Microsoft Confirms Password Deletion for 1B Users

Scope and framing of Microsoft’s move

  • Many see the Forbes headline as overstated: Microsoft has described millions of password deletions and a roadmap toward passwordless accounts, not a confirmed removal for 1B users.
  • Some view this as security progress; others see it as Microsoft papering over its own security failures and pushing lock‑in.

Recovery, lockout risk, and backups

  • Biggest anxiety: “lost phone / stolen device / house fire / travel with no device” ⇒ permanent account loss.
  • Current reality: recovery typically falls back to email, SMS, backup codes, or support flows, which reintroduce password‑like secrets or knowledge‑based authentication (KBA) risks that the passkey itself was meant to remove.
  • People complain there’s no simple, user‑controlled backup/export; draft FIDO credential‑exchange specs (CXP/CXF) exist but are immature, not widely implemented, and often cloud‑mediated.
  • Power users want printable, offline, cross‑vendor backups; others argue unexportability is a security feature.

Device, vendor lock‑in, and cloud trust

  • Strong concern that mainstream passkey implementations are tied to Apple/Google/Microsoft clouds and specific OS ecosystems.
  • Cross‑platform support via password managers (Bitwarden, 1Password, KeePassXC, Proton Pass, etc.) is praised but seen as poorly communicated and sometimes discouraged by attestation policies.
  • Some explicitly reject any scheme where a cloud vendor can ban or misidentify them and thereby cut off all access.

Security improvements vs passwords

  • Pro‑passkey arguments:
    • Public‑key challenge–response: the authenticator signs a fresh, server‑issued challenge; the private key never leaves the authenticator (device secure element or password manager), and the server stores only the public key.
    • Domain binding: a credential is scoped to a relying‑party ID, so the browser only offers it on the matching origin; a look‑alike phishing domain gets no credential to relay, and the server also checks the origin and RP‑ID hash in the signed data.
    • Eliminates credential stuffing and most of the impact of server‑side password leaks (a dumped public key is useless to an attacker).
    • Forces uniqueness and sufficient entropy, especially for users who don’t use a password manager.
  • Skeptics note that password managers with strong, unique passwords and origin‑matched autofill already mitigate many of these issues for power users, though the password remains a shared secret that a server can leak and a user can still be talked into pasting.

Usability, UX, and non‑technical users

  • Some report excellent UX (two taps with Face/Touch ID; “feels magic”), and higher success than passwords.
  • Others recount broken or confusing flows, especially: multi‑device setups, Windows Hello quirks, browser differences, and QR‑code “hybrid” sign‑ins.
  • Serious worry about elderly or low‑income users: single phone, no backups, weak mental model; current messaging and tooling are seen as too complex.

Hardware tokens and alternatives

  • YubiKeys and similar “roaming authenticators” are liked for security but criticized as expensive, easy to lose, and awkward to manage across many services.
  • Some prefer passkeys stored in password managers over platform clouds; others stick with TOTP or even PAKE‑based password systems (e.g. SRP or OPAQUE), which keep a password but never send it to the server.

Ethics, coercion, and policy

  • Many resent “dark pattern” prompts that won’t accept a permanent “no.”
  • FIDO attestation and potential allowlisting of authenticators (e.g. by AAGUID) are viewed by some as a future tool for excluding “undesirable” devices or credential providers and tightening platform control.