Microsoft’s new approach is to rely (mostly) upon an Authenticator app on your phone.
Whether this is important depends on what type of passwords you use now. The Authenticator app model is useful to those who have secure access to their phone, currently use simple (not complex) passwords, and have cell phone service wherever they need to use their Windows 10 computer.
It is still a win-win for most people, most of the time. That is because most people do not have unique, long, complex, random passwords for every account, managed by a password manager. If you already do, there is no real rush to dump your password access route, to be honest.
The problem, though, is ensuring that the users who would benefit know the option is available, and encouraging them to take it.
You do not want to rely on the Authenticator app to log in to your Windows 10 notebook computer when traveling in areas without cell or Internet access.
You can set up a PIN, facial recognition (if your device has a camera), or fingerprint recognition (if your device has a fingerprint reader) as alternatives. A PIN can be purely numeric, or it can be alphanumeric like a password. The only difference between a PIN and a password is that the PIN is unique to your device, not to your Microsoft account.
For example, I use a notebook computer to read Kindle books when in campgrounds having no cell phone service. The new Microsoft Windows 10 “passwordless” model would require that I set up a PIN as an alternate, putting me right back into the password model. I use complex passwords anyway, so the Authenticator app mostly adds complexity to basic Windows desktop login without adding much additional security.
An easy way to create and remember a complex password is to remember a sentence or phrase from a movie – or some other phrase that is important to you.
To illustrate, consider the famous line “May the Force be with you” from Star Wars (I do not recommend you use this). Make your password the first letter of each word:
Now make an obvious substitution, such as changing “Force” to the digit 4.
Perhaps add some symbols (non-alphanumeric characters) such as
Again, do not use an obvious phrase like this one but pick a sentence that is meaningful to you. Then change some values such as converting the word “to” to 2, or the letter I to 1, and so on.
A phrase or sentence that is meaningful to you makes it easy to remember a complex password that otherwise looks like a sequence of random letters.
Also consider choosing a longer phrase than the example above. For example, “My mama always said life was like a box of chocolates.”
Then look for simple substitutions to add numbers and symbols.
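As an added illustration (not code from the original post), here is a small Python script that applies the recipe above to both phrases mentioned in the post and then runs a simple length and character-class check on the result. The "!" suffix, the "a" to "@" and "l" to "1" substitutions, and the 12-character minimum in the check are my own assumed choices, not rules from the post.

```python
import re

# A "word" is a run of letters, optionally with internal apostrophes ("don't").
WORD = re.compile(r"[A-Za-z][A-Za-z']*")


def derive_password(phrase, word_subs=None, char_subs=None, suffix=""):
    """Apply the post's recipe: take the first letter of each word, replace whole
    words listed in word_subs (e.g. "Force" -> "4", "to" -> "2"), then replace
    single letters listed in char_subs (e.g. "I" -> "1"), then append any symbols."""
    word_subs = {k.lower(): v for k, v in (word_subs or {}).items()}
    parts = [word_subs.get(w.lower(), w[0]) for w in WORD.findall(phrase)]
    pw = "".join(parts)
    for src, dst in (char_subs or {}).items():
        pw = pw.replace(src, dst)
    return pw + suffix


def composition_check(pw, min_len=12):
    """Assumed sanity check (my choice, not the post's): at least min_len
    characters and at least three of the four character classes present."""
    classes = [
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ]
    return len(pw) >= min_len and sum(classes) >= 3


if __name__ == "__main__":
    # The post's short example: initials, "Force" -> 4, plus an assumed "!" suffix.
    short = derive_password("May the Force be with you", {"Force": "4"}, suffix="!")
    # The post's longer phrase, with assumed substitutions "a" -> "@" and "l" -> "1".
    longer = derive_password("My mama always said life was like a box of chocolates.",
                             {"a": "@"}, {"l": "1"}, suffix="!")
    for label, pw in (("short", short), ("longer", longer)):
        print(f"{label}: {pw} ({len(pw)} chars), passes check: {composition_check(pw)}")
```

Running it shows why the post suggests a longer phrase: the Star Wars line yields only seven characters and fails the length check, while the longer phrase reaches twelve and passes.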
As long as you do not re-use your password on multiple accounts and services, you do not actually need to periodically change your password. If you use the same or similar passwords elsewhere, then you should periodically change passwords in case those accounts are compromised in a security breach.
For critical accounts – including those with access to your email, to financial accounts (banks, brokerages), or to retailers where you have saved a credit card – you should set up two-factor authentication that relies (ideally) on an authentication app, or on SMS confirmation (less secure). Additionally, if your telephone service provider lets you set up a separate PIN for account modifications, do that. Some attackers have found ways to change your cellular service account so that SMS messages are redirected to them, and the additional account PIN can stop that too.