Republished on May 31 with a new attack on Microsoft account passwords.
Microsoft wants to delete passwords for its billion-plus users, now “the password era is ending” and set against the backdrop of hundreds of millions of email addresses and passwords being stolen. “Bad actors know” passwords are finished, Microsoft says, “which is why they’re desperately accelerating password-related attacks while they still can.” All of which amplifies the risk for anyone yet to upgrade their account security.
In parallel, Microsoft is making another headline change, deleting passwords for millions of users just 8 weeks from now. Anyone using Microsoft Authenticator is being warned that “from August 2025, your saved passwords will no longer be accessible and any generated passwords not saved will be deleted.“ You must act now.
Here are your deadlines:
- “Starting June 2025, you will no longer be able to save new passwords in Authenticator.
- During July 2025, you will not be able to use autofill with Authenticator.
- From August 2025, your saved passwords will no longer be accessible in Authenticator.“
The company’s solution is to first move autofill and then any form of password management to Edge. “Your saved passwords (but not your generated password history) and addresses are securely synced to your Microsoft account, and you can continue to access them and enjoy seamless autofill functionality with Microsoft Edge.”
Microsoft has added an Authenticator splash screen with a “Turn on Edge” button as its ongoing campaign to switch users to its own browser continues. It’s not just with passwords, of course, there are the endless warnings and nags within Windows and even pointers within security advisories to switch to Edge for safety and security.
Microsoft says that “to continue to use generated passwords, save them from Generator history (via or from the Password tab) into your saved passwords,” and that “after July 2025, any payment information stored in Authenticator will be deleted from your device.” and “after August 2025, your saved passwords will no longer be accessible in Authenticator and any generated passwords not saved will be deleted.”
Ironically, Microsoft’s Authenticator will continue to support passkeys and that’s actually what all users should be doing now. Forget old school passwords and two-factor authentication (2FA), all critical accounts should have passkeys added where available, especially your Microsoft and Google accounts.
Microsoft wants users to delete passwords once that’s done, so no legacy vulnerability remains, albeit Google has not gone quite that far as yet. You do need to remove SMS 2FA though, and use an app or key-based code at a minimum.
FIDO‘s latest research reports that “over 35% of people had at least one of their accounts compromised due to password vulnerabilities… This is significant for passkey adoption, as 54% of people familiar with passkeys consider them to be more convenient than passwords, and 53% believe they offer greater security.”
Notwithstanding these Authenticator changes, Microsoft users should use this as a prompt to delete passwords and replace them with passkeys, per the Windows-makers’ advice. This is especially true given increasing reports of two-factor authentication (2FA) bypasses that are increasingly rendering basics forms of 2FA redundant.
Microsoft accounts are now at risk from a new attack that has hijacked Google’s App Scripts to provide a veil of authenticity when sending malicious phishing emails. Per Cybersecurity News, the attack deploys “a fraudulent login window that mimics authentic Microsoft authentication interfaces.”
The original warning from Cofense is now picking up attention (1,2). The research team found an “attack [that] uses an email masquerading as an invoice, containing a link to a webpage that uses Google Apps Script, a development platform integrated across Google’s suite of products. By hosting the phishing page within Google’s trusted environment, attackers create an illusion of authenticity. This makes it easier to trick recipients into handing over sensitive information.”
While you can watch out for invoices hosted on “script[.]google[.]com,” which is how the attack manifests itself, the better advice is just to shore up your Microsoft accounts. If you use passkeys and delete account passwords — per the company’s advice to remove that legacy vulnerability — then you’ll be protected. In short, don’t move passwords from Authenticator, change how those accounts are secured instead.
Read the full article here
