Monday, December 19th 2011

Password Security The Windows 8 Way

Windows 8 implements a radical new user interface called Metro for desktop PCs, which has so far received a mixed reception. However, there are many other changes under the hood, and one of those is how password security is handled, which we look at here. It's a fact of life that in today's modern world we have to remember a plethora of passwords and PINs, which can be daunting. This leads to security issues, as users end up writing down passwords and/or creating very insecure ones which can be easily guessed. Windows 8 aims to uphold strong password security while at the same time easing the burden on the user. Passwords can also be obtained in various ways by miscreants, such as phishing, keylogging, guessing and cracking. Windows 8 addresses each of these problems in three main ways:

1 Protect against phishing and keylogging

Using these tools protects your computer against the kind of malware that can access your entire computer, such as viruses and trojans.

1A: Secure boot: this uses the new Unified Extensible Firmware Interface (UEFI), which replaces the ancient BIOS in modern motherboards and uses digital signing, which blocks bootkits and rootkits from attacking the system at the lowest level.

1B: SmartScreen: this warns against visiting known bad websites or running suspect applications. It builds up a picture of which are good and bad by using a reputation system.

1C: Windows Defender: previously protecting against just viruses, it has now been expanded into a full security suite, protecting against the usual suspects, such as viruses, worms, bots and rootkits.


2 Protect against guessing and cracking

Long and complex passwords do wonders for security and make system admins very happy. However, they're a nightmare for users to remember and type in - even for the admin... Windows 8 eases the task of creating, using and managing unique and complex passwords.

2A: Store accounts: a centralized store for logins to various websites. This is similar to the way web browsers store this information, except that because it's done in Windows, it's available to any other application or browser that can make use of it.

2B: Sync passwords: you have 100 logins stored on your home PC, but are now using your friend's PC and can't get to them – very inconvenient. Windows 8 uses Windows Live to allow password synchronization between the two PCs – assuming the second PC is trusted.

2C: Virtual smart card: this is a software-based version of a smartcard. It uses the Trusted Platform Module found in many business PCs and some motherboards for DIY PCs, and works wherever physical smart cards work.


3 Protect against your own forgetfulness

Users shy away from using strong passwords, because they're likely to forget them, especially if they have many to remember. Windows 8 makes it easier to recover from a forgotten password.

3A: USB recovery: passwords are stored in an encrypted USB memory stick that can be used should a password be forgotten.

3B: Reset from another PC: you can reset your password from any PC using Windows Live.

3C: Two factor authentication: you can prove that you're the rightful owner of an account by linking it to a mobile phone or email address.


ANALYSIS

These features all sound wonderful and will indeed make life much easier for the user. However, some of these features appear to create a potentially large attack surface for miscreants to have a pop at. Let's take a look at them:

2A: Store accounts: so any web browser and application can use the information stored here? An application such as that virus which just got onto the PC perhaps? This is a problem, because nothing is 100% secure, regardless of how many layers of security are put in. This feature might be best left switched off. It's also best not to allow any web browser to remember logins, either.

2B: Sync passwords: this requires the second PC to be clean of infection and properly trusted. By "trust", this also means the physical security around it, such that the user isn't shoulder surfed, for example. Use with caution.

2C: Virtual smart card: the details of this would have to be looked into a little more carefully to weigh up the pros and cons of this system. One potential issue could be the versions of the TPM module on the motherboard and smartcards used, as they may not have directly equivalent features, meaning that security compromises might have to be made. The user should be made well aware of any compromises like this before being asked to use this feature.

3B: Reset from another PC: again, how secure is that other PC and the environment it's situated in? Use with caution.

As Windows 8 isn't even at the beta stage yet, firm conclusions and criticisms shouldn't be made right now. However, the issues pointed out are inherent in the features being implemented and should therefore be monitored very carefully.

Source: PC World
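The analysis above turns on three things an administrator can actually check on a given machine: whether Secure Boot (1A) is on, whether a TPM suitable for virtual smart cards (2C) is present and ready, and what the credential store (2A) already holds. The following PowerShell report is an added example and not part of the original article or of Windows itself; it relies only on cmdlets and tools that ship with Windows 8 and later (`Confirm-SecureBootUEFI`, `Get-Tpm`, the `Win32_Tpm` WMI class and `cmdkey`), and the function name `Get-PlatformSecurityReport` is our own. Run it from an elevated prompt; the values it prints are whatever the machine reports, nothing is assumed about them.

```powershell
# Added example (not from the original article): audit the platform
# prerequisites the article leans on. Requires an elevated PowerShell
# session on Windows 8 or later.
#   - Confirm-SecureBootUEFI  -> item 1A (Secure Boot)
#   - Get-Tpm / Win32_Tpm     -> item 2C (TPM needed for virtual smart cards)
#   - cmdkey /list            -> item 2A (what the credential store holds)
# The function name Get-PlatformSecurityReport is our own; every value is
# read from the local machine, none is hard-coded.

function Get-PlatformSecurityReport {
    $report = [ordered]@{}

    # 1A: Secure Boot. Confirm-SecureBootUEFI throws on legacy-BIOS machines
    # (no UEFI variables to read), so an exception means "not available".
    try {
        $report['SecureBootEnabled'] = Confirm-SecureBootUEFI
    } catch {
        $report['SecureBootEnabled'] = 'N/A (legacy BIOS or not supported)'
    }

    # 2C: TPM present and ready. The analysis flags TPM version differences,
    # so record the spec version reported by the TPM WMI provider as well.
    $tpm = Get-Tpm
    $report['TpmPresent'] = $tpm.TpmPresent
    $report['TpmReady']   = $tpm.TpmReady
    $tpmWmi = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm
    $report['TpmSpecVersion'] = if ($tpmWmi) { $tpmWmi.SpecVersion } else { 'N/A' }

    # 2A: entries already in the credential store. cmdkey only lists target
    # and user names, never the stored secrets, so this is safe to log.
    $report['StoredCredentialTargets'] = @(
        cmdkey /list |
            Select-String 'Target:' |
            ForEach-Object { $_.ToString().Trim() }
    )

    [pscustomobject]$report
}

Get-PlatformSecurityReport | Format-List
```

A machine that reports `SecureBootEnabled: False` or `TpmPresent: False` cannot deliver items 1A or 2C regardless of what the OS offers, and a long `StoredCredentialTargets` list is exactly the exposure the 2A analysis worries about, so this is the first thing to look at before deciding whether to leave that feature switched on.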

12 Comments on Password Security The Windows 8 Way

#1
TheMailMan78
Banstick Dummy
Much better Qubit. Bravo.

As for your fears, all you have to do is look at
"3C: Two factor authentication: you can prove that you're the rightful owner of an account by linking it to a mobile phone or email address"

This is how Google Mail works. When they hack and reroute my home phone THEN I'll worry. Until then Windows 8 sounds more secure than anything else we have used thus far........except maybe Linux lol
#2
qubit
Overclocked quantum bit
Thanks, MM :toast:

Indeed that two-factor authentication is excellent, which is why I didn't flag it up in my analysis of potential problems.
#3
Kreij
Senior Monkey Moderator
Nice analysis.
2B: Sync passwords: you have 100 logins stored on your home PC, but are now using your friend's PC and can't get to them – very inconvenient. Windows 8 uses Windows Live to allow password synchronization between the two PC's – assuming the second PC is trusted.
3B: Reset from another PC: you can reset your password from any PC using Windows Live.
Without more details this seems somewhat questionable.
#4
pr0n Inspector
2a: it's just making a password manager part of the OS. Nothing new or dangerous. FOSS DEs have had them for years.
#5
theJesus
Great analysis, I completely agree on all the points. I'd also like to add that it's not a good idea for anybody to rely exclusively on USB recovery, because the USB device could be lost or stolen.
#6
qubit
Overclocked quantum bit
by: qubit
...versions of the TPU module on the motherboard...
Oops - Freudian slip?! :laugh: Fixed.
#7
H82LUZ73
by: Kreij
Nice analysis.
Without more details this seems somewhat questionable.
You need a Live account to log in to Win8, at least it is so now in the DP version.

Also, Microsoft Security Essentials will be bootable from a USB stick in Win8 too, so you have a clean version (just update it on the USB) if Win8 ever gets infected. There was a Win7 version in beta for download... will look. Well, it is Windows Defender. Here is the link: http://windows.microsoft.com/en-US/windows/windows-defender-offline-faq
Download here, 32-bit and 64-bit: http://connect.microsoft.com/systemsweeper
#8
RejZoR
Though time will tell. Google's implementation of two-step authentication was a pain in the rear at first, but they have sort of worked it out now. I still miss SMS verification for every account settings entry, but they apparently think that's not necessary. Because now, once verified, anyone can just log in and change the very critical phone number that does the verification, and Google doesn't even bother to notify the previous number owner if he allows the modification. I hope Microsoft will think of such things as well...
#9
Paulieg
The Mad Moderator
Much better format, Q. Allows a reader to read the facts, then choose whether or not they want your thoughts on the matter. ;)
#10
Yukikaze
by: paulieg
Much better format, Q. Allows a reader to read the facts, then choose whether or not they want your thoughts on the matter. ;)
+1!
#11
brandonwh64
Addicted to Bacon and StarCrunches!!!
by: TheMailMan78
Much better Qubit. Bravo.

As for your fears, all you have to do is look at
"3C: Two factor authentication: you can prove that you're the rightful owner of an account by linking it to a mobile phone or email address"

This is how Google Mail works. When they hack and reroute my home phone THEN I'll worry. Until then Windows 8 sounds more secure than anything else we have used thus far........except maybe Linux lol
I don't think they can reroute unless they physically have your phone to verify the move, right?
#12
Completely Bonkers
It might be short, but you put a lot of time into it. Thanks for the NEWS and concise ANALYSIS.