log in to your system.

I was not a MFA until last month when someone in the Ukraine and Czech republic tried to access my google account. Then they tried my Instagram account...maybe they think i am social media influencer! MFA is not as bad as I thought. For Google it only asks the first time and then remembers your device.

mikeymikec · Feb 28, 2020

quikah said:
It is more geared for enterprise where you have much more configuration options and can really lock things down (require pin + security key or biometrics to login). The focus is securing the account, this is the important bit.

However, having two passwords rather than one is not an improvement, and the PIN gets used for convenience by non-enterprise users, and MS pushes it in that way.

Search

Question Windows 10 password change with MS account sync accross devices?

JimKiler

Diamond Member

Chiefcrowe

Diamond Member

Windows Hello for Business overview - Windows Security

JimKiler

Diamond Member

Windows Hello for Business overview - Windows Security

Chiefcrowe

Diamond Member

mikeymikec

Lifer

Windows Hello for Business overview - Windows Security

JimKiler

Diamond Member

Chiefcrowe

Diamond Member

mikeymikec

Lifer

quikah

Diamond Member

Chiefcrowe

Diamond Member

Chiefcrowe

Diamond Member

quikah

Diamond Member

Chiefcrowe

Diamond Member

JimKiler

Diamond Member

mikeymikec

Lifer

TRENDING THREADS