What's new

Why doesn't Microsoft default to the 4 character Pin

You are comparing mobile operating system to fully fledged desktop environment, I don't know if OSX lets you login with 4 digit Pin, but I suspect it wouldn't be default login option there too. That said, you are also refering to desktop environment on Tablet- this argument is valid if your average product target is using device mostly for media consumption- iPad and iOS are designed around that, while Windows tablets actually arent that good with media consumption- try to find some decent metro video player in windows store.. Windows tablets are devices that can get job done, but they require some minimal interest on user side, as every operating system.

To be honest, I don't know why Pin is such a big issue, and options aren't that unaccessible, considering they can be opened directly from charms bar and default Start Menu layout includes them as a tile.
 
Setting a PIN does not reduce security in any meaningful way, especially if you pair it with other security measures, such as wiping the device after x number of invalid tries, or even just locking you out for 15 minutes after that time. Since the pin can be used only to log on to the device locally, and must be entered at the login screen, simple measure like the above effectively reduce the risk of being compromised to near zero since there is no way to remotely exploit it, no way to automate it, and no way to enter enough combinations in a time period that makes hacking it feasible.

OSX doesn't allow for a pin because Apple doesn't sell a device that requires you to use your password that isn't permanently attached to a full physical keyboard.
 
This will all be nullified with Windows implementation of Windows Hello.... reducing the need for any passwords or PINs to log in....
 
Setting a PIN does not reduce security in any meaningful way, especially if you pair it with other security measures, such as wiping the device after x number of invalid tries, or even just locking you out for 15 minutes after that time. Since the pin can be used only to log on to the device locally, and must be entered at the login screen, simple measure like the above effectively reduce the risk of being compromised to near zero since there is no way to remotely exploit it, no way to automate it, and no way to enter enough combinations in a time period that makes hacking it feasible.
I cannot agree with that premise and our Security department will not allow the use of 4 digit pins.

Analysis reveals fully 26% of pins use 1 of 20 sequences and a little investigation will give you a great change of getting it even if it's not one of those.
http://www.datagenetics.com/blog/september32012/

Yes hackers CAN read.
 
I cannot agree with that premise and our Security department will not allow the use of 4 digit pins.

Analysis reveals fully 26% of pins use 1 of 20 sequences and a little investigation will give you a great change of getting it even if it's not one of those.
http://www.datagenetics.com/blog/september32012/

Yes hackers CAN read.

It'd still be an individual choice or just be removed by group policy so the option's not even available. It would be trivial through group policy to make those combinations off limits, and then wipe the device after 10 wrong tries (or, as a lesser measure, lock you out, or just require the full password after a certain number of tries). Plenty of ways to maintain security while increasing convenience for end users who may be logging in dozens of times a day.
 
Most devices have a timeout on incorrect attempts after which it resets and you can keep trying as many times as needed as long as your patient. Of course consumers don't have group policy but you can also make the pin requirement more that 4 digits or alphanumeric on some systems with your mobile device management solution. Regardless your base consumer is left to their own devices on moving past the defaults.
 
There are a couple of things to remember:

1. Most end users will not spend their time on forums and are not necessarily tech savvy so something that is easy for you and I isn't easy for everyone. They expect it to work out of the box.

2. Usability is one of the most important aspects of consumer devices. The sole reason iOS gained so much market share when it came out was because the other manufacturers were focussed on features and not on usability. They released a watered down feature set with far better usability and gained a massive market share as a result.

3. When it comes to tablet devices, users expect them to work out of the box. They don't want to install things, change settings or anything else, their first impressions start when they log onto the device for the first time so if you provide them with something that is more cumbersome, their first reaction is "This device is crap" not "What can I do to fix this". If you have a combination login (alphanumeric), the on screen keyboard is extremely cumbersome and time consuming to log in, and as I mentioned in my initial post, almost every non-tech savvy person I have come across with the surface wasn't even aware that there was a 4 digit password option, so they didn't even know to go looking in settings. Some even wanted to switch off the password because they found it so annoying and weren't aware of the easier option.

If Microsoft want to play in this area of the market and show they are serious, they have to provide a user experience that is comparable to the other devices on the market and most of those walk you through a process of setting up your device which includes the Pin. That's a simple reality of the market. It's something that's easy to change. The competitors invest an incredible amount into usability testing and improvements, and the whole purpose of Windows 10 is about improving usability.

You are blowing this pretty far out of proportion.

I've supported hundreds of everyday Joe's in my IT career, and have never even one time had someone complain to me about the difficulty of managing a password, or not having a PIN as an option.

As far as your comment at the end of point number 1, honestly, anyone that has ever bought or inherited a new device, definitely doesn't expect it to "work out of the box". Even with you citing Apple as some kind of preferable experience to Microsoft, when you fire up a new iPhone, first it's select your language, then location services, then diagnostic reports settings, then connect to WiFi, then choose Standard or Zoom view, then select a PIN, then enroll your fingerprints, then log into iTunes, then log into iCloud... THEN maybe you can get to the desktop. A much better experience for me is signing into my SP3 for the first time, with my Microsoft account, and then a big sucking sound as all my apps and settings and files are pulled down from OneDrive. So to me, it sounds like in this area at least Micrsosoft could school some other devices in the market.

Just my .02.

*Full disclosure I use an iPhone 6.
 
I have to wonder what kind of password policies you enforce if you've never had a user complain about passwords!

Also, I had no problem with my long complex password until I tried using the Surface as an actual mobile tablet for my job. At that point, entering all those characters every time the device went off for any reason (which on the Surface is every few minutes, at least when on battery) became untenable. A pin is the only thing that really makes it usable for me out in the field.
 
I have to wonder what kind of password policies you enforce if you've never had a user complain about passwords!

Also, I had no problem with my long complex password until I tried using the Surface as an actual mobile tablet for my job. At that point, entering all those characters every time the device went off for any reason (which on the Surface is every few minutes, at least when on battery) became untenable. A pin is the only thing that really makes it usable for me out in the field.

"Everyday Joe's" = mom and pops and students etc in my side work. Not the corporate people ;)
 
We get it, the bias is dripping. We just don't agree that the default answer for all users is to give them the lowest common denominator solution. Because many will not make any effort to change the default you damn them to the lowest security by default. I believe that even the dumbest user can do better than the lowest common denominator.

And in doing so, you put users in a position where they are likely to switch off the password altogether which is worse. I'd much rather see people using a 4 character pin than not at all.

If it's a requirement for network security to have it enabled, then the IT person in the organisation can set it up as part of the internal setup process.

Either way, it's easier for an IT person to change it than a person who has no experience.

But if it's that much of an issue, why not at least offer the user the option as part of the setup? Wouldn't it at least make sense to give the user the option instead of defending a decision which adversely affects the usability of the device and makes it difficult for the vast majority of users who don't actually want to change settings to make things work?

As for the comment about the bias dripping, give me a break. You sound like one of those "it's not a bug, it's a feature" kind of people. It's the exact nature of this approach to Windows that has stunted the product to date because people mindlessly defend decisions by Microsoft.

Despite the fact that I like my SP3, I would still like to see the product improve and I would like to see usability improve because I think the usability leaves a lot to be desired. The fact that Windows 10 addresses the usability considerably supports this statement and has nothing to do with bias.
 
I have to wonder what kind of password policies you enforce if you've never had a user complain about passwords!

Also, I had no problem with my long complex password until I tried using the Surface as an actual mobile tablet for my job. At that point, entering all those characters every time the device went off for any reason (which on the Surface is every few minutes, at least when on battery) became untenable. A pin is the only thing that really makes it usable for me out in the field.

If you entered options once, i don't know- out of curiosity for example, pin isn't hard to configure + windows lets you choose after what time it requires password to wake. Just saying... It's not that this option is concealed and you have to edit registry to access it. I have picture password set for time whens I'm on the go and need to switch back and forth from smartphone to tablet, as I find it even more convenient than Pin.
 
Despite the fact that I like my SP3, I would still like to see the product improve and I would like to see usability improve because I think the usability leaves a lot to be desired. The fact that Windows 10 addresses the usability considerably supports this statement and has nothing to do with bias.

I'm afraid that by adressing usability that much it won't be very well suited for tablet use anymore, but it's a sidenote.
 
Back
Top