Password Security The Windows 8 Way

Discussion in 'News' started by qubit, Dec 20, 2011.

  1. qubit

    qubit Overclocked quantum bit

    Joined:
    Dec 6, 2007
    Messages:
    9,822 (4.04/day)
    Thanks Received:
    3,481
    Windows 8 implements a radical new user interface called Metro for desktop PCs, which has so far received a mixed reception. However, there are many other changes under the hood, and one of those is how password security is handled, which we look at here. It's a fact of life that in today's modern world we have to remember a plethora of passwords and PINs, which can be daunting. This leads to security issues, as users end up writing down passwords and/or creating very insecure ones which can be easily guessed. Windows 8 aims to uphold strong password security while at the same time easing the burden on the user. Also, passwords can be obtained in various ways by miscreants, such as phishing, keylogging, guessing, and cracking. Windows addresses each of these problems in three main ways:

    1 Protect against phishing and keylogging

    Using these tools protects your computer against the kind of malware that can access your entire computer, such as viruses and trojans.

    1A: Secure boot: this uses the new Unified Extensible Firmware Interface (UEFI), which replaces the ancient BIOS in modern motherboards and uses digital signing, which blocks bootkits and rootkits from attacking the system at the lowest level.

    1B: SmartScreen: this warns against visiting known bad websites or running suspect applications. It builds up a picture of which are good and bad by using a reputation system.

    1C: Windows Defender: previously protecting against just viruses, it has now been expanded into a full security suite, protecting against the usual suspects, such as viruses, worms, bots and rootkits.


    2 Protect against guessing and cracking

    Long and complex passwords do wonders for security and make system admins very happy. However, they're a nightmare for users to remember and type in - even for the admin... Windows 8 eases the task of creating, using and managing unique and complex passwords.

    2A: Store accounts: centralized store for logins to various websites. This is similar to the way that web browsers store this information, except that, being done in Windows, it's available to any other application or browser that can make use of it.

    2B: Sync passwords: you have 100 logins stored on your home PC, but are now using your friend's PC and can't get to them – very inconvenient. Windows 8 uses Windows Live to allow password synchronization between the two PCs – assuming the second PC is trusted.

    2C: Virtual smart card: this is a software-based version of a smartcard. It uses the Trusted Platform Module found in many business PCs and some motherboards for DIY PCs, and works wherever physical smart cards work.


    3 Protect against your own forgetfulness

    Users shy away from using strong passwords, because they're likely to forget them, especially if they have many to remember. Windows 8 makes it easier to recover from a forgotten password.

    3A: USB recovery: passwords are stored in an encrypted USB memory stick that can be used should a password be forgotten.

    3B: Reset from another PC: you can reset your password from any PC using Windows Live.

    3C: Two-factor authentication: you can prove that you're the rightful owner of an account by linking it to a mobile phone or email address.


    ANALYSIS

    These features all sound wonderful and will indeed make life much easier for the user. However, some of these features would actually appear to create a potentially large attack surface for miscreants to have a pop at. Let's take a look at them:

    2A: Store accounts: so any web browser and application can use the information stored here? An application such as that virus which just got onto the PC perhaps? This is a problem, because nothing is 100% secure, regardless of how many layers of security are put in. This feature might be best left switched off. It's also best not to allow any web browser to remember logins, either.

    2B: Sync passwords: this requires the second PC to be clean of infection and properly trusted. By "trust", this also means the physical security around it, such that the user isn't shoulder surfed, for example. Use with caution.

    2C: Virtual smart card: the details of this would have to be looked into a little more carefully to weigh up the pros and cons of this system. One potential issue could be the versions of the TPM module on the motherboard and smartcards used, as they may not have directly equivalent features, meaning that security compromises might have to be made. The user should be made well aware of any compromises like this before being asked to use this feature.

    3B: Reset from another PC: again, how secure is that other PC and the environment it's situated in? Use with caution.

    As Windows 8 isn't even at the beta stage yet, firm conclusions and criticisms shouldn't be made right now. However, the issues pointed out are inherent in the feature being implemented and should therefore be monitored very carefully.

    Source: PC World
    Last edited: Dec 20, 2011
  2. TheMailMan78

    TheMailMan78 Big Member

    Joined:
    Jun 3, 2007
    Messages:
    20,904 (7.99/day)
    Thanks Received:
    7,489
    Much better Qubit. Bravo.

    As for your fears, all you have to do is look at
    "3C: Two-factor authentication: you can prove that you're the rightful owner of an account by linking it to a mobile phone or email address"

    This is how Google Mail works. When they hack and reroute my home phone THEN I'll worry. Until then Windows 8 sounds more secure than anything else we have used thus far........except maybe Linux lol
    qubit says thanks.
  3. qubit

    qubit Overclocked quantum bit

    Joined:
    Dec 6, 2007
    Messages:
    9,822 (4.04/day)
    Thanks Received:
    3,481
    Thanks, MM :toast:

    Indeed that two-factor authentication is excellent, which is why I didn't flag it up in my analysis of potential problems.
  4. Kreij

    Kreij Senior Monkey Moderator Staff Member

    Joined:
    Feb 6, 2007
    Messages:
    13,881 (5.08/day)
    Thanks Received:
    5,615
    Location:
    Cheeseland (Wisconsin, USA)
    Nice analysis.

    Without more details this seems somewhat questionable.
    qubit says thanks.
  5. pr0n Inspector

    pr0n Inspector

    Joined:
    Dec 8, 2008
    Messages:
    1,332 (0.65/day)
    Thanks Received:
    164
    2a: it's just making a password manager part of the OS. Nothing new or dangerous. FOSS DEs have had them for years.
  6. theJesus

    theJesus

    Joined:
    Jul 20, 2008
    Messages:
    3,965 (1.80/day)
    Thanks Received:
    859
    Location:
    Ohio
    Great analysis, I completely agree on all the points. I'd also like to add that it's not a good idea for anybody to rely exclusively on USB recovery, because the USB device could be lost or stolen.
  7. qubit

    qubit Overclocked quantum bit

    Joined:
    Dec 6, 2007
    Messages:
    9,822 (4.04/day)
    Thanks Received:
    3,481
    Oops - Freudian slip?! :laugh: Fixed.
    theJesus says thanks.
  8. H82LUZ73

    H82LUZ73

    Joined:
    Mar 26, 2008
    Messages:
    1,782 (0.77/day)
    Thanks Received:
    265
    Location:
    Cobourg,Ontario
    You need a Live account to log in to Win8, at least it is now in the DP version.

    Also, Microsoft Security Essentials will be bootable from a USB stick in Win8 too. So you have a clean (just update it on the USB) version if at all Win8 gets infected... there was a Win7 version in beta for download... will look. Well, it is Windows Defender... Here is the link: http://windows.microsoft.com/en-US/windows/windows-defender-offline-faq and download here, 32-bit and 64-bit: http://connect.microsoft.com/systemsweeper
    Last edited: Dec 20, 2011
  9. RejZoR

    RejZoR

    Joined:
    Oct 2, 2004
    Messages:
    4,471 (1.25/day)
    Thanks Received:
    876
    Location:
    Europe/Slovenia
    Though time will tell. Google's implementation of two-step authentication was a pain in the rear at first, but they sort of worked it out now. I still miss SMS verification for every account settings entry, but they apparently think that's not necessary. Because now, once verified, anyone can just log in and change the very critical phone number that does the verification, and Google doesn't even bother to notify the previous number owner if he allows the modification. I hope Microsoft will think of such things as well...
  10. Paulieg

    Paulieg The Mad Moderator Staff Member

    Joined:
    Feb 19, 2007
    Messages:
    11,912 (4.38/day)
    Thanks Received:
    2,978
    Location:
    Wherever I can find the iron.
    Much better format, Q. Allows a reader to read the facts, then choose whether or not they want your thoughts on the matter. ;)
    Wile E and qubit say thanks.
  11. Yukikaze

    Yukikaze

    Joined:
    Sep 24, 2008
    Messages:
    2,309 (1.08/day)
    Thanks Received:
    481
    +1!
  12. brandonwh64

    brandonwh64 Addicted to Bacon and StarCrunches!!!

    Joined:
    Sep 6, 2009
    Messages:
    18,478 (10.32/day)
    Thanks Received:
    6,013
    Location:
    Chatsworth, GA
    I don't think they can reroute unless they physically have your phone to verify the move, right?
    Crunching for Team TPU
  13. Completely Bonkers New Member

    Joined:
    Feb 6, 2007
    Messages:
    2,580 (0.94/day)
    Thanks Received:
    516
    It might be short, but you put a lot of time into it. Thanks for the NEWS and concise ANALYSIS
    qubit says thanks.