Microsoft wants Windows 8 users to log into their computers with a Microsoft account, not a standard old local user account. You can’t use much of the new user interface without a Microsoft account — you can’t even upgrade to Windows 8.1 without one. Along with this new focus on Microsoft accounts come new security concerns. The account you use to log into your computer is now an online account and you need to worry about securing it.
There are advantages to using a Microsoft account, as it allows you to sync your settings, files, apps, and other data between your computers. You log into Macs and iPads with an Apple ID, Android devices and Chromebooks with a Google account, and now Windows with a Microsoft account.
Set a Strong, Unique Password
Microsoft accounts aren’t necessarily new. Many old types of accounts have been rebranded as Microsoft accounts. Whether it’s an old Hotmail account, a Windows Live ID, .NET Passport, Zune, Xbox Live, or any other old type of account run by Microsoft, it’s now a Microsoft account.
Because of this, there’s a good chance many Windows users are logging in with old accounts. Some Windows users may be logging into their Windows 8 systems with Hotmail accounts they created back in 1999, 15 years ago. A lot has happened in 15 years when it comes to password security.
It’s important to treat these new accounts seriously, with modern password practices. You should be using a strong password for your Microsoft account — but, most importantly, you should be using a unique password for your Microsoft account. Don’t re-use passwords, as a password leak at one site will make your account’s password worthless. If you need help managing passwords, you may want to use a password manager.
You can modify your Microsoft account’s password and other security information by logging into the Microsoft account dashboard at account.live.com.
Enable Two-Step Verification
Microsoft allows you to enable two-step verification, also known as two-factor authentication, to help secure your account. When someone attempts to log in with your username and password, they’ll need an additional verification code — for example, a code sent to you via an SMS message or generated via an app on your phone. To set this up, visit the Microsoft account dashboard and click the Security info tab.
From here, you can enable two-step verification and set up alternate ways Microsoft can contact you, such as phone numbers and alternate email addresses. You can use several different methods for two-step authentication, such as an SMS message or an authenticator app. If you have an iPhone or Android phone, you can even use the Google Authenticator app to generate verification codes for your Microsoft account.
This page also contains the other options you’d expect for managing two-factor authentication, such as per-app passwords for apps that don’t support two-factor authentication, recovery codes you can use to regain access to your account, and a list of trusted devices that don’t need verification codes.
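Authenticator apps such as Google Authenticator generate these codes with the time-based one-time password algorithm (TOTP, RFC 6238). The sketch below is an added example, not code from Microsoft or from the original article: it shows how the app derives a code from a shared secret and the current time, and how a server can check it while tolerating clock drift. The function names are illustrative, and the secret is the test key published in the RFC, not a real account secret.

```python
import base64
import hashlib
import hmac
import struct
import time

# Test key published in RFC 6238 (ASCII "12345678901234567890"), base32-encoded
# the way an authenticator app receives it. Not a real account secret.
RFC_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32, at=None, step=30, digits=6):
    """Return the TOTP code (RFC 6238, HMAC-SHA1) for the given Unix time."""
    if at is None:
        at = time.time()
    s = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(s + "=" * (-len(s) % 8))   # restore stripped padding
    counter = struct.pack(">Q", int(at) // step)      # 8-byte big-endian time step
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                        # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret_b32, submitted, at=None, step=30, digits=6, drift=1):
    """Server-side check: accept codes from +/- `drift` time steps (clock skew)."""
    if at is None:
        at = time.time()
    # Reject malformed input before comparing (compare_digest needs ASCII strings).
    if len(submitted) != digits or not (submitted.isascii() and submitted.isdigit()):
        return False
    ok = False
    for n in range(-drift, drift + 1):
        t = at + n * step
        if t < 0:
            continue
        # Constant-time comparison, no early exit on a match.
        ok |= hmac.compare_digest(totp(secret_b32, t, step, digits), submitted)
    return ok


if __name__ == "__main__":
    print("code now:", totp(RFC_TEST_SECRET))
    print("accepted:", verify(RFC_TEST_SECRET, totp(RFC_TEST_SECRET)))
```

Because the code depends only on the shared secret and the clock, anyone who obtains the secret (for example from a photographed setup QR code) can generate valid codes, so the secret deserves the same protection as the password.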
Enter Recovery Information
From the same Security info page, you also have the ability to provide phone numbers and email addresses where Microsoft can reach you. Whether or not you want to use two-step verification, you should ensure that this information is correct. If you ever lose your password and can’t log in, you’ll be able to regain access to your account, if you have access to a phone number or email address specified here.
For this reason, it’s important to enter your data correctly, so you can regain access to your account. It’s also important to make sure no one else can gain access to your account — ensure the information is up to date, and remove from this page any email addresses or phone numbers you no longer have access to.
Have Security Notifications Delivered to Your Phone
Microsoft can send security notifications to your phone for important security events, such as when someone tries to gain access to your account. By default, these are emailed to your primary email address. However, you can also have them sent via SMS to your phone so you can get them immediately.
To set this up, visit the Notifications > Security page on the Microsoft account dashboard site. If you don’t see a phone number you can use, you’ll have to enter it elsewhere on the dashboard first.
Monitor Recent Activity
Microsoft recently added a Recent activity page to the Microsoft account dashboard. If you’ve used Gmail, it will seem familiar. The Recent activity page lists where you’ve used your account, where you’ve logged in from, and other things that have happened. You’ll likely see that you’ve successfully logged in from your home location recently. If you see that someone successfully logged in from elsewhere, or that there are attempts to log in with incorrect passwords from a foreign location, you may have a problem. You can inform Microsoft that a login attempt is not you via a link from this page.
Note that the times displayed here depend on the time zone you enter on your Personal info page.
The Most Important Tip
The most important security tip we can give you is that you should treat your Microsoft account like the online account that it is. You can’t just log into your computer with the password “password” anymore — at least, not if you want to use a Microsoft account. This is insecure and means people can gain access to your Microsoft account and its data from anywhere in the world. Instead, you’ll have to treat your Microsoft account like you’d treat any other online service.
Luckily, there are ways to make this process less obnoxious. After you log into a device once, you can make it a trusted device and you won’t have to re-enter a two-step verification code each time. You can also set up a picture password or PIN on your Windows 8 device, so you can easily log in again without having to re-enter a long, complicated password. You’ll only be hassled the first time you log into a device.
Image Credit: Kārlis Dambrāns on Flickr