I didn't realize just how much I blamed Microsoft for the current state of passwords until I sat down to write about their "passwordless future": puri.sm/posts/microsoft-ruined

@kyle If I'm synopsizing this correctly: Microsoft bad because Microsoft encoded password-rotation recommendations into default AD policy.

That's ... a stretch.

And I'm no fan of Microsoft.

1) Password rotation recommendations go back a long way, and were considered best practices for decades. I remember them from the 1990s, and well before AD was A Thing. AFAIU at some point they were recommended through entities such as NIST.

1/

#passwords #security #policy

@dredmorbius Summary is:

1. MS (and AD) strongly contributed to and enabled a culture of bad passwords. While they didn't invent bad password policy, their defaults and recs became gospel to many IT admins, and AD enabled bad policy to scale, training a generation of computer users to make bad passwords.

2. "Passwordless future" enables vendor control of hardware, as auth is strongly tied to hardware security, which is anchored in trusted (signed by MS) software.

@kyle Point 1 is taken though that's still more a concern of enshrining bad and especially outdated policy.

Good policy is good. Bad policy is bad. Good policy administration is keeping tabs on when good policy becomes bad and fixing it.

I agree on your points re: passwordless future and lockin where that's based on devices. Keep in mind that Apple, Google, and Amazon are all racing down this path as well ("swipe" payments with smartphones, Siri, and Alexa, etc.)

That's an issue with lock-in. See Shapiro and Varian's late 1990s book, Information Rules.

(Note that Varian is now chief economist at Google. Go figure.)

Librem Social