All posts by Will Stapley

Local or Microsoft account: Which is best for you?


Will Stapley

4 Jun, 2019

It’s easy to assume your Windows account simply lets you sign in and out of Windows. However, the type of account you choose can have a significant effect on how Windows behaves. Here, we explain the differences between Microsoft and local accounts, so you can decide which is best for you.

Types of account

In Windows 7 and earlier, a local account (sometimes referred to as an offline account) was the only user account available. It is intended to be used on a single computer, which stores your account username, password and other details on its hard drive.

In contrast, a Microsoft account is stored online and can be used across multiple PCs. You’ll still be able to sign in if your computer’s offline, so you won’t be locked out of Windows if your home network goes down or you’re working on your laptop while out and about.

Microsoft still gives you the option of setting up a local account, but it’s hidden away

Microsoft is keen to move users away from using a local account, and only begrudgingly lets you set one up when installing Windows (look for the ‘Offline account’ option hidden in the bottom corner of the sign-in window). And if you do opt for it, Microsoft will hit you with all the benefits you’ve decided to forego with your choice. There are, without doubt, advantages to using a Microsoft account, but there are also drawbacks, as we will explain.

If you’re not sure which type of account you’re currently using, click Start, then the cog icon to open Settings and select Accounts. In the ‘Your info’ section, you’ll see your user account name. Below this, you’ll either see ‘Local account’ or, if you’re using a Microsoft account, the email address linked to your account.

Signing in & syncing

A Microsoft account makes it much easier to use the company’s other services within Windows. For example, as soon as you sign into your Microsoft account, you’ll also be signed into other services such as OneDrive, Skype and the Microsoft Store. With a local account, you’ll need to sign into these services individually.

A Microsoft account also syncs your Windows settings (such as your desktop theme, ease of access settings and even your Wi-Fi passwords) across all the computers you sign into. This is handy if you tend to use more than one computer or if you’re setting up a new one.

Additionally, you’ll be able to share your Windows Timeline (accessed by clicking the film-strip icon to the right of the Start button) with your other computers. This shows a record of which programs you’ve used and websites you’ve visited over the past few days. By default, it will only show websites viewed using Microsoft’s Edge browser, but the new Web Activities extension for Chrome also lets you sync your Chrome browsing history with your timeline.

This is great if you regularly use more than one computer and want everything synced, but it also lets anyone who logs in using your account see your emails, browsing history, synced files and more.

Security

A Microsoft account stores your password (albeit an encrypted copy of it) online. And while Microsoft has a pretty decent security record, so did many companies who have since been the victim of online security breaches. However, even if a hacker were to get hold of your Microsoft password, they couldn’t gain access to your home PC – unless they’d stolen that too. They would, however, have access to files that you had uploaded to OneDrive.

On the face of it, then, a local account may seem less risky, but it too contains security flaws. A relatively simple Command Prompt hack can let you (or anyone else) reset your local account password. Microsoft may have quietly fixed this vulnerability with the Windows 10 May update. When we tried the hack on a preview release, it no longer worked. Whether the fix makes the full update remains to be seen.

Set up security questions for your local account in case you need to reset your password

While we’re pleased to see that the hack may have been addressed, it did represent a way of accessing your local account if you’d forgotten your password. Because Microsoft doesn’t store local account passwords, it can’t reset them for you should yours slip your mind. A Microsoft account, on the other hand, lets you reset your password using the email address registered to your account.

If you decide to use a local account, we recommend you set up security questions – answer these correctly and you’ll be able to reset your password. To set these up, go to Settings, Accounts, ‘Sign-in options’, then scroll down on the right to the Password section and click ‘Update your security questions’.

You can make a Microsoft account more secure by setting up two-factor authentication (2FA). This means that whenever someone tries to sign into your account from a new location, a code will be sent to your phone that needs to be entered to gain access. To set this up, go to the Microsoft account security website and sign in (if you’re not already). At the bottom, click the ‘more security options’ link. From here, click ‘Set up two-step verification’ and follow the instructions.

Using a Microsoft account has other security benefits, including the ability to track your laptop should it be lost or stolen. If you run Windows 10 Pro, a Microsoft account will let you use its BitLocker drive encryption tool and store a copy of the recovery key (required if you need to access the contents of the drive after removing it from your computer) on Microsoft’s servers as a backup.

Privacy

When Microsoft accounts were first introduced with Windows 8, many users had concerns about privacy – specifically over the amount of data Microsoft would collect. In recent years, Microsoft has added settings to let you control how much you share, but it’s still easy to share more than you intended to. To stop sharing info about which programs you’ve opened and the websites you’ve visited, for example, go to Settings, Privacy, ‘Activity history’ and make sure the ‘Send my activity history to Microsoft’ option is unticked.

Keep this option unticked unless you’re happy for your Windows usage data to be sent to Microsoft

Using a local account helps prevent this type of data being sent to Microsoft. However, if you download an app from the Microsoft Store, for example, you’ll need to sign in with a Microsoft account – in which case, we recommend changing the ‘Activity history’ setting as above.

Our verdict

There’s no doubt that a Microsoft account makes Windows easier to use. You don’t need to constantly sign into Microsoft services each time you want to use them and all your settings are synced across all your computers. And as long as you set up two-factor authentication, it’s secure and it provides a hassle-free way to reset your password should you forget it. Throw in those extra benefits, such as being able to track your laptop if you lose it, and it’s fair to say we go for a Microsoft account over an old-style local account every time.

That said, if you’ve no interest in using other Microsoft services (or prefer to sign into them individually) and would prefer not to store personal details online or share information with Microsoft, a local account will provide you with everything you need.

How to switch between accounts

Changing from a local account to a Microsoft one (or vice versa) is easy and you can do it as often as you like – and it won’t affect any of your personal files.

Switching to a local account

Go to Settings, Accounts, then make sure the ‘Your info’ section on the left is selected. Click the ‘Sign in with a local account instead’ link on the right. You’ll be asked to enter your current Microsoft account password, then choose a username and password. Click ‘Sign out and finish’ to continue (doing this will sign you out from all Microsoft services).

Switching to a Microsoft account

Go to Settings, Accounts, then the ‘Your info’ section, and click the ‘Sign in with a Microsoft account instead’ link. You now need to enter your Microsoft account username and password. If you don’t already have an account, click ‘Create one’, then follow the instructions. Otherwise, enter your current local account password, then click Next. You’ll then be prompted to set up a PIN. This PIN is only stored on your PC and saves you from having to type your full Microsoft account password each time you want to log in to Windows. At this point, we also recommend you set up two-factor authentication (as above).

How to check if your passwords have been stolen


Will Stapley

25 Oct, 2018

British Airways (380,000 leaked user accounts), MyHeritage (92 million), Equifax (143 million). Just three examples of recent – and massive – data breaches. Even combined, they represent a small proportion of the billions of accounts hacked over the past few years. A timely reminder that, no matter how careful you are with your passwords, you can’t always rely on companies being as diligent.

What you can do, however, is make your password as difficult to crack as possible, so if you are the victim of a careless company your password won’t instantly give itself up.

Despite the advent of new biometric techniques (such as fingerprint, iris and face recognition), the majority of us still tend to use passwords to verify our identity online. And if you create your own passwords using similar terms (maiden names, pets, football teams, etc) rather than randomly generate them, as soon as one password has been stolen the rest become much easier to crack.

In this feature, we look at the methods hackers use to pilfer your passwords and how you can protect yourself against them. We’ll also explain how you can find out whether any of your passwords or other personal information has been leaked in a major data breach. Sad to say, but the chances are surprisingly high.

How are passwords stolen?

Most of us have been there. Struggling to remember one of our passwords, but bashing in those we use most in the hope of striking lucky. Then we see the dreaded message ‘Too many incorrect logins – account locked’. The silver lining, you might think, to this frustrating cloud is that someone trying to hack your password would suffer a similar fate.

A locked-out message might be infuriating for you, but it’s no problem for hackers

Sadly, this isn’t how the world works. Most passwords are cracked by hackers working offline, having already ‘acquired’ a database of user accounts. They will then use various methods to crack the accounts’ passwords. The only time they’ll ever try to log into your account is when they’ve already got your password. So while a limit on login attempts helps prevent people casually trying to access your accounts, it’s useless if your account details have been leaked.

How passwords are ‘hashed’

The good news is that even hackers who have access to a database of account details can’t see the actual passwords as plain text. Any reputable website won’t ever store your password. Instead, they use an algorithm to convert it into a unique, fixed-length block of data, known as a hash.

For example, using one very popular cryptographic algorithm – SHA256, which was developed by the US National Security Agency – the much-used password ‘P@ssw0rd’ generates a 64-character hash starting ‘B03DDF3C…’.

This particular password will always create this unique hash, meaning a website can compare it to the hash of the password you enter when you log in – if the two match, you’re allowed in. You can see how it works by generating SHA256 hashes on the Password Generator website. Notice that when you alter a single character, the hash changes completely.

Securing passwords with a pinch of salt

Hashing lets websites store your passwords securely because it’s impossible to reverse-engineer them, but hackers can still use any number of techniques to work out your password. How easy this is depends on how complex your password is and the methods used by the website to generate its hash.

Password Generator uses the SHA256 algorithm to make unique 64-character hashes

To make it harder for hackers to use rainbow tables (precomputed tables that map hashes back to leaked or common passwords) to work out a password from its hash, most websites generate a series of random characters and add them to your password before creating the hash – a process known as ‘salting’.

Using a salt of ‘aE92@3’ (most are far more complex than this), our earlier password of ‘P@ssw0rd’ becomes ‘aE92@3P@ssw0rd’. Because this generates a completely different hash, it’s highly unlikely it will exist in a rainbow table and will, therefore, be much harder to crack. To increase security, the website will use a different salt for each user.
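The hashing and salting described above, as an added Python example (not code from the article or from the Password Generator site). It uses the article’s ‘P@ssw0rd’ password and ‘aE92@3’ salt, shows why a salted hash defeats a lookup table built from unsalted hashes, and the final function goes beyond the article by using a deliberately slow key-derivation function (PBKDF2), which is what a site should use in place of bare SHA256.

```python
import hashlib
import hmac
import os

PASSWORD = "P@ssw0rd"  # the article's example password (demo input only)

def sha256_hex(text: str) -> str:
    """Unsalted SHA256 of the text as 64 lowercase hex characters."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def salted_sha256_hex(password: str, salt: str) -> str:
    """Salt prepended to the password before hashing, as the article describes."""
    return sha256_hex(salt + password)

def build_lookup_table(common_passwords):
    """A tiny stand-in for a rainbow table: unsalted hash -> password."""
    return {sha256_hex(p): p for p in common_passwords}

def crack_with_table(stored_hash: str, table):
    """Recovers the password only if its (unsalted) hash is in the table, else None."""
    return table.get(stored_hash)

def register_user(password: str, salt=None):
    """Returns (salt, hash) to store; a random per-user salt is generated if none is given."""
    if salt is None:
        salt = os.urandom(16).hex()  # 32 hex chars; far longer than the article's 'aE92@3'
    return salt, salted_sha256_hex(password, salt)

def verify_login(password: str, salt: str, stored_hash: str) -> bool:
    """Recomputes the salted hash and compares it in constant time."""
    return hmac.compare_digest(salted_sha256_hex(password, salt), stored_hash)

def slow_hash(password: str, salt: str, iterations: int = 200_000) -> str:
    """Beyond the article: PBKDF2-HMAC-SHA256 makes each guess cost many hashes, not one."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt.encode("utf-8"), iterations).hex()

if __name__ == "__main__":
    table = build_lookup_table(["123456", "password", PASSWORD, "654321"])
    print(sha256_hex(PASSWORD)[:8])                       # b03ddf3c, the prefix the article quotes
    print(crack_with_table(sha256_hex(PASSWORD), table))  # P@ssw0rd: unsalted hash is in the table
    salt, stored = register_user(PASSWORD, "aE92@3")
    print(crack_with_table(stored, table))                # None: salted hash is not in the table
    print(verify_login(PASSWORD, salt, stored))           # True
    print(verify_login("P@ssword", salt, stored))         # False
```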

How to check if your passwords have been stolen

When your passwords (or any other personal information) have been leaked, they normally end up being added to huge databases on the dark web. Trying to locate these to find out whether you’ve been a victim not only takes ages, but is also risky because they’re typically listed on criminal websites. Thankfully, there are safe websites you can use instead.

Have I Been Pwned? (HIBP) was created in 2013 by Australian security expert Troy Hunt. It’s home to a database of over five billion hacked (or ‘pwned’) email accounts from the many leaks that have occurred over the years. You can also search its database using Mozilla’s Firefox Monitor tool, launched last month.

Hacked Emails (run by US-Spanish security firm 4IQ) and BreachAlarm (run by Australian firm Avalanche) are two popular alternatives. All three sites scan for new data leaks by monitoring sites on the dark web and websites such as Pastebin, where hackers post leaked account details. This data is then combined into a single, searchable database.

The sites use similar methods to check whether an email address was part of a data breach – simply type it into the box on the home page then press Enter. While HIBP and BreachAlarm show instant results, Hacked Emails sends a link to the email address you entered, restricting you to running password scans only on addresses you can access.

According to HIBP, our email is linked with two breaches that leaked our password and more

We tested the sites using the same email address – an old Gmail account we no longer use. Both HIBP and Hacked Emails reported that it was part of the Adobe (2013) and Dropbox (2012) breaches – though the former went further by specifying the type of information that was leaked. HIBP also said the address was made available through the Onliner spambot in 2017. Both also listed several ‘unverified’ leaks from unknown sources.

In contrast, BreachAlarm simply said our email address had been leaked “at least 2 times”, with the latest being August 2016. This was disappointingly vague, but it’s still worth trying BreachAlarm because it uses different databases of leaked emails. Between all three sites, you’ll probably find out whether your email account has been hacked.

Run searches for your password

As well as email addresses, HIBP lets you check whether your password has been leaked. Click the Passwords menu on the main HIBP site, then type your password.

We’ve no doubt that HIBP can be trusted, but searching your current password isn’t without risk. Although unlikely, hackers might be able to steal it if they attack HIBP and install keylogger malware.

We, therefore, recommend against using a current password. Instead, try running searches for your old passwords, or simply use it to find out how common certain passwords are. For instance, ‘654321’ has been leaked nearly one million times, while ‘P@ssw0rd’ nearly 50,000 times.

If you do check a current password and find it’s been leaked, there’s no way of telling whether it belonged to you or someone else (the simpler the password, the more it would have been used by other people). Regardless, you should still change it immediately. If the password has been seen online even just once, it will be included in rainbow tables, making it easier to crack.
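The article warns that typing a live password into HIBP carries some risk. As an added example (not the article’s or HIBP’s own code), here is how a client can query HIBP’s Pwned Passwords range API so that neither the password nor even its full hash leaves the machine: only the first five characters of the SHA-1 hash are sent, and the matching is done locally. The API URL and response format are real; the sample response and its counts are constructed for the offline demo.

```python
import hashlib

# Real endpoint of the HIBP Pwned Passwords range API (only used by fetch_range_http).
HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"

def split_sha1(password: str):
    """Uppercase hex SHA-1 of the password: the 5-char prefix that is sent, and the 35-char
    suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(body: str) -> dict:
    """Parse the API's 'SUFFIX:COUNT' lines for one prefix into {suffix: count}."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        counts[suffix.strip().upper()] = int(count.strip())
    return counts

def pwned_count(password: str, fetch_range) -> int:
    """How many times the password appears in breach data; 0 if never seen.
    fetch_range(prefix) must return the raw response body for that 5-char prefix."""
    prefix, suffix = split_sha1(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)

# Constructed sample of a range response for prefix 5BAA6 (the SHA-1 of 'password' starts
# 5BAA6). The counts are made up for this demo and are not HIBP's real figures.
SAMPLE_RANGES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\n"
             "0000000000000000000000000000000000A:1\n"
             "1E4C9B93F3F0682250B6CF8331B7EE68FD9:2\n",
}

def fetch_range_offline(prefix: str) -> str:
    """Offline stand-in for the HTTP call; empty body for prefixes not in the sample."""
    return SAMPLE_RANGES.get(prefix, "")

def fetch_range_http(prefix: str) -> str:
    """The live lookup, if you want to run it: only the 5-character prefix is transmitted."""
    import urllib.request
    with urllib.request.urlopen(HIBP_RANGE_URL + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")

if __name__ == "__main__":
    print(pwned_count("password", fetch_range_offline))                      # 3730471 (constructed)
    print(pwned_count("correct horse battery staple", fetch_range_offline))  # 0
```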

What to do if your data has been leaked

If your details have been leaked, check the date of the latest breach. If you’ve yet to change your password on the attacked site, do so immediately. Hackers are aware people often just add an extra character when changing their password, so make sure it’s completely different (don’t change ‘Ilovepasta’ to ‘Ilovepasta1’). And if you’ve reused the stolen password on other sites, change them there as well.

If you get the all-clear from these sites, it doesn’t mean your personal details have never been leaked. Lots of smaller data breaches go unreported, while some companies simply aren’t aware they’ve been attacked.

The best way to protect yourself is to use strong passwords and, ideally, a password manager. Also consider signing up to HIBP’s monitoring service, which will email you if your details appear in a new leak. Click ‘Notify me’ at the top of the website, then enter the email address you want to monitor.