I want to highlight a specific Microsoft story. Their CISO, Bret Arsenault, outlined in an interview how the company changed its approach to passwords.
His key moment of success: being cheered at the company when he killed off the policy of forcing a password change every 71 days, the kind of scheduled rotation that NIST SP 800-63B now advises against. It was the only time he has ever been publicly cheered.
“I remember we had a motto to get MFA everywhere; in hindsight that was the right security goal but the wrong approach. Make this about the user outcome, so transition to ‘we want to eliminate passwords’. But the words you use matter. It turned out that simple language shift changed the culture and the view of what we were trying to accomplish,” he said.
“Today, 99.9% of our users don’t enter passwords in their environment”, he added.
Of note, only 18% of Microsoft’s customers have enabled MFA.
Why do we care?
I talk about the use of language all the time. The key point here: by changing the way they talked about the policy change, everything shifted.
The tech industry should focus on getting rid of passwords. That’s something users can get behind. That’s something security professionals can get behind. And that’s doing something different.