Password Security The Windows 8 Way

qubit

Overclocked quantum bit
Joined
Dec 6, 2007
Messages
17,866 (3.00/day)
Location
Quantum Well UK
System Name Quantumville™
Processor Intel Core i7-2700K @ 4GHz
Motherboard Asus P8Z68-V PRO/GEN3
Cooling Noctua NH-D14
Memory 16GB (2 x 8GB Corsair Vengeance Black DDR3 PC3-12800 C9 1600MHz)
Video Card(s) MSI RTX 2080 SUPER Gaming X Trio
Storage Samsung 850 Pro 256GB | WD Black 4TB | WD Blue 6TB
Display(s) ASUS ROG Strix XG27UQR (4K, 144Hz, G-SYNC compatible) | Asus MG28UQ (4K, 60Hz, FreeSync compatible)
Case Cooler Master HAF 922
Audio Device(s) Creative Sound Blaster X-Fi Fatal1ty PCIe
Power Supply Corsair AX1600i
Mouse Microsoft Intellimouse Pro - Black Shadow
Keyboard Yes
Software Windows 10 Pro 64-bit
Windows 8 implements a radical new user interface called Metro for desktop PCs, which has so far received a mixed reception. However, there are many other changes under the hood and one of those is how password security is handled, which we look at here.

It's a fact of life that in today's modern world, we have to remember a plethora of passwords and PINs, which can be daunting. This leads to security issues as users end up writing down passwords and/or creating very insecure ones which can be easily guessed. Windows 8 aims to uphold strong password security, while at the same time easing the burden on the user. Also, passwords can be obtained in various ways by miscreants, such as phishing, keylogging, guessing, and cracking. Windows addresses each of these problems in three main ways:

1 Protect against phishing and keylogging

Using these tools protects your computer against the kind of malware that can access your entire computer, such as viruses and trojans.

1A: Secure boot: this uses the new Unified Extensible Firmware Interface (UEFI), which replaces the ancient BIOS in modern motherboards and uses digital signing, which blocks bootkits and rootkits from attacking the system at the lowest level.

1B: SmartScreen: this warns against visiting known bad websites or running suspect applications. It builds up a picture of which are good and bad by using a reputation system.

1C: Windows Defender: previously protecting against just viruses, it has now been expanded into a full security suite, protecting against the usual suspects, such as viruses, worms, bots and rootkits.


2 Protect against guessing and cracking

Long and complex passwords do wonders for security and make system admins very happy. However, they're a nightmare for users to remember and type in - even for the admin... Windows 8 eases the task of creating, using and managing unique and complex passwords.

2A: Store accounts: centralized store for logins to various websites. This is similar to the way that web browsers store this information, except that being done in Windows, it's available to any other application or browser that can make use of it.

2B: Sync passwords: you have 100 logins stored on your home PC, but are now using your friend's PC and can't get to them - very inconvenient. Windows 8 uses Windows Live to allow password synchronization between the two PCs - assuming the second PC is trusted.

2C: Virtual smart card: this is a software-based version of a smartcard. It uses the Trusted Platform Module found in many business PCs and some motherboards for DIY PCs and works wherever physical smart cards work.


3 Protect against your own forgetfulness

Users shy away from using strong passwords, because they're likely to forget them, especially if they have many to remember. Windows 8 makes it easier to recover from a forgotten password.

3A: USB recovery: passwords are stored in an encrypted USB memory stick that can be used should a password be forgotten.

3B: Reset from another PC: you can reset your password from any PC using Windows Live.

3C: Two factor authentication: you can prove that you're the rightful owner of an account by linking it to a mobile phone or email address.


ANALYSIS

These features all sound wonderful and will indeed make life much easier for the user. However, some of these features would actually appear to potentially create a large attack surface for miscreants to have a pop at. Let's take a look at them:

2A: Store accounts: so any web browser and application can use the information stored here? An application such as that virus which just got onto the PC perhaps? This is a problem, because nothing is 100% secure, regardless of how many layers of security are put in. This feature might be best left switched off. It's also best not to allow any web browser to remember logins, either.

2B: Sync passwords: this requires the second PC to be clean of infection and properly trusted. By "trust", this also means the physical security around it, such that the user isn't shoulder surfed, for example. Use with caution.

2C: Virtual smart card: the details of this would have to be looked into a little more carefully to weigh up the pros and cons of this system. One potential issue could be the versions of the TPM module on the motherboard and smartcards used, as they may not have directly equivalent features, meaning that security compromises might have to be made. The user should be made well aware of any compromises like this before being asked to use this feature.

3B: Reset from another PC: again, how secure is that other PC and the environment it's situated in? Use with caution.

As Windows 8 isn't even at the beta stage yet, firm conclusions and criticisms shouldn't be made right now. However, the issues pointed out are inherent in the feature being implemented and should therefore be monitored very carefully.


TheMailMan78

Big Member
Joined
Jun 3, 2007
Messages
22,599 (3.68/day)
Location
'Merica. The Great SOUTH!
System Name TheMailbox 5.0 / The Mailbox 4.5
Processor RYZEN 1700X / Intel i7 2600k @ 4.2GHz
Motherboard Fatal1ty X370 Gaming K4 / Gigabyte Z77X-UP5 TH Intel LGA 1155
Cooling MasterLiquid PRO 280 / Scythe Katana 4
Memory ADATA RGB 16GB DDR4 2666 16-16-16-39 / G.SKILL Sniper Series 16GB DDR3 1866: 9-9-9-24
Video Card(s) MSI 1080 "Duke" with 8Gb of RAM. Boost Clock 1847 MHz / ASUS 780ti
Storage 256Gb M4 SSD / 128Gb Agelity 4 SSD , 500Gb WD (7200)
Display(s) LG 29" Class 21:9 UltraWide® IPS LED Monitor 2560 x 1080 / Dell 27"
Case Cooler Master MASTERBOX 5t / Cooler Master 922 HAF
Audio Device(s) Realtek ALC1220 Audio Codec / SupremeFX X-Fi with Bose Companion 2 speakers.
Power Supply Seasonic FOCUS Plus Series SSR-750PX 750W Platinum / SeaSonic X Series X650 Gold
Mouse SteelSeries Sensei (RAW) / Logitech G5
Keyboard Razer BlackWidow / Logitech (Unknown)
Software Windows 10 Pro (64-bit)
Benchmark Scores Benching is for bitches.
Much better Qubit. Bravo.

As for your fears, all you have to do is look at
"3C: Two factor authentication: you can prove that you're the rightful owner of an account by linking it to a mobile phone or email address"

This is how Google Mail works. When they hack and reroute my home phone THEN I'll worry. Until then Windows 8 sounds more secure than anything else we have used thus far........except maybe Linux lol
 

qubit

Thanks, MM :toast:

Indeed that two-factor authentication is excellent, which is why I didn't flag it up in my analysis of potential problems.
 

Kreij

Senior Monkey Moderator
Joined
Feb 6, 2007
Messages
13,817 (2.21/day)
Location
Cheeseland (Wisconsin, USA)
Nice analysis.

2B: Sync passwords: you have 100 logins stored on your home PC, but are now using your friend's PC and can't get to them – very inconvenient. Windows 8 uses Windows Live to allow password synchronization between the two PCs – assuming the second PC is trusted.
3B: Reset from another PC: you can reset your password from any PC using Windows Live.

Without more details this seems somewhat questionable.
 
Joined
Dec 8, 2008
Messages
1,334 (0.24/day)
2A: it's just making a password manager part of the OS. Nothing new or dangerous. FOSS DEs have had them for years.
 
Joined
Jul 20, 2008
Messages
4,016 (0.70/day)
Location
Ohio
System Name Desktop|| Virtual Host 0
Processor Intel Core i5 2500-K @ 4.3ghz || 2x Xeon L5630 (total 8 cores, 16 threads)
Motherboard ASUS P8Z68-V || Dell PowerEdge R710 (Intel 5520 chipset)
Cooling Corsair Hydro H100 || Stock hotplug fans and passive heatsinks
Memory 4x4gb Corsair Vengeance DDR3 1600 || 12x4gb Hynix DDR3 1066 FB-DIMMs
Video Card(s) MSI GTX 760 Gaming Twin Frozr 4GB OC || Don't know, don't care
Storage Hitachi 7K3000 2TB || 6x300gb 15k rpm SAS internal hotswap, 12x3tb Seagate NAS drives in enclosure
Display(s) ViewSonic VA2349S || remote iDRAC KVM console
Case Antec P280 || Dell PowerEdge R710
Audio Device(s) HRT MusicStreamer II+ and Focusrite Scarlett 18i8 || Don't know, don't care
Power Supply SeaSonic X650 Gold || 2x870w hot-swappable
Mouse Logitech G500 || remote iDRAC KVM console
Keyboard Logitech G510 || remote iDRAC KVM console
Software Win7 Ultimate x64 || VMware vSphere 6.0 with vCenter Server 6.0
Benchmark Scores Over 9000 on the scouter
Great analysis, I completely agree on all the points. I'd also like to add that it's not a good idea for anybody to rely exclusively on USB recovery, because the USB device could be lost or stolen.
 

Joined
Mar 26, 2008
Messages
1,877 (0.32/day)
Location
Cobourg,Ontario
System Name RyZen FX
Processor AMD Ryzen 9 5900x
Motherboard Gigabyte B550 Aorus Elite AX V2
Cooling DeepCool AK400 Zero Dark Plus
Memory Corsair CMK32GX4M2E3200C16 X2 32gig dual channel
Video Card(s) ASUS RX 7700XT TUF OC
Storage x2 Lexar SSD NM710 2TB 2XSeagate 1Terrabyte 1x Seagate 2 Terrabyte
Display(s) 40 Inch Samsung HDTV (monitor)
Case HAF-X:)
Audio Device(s) AMD/HDMI to Onkyo HT-R508 Receiver
Power Supply EVGA SuperNOVA 1000 G2 Power Supply
Software Windows 10 Pro X64
Nice analysis.

Without more details this seems somewhat questionable.

You need a Live account to log in to Win8, at least as it is now in the DP version.

Also, the Microsoft Security Essentials will be bootable from a USB stick in Win8 too. So you have a clean version (just update it on the USB) if Win8 gets infected at all... There was a Win7 version in beta for download... will look. Well, it is Windows Defender... Here is the link: http://windows.microsoft.com/en-US/windows/windows-defender-offline-faq Download here, 32-bit and 64-bit: http://connect.microsoft.com/systemsweeper
 
Joined
Oct 2, 2004
Messages
13,791 (1.94/day)
Though time will tell. Google's implementation of two-step authentication was a pain in the rear at first but they've sort of worked it out now. I still miss SMS verification for every account settings entry but they apparently think that's not necessary. Because now, once verified, anyone can just log in and change the very critical phone number that does the verification and Google doesn't even bother to notify the previous number owner if he allows the modification. I hope Microsoft will think of such things as well...
 
Joined
Feb 19, 2007
Messages
12,453 (1.99/day)
Location
Yankee lost in the Mountains of East TN
Processor 5800x(2)/5700g/5600x/5600g/2700x/1700x/1700
Motherboard MSI B550 Carbon (2)/ MSI z490 Unify/Asus Strix B550-F/MSI B450 Tomahawk (3)
Cooling EK AIO 360 (2)/EK AIO 240, Arctic Cooling Freezer II 280/EVGA CLC 280/Noctua D15/Cryorig M9(2)
Memory 32 GB Ballistix Elite/32 GB TridentZ/16GB Mushkin Redline Black/16 GB Dominator
Video Card(s) Asus Strix RTX3060/EVGA 970(2)/Asus 750 ti/Old Quadros
Storage Samsung 970 EVO M.2 NVMe 500GB/WD Black M.2 NVMe 500GB/Adata 500gb NVMe
Display(s) Acer 1080p 22"/ (3) Samsung 22" 1080p
Case (2) Lian Li Lancool II Mesh/Corsair 4000D /Phanteks Eclipse 500a/Be Quiet Pure Base 500/Bones of HAF
Power Supply EVGA Supernova 850G(2)/EVGA Supernova GT 650w/Phantek Amps 750w/Seasonic Focus 750w
Mouse Generic Black wireless (5)
Keyboard Generic Black wireless (5)
Software Win 10/Ubuntu
Much better format, Q. Allows a reader to read the facts, then choose whether or not they want your thoughts on the matter. ;)
 
Joined
Sep 24, 2008
Messages
2,665 (0.47/day)
System Name Dire Wolf IV
Processor Intel Core i9 14900K
Motherboard Asus ROG STRIX Z790-I GAMING WIFI
Cooling Arctic Liquid Freezer II 280
Memory 2x24GB Corsair DDR5 6667
Video Card(s) NVIDIA RTX4080 FE
Storage AORUS Gen4 7300 1TB + Western Digital SN750 500GB
Display(s) Alienware AW3423DWF (QD-OLED, 3440x1440, 165hz)
Case Corsair Airflow 2000D
Power Supply Corsair SF1000L
Mouse Razer Deathadder Essential
Keyboard Chuangquan CQ84
Software Windows 11 Professional
Much better format, Q. Allows a reader to read the facts, then choose whether or not they want your thoughts on the matter. ;)

+1!
 

brandonwh64

Addicted to Bacon and StarCrunches!!!
Joined
Sep 6, 2009
Messages
19,542 (3.68/day)
Much better Qubit. Bravo.

As for your fears, all you have to do is look at
"3C: Two factor authentication: you can prove that you're the rightful owner of an account by linking it to a mobile phone or email address"

This is how Google Mail works. When they hack and reroute my home phone THEN I'll worry. Until then Windows 8 sounds more secure than anything else we have used thus far........except maybe Linux lol

I don't think they can reroute unless they physically have your phone to verify the move, right?
 

Completely Bonkers

New Member
Joined
Feb 6, 2007
Messages
2,576 (0.41/day)
Processor Mysterious Engineering Prototype
Motherboard Intel 865
Cooling Custom block made in workshop
Memory Corsair XMS 2GB
Video Card(s) FireGL X3-256
Display(s) 1600x1200 SyncMaster x 2 = 3200x1200
Software Windows 2003
It might be short, but you put a lot of time into it. Thanks for the NEWS and concise ANALYSIS
 