
Password Security The Windows 8 Way

qubit

Overclocked quantum bit
Joined
Dec 6, 2007
Messages
15,029 (3.93/day)
Likes
8,667
Location
Quantum Well UK
#1
Windows 8 implements a radical new user interface called Metro for desktop PCs, which has so far received a mixed reception. However, there are many other changes under the hood, and one of those is how password security is handled, which we look at here.

It's a fact of life that in today's modern world we have to remember a plethora of passwords and PINs, which can be daunting. This leads to security issues, as users end up writing down passwords and/or creating very insecure ones which can be easily guessed. Windows 8 aims to uphold strong password security while at the same time easing the burden on the user. Also, passwords can be obtained in various ways by miscreants, such as phishing, keylogging, guessing, and cracking. Windows addresses each of these problems in three main ways:

1 Protect against phishing and keylogging

Using these tools protects your computer against the kind of malware that can access your entire computer, such as viruses and trojans.

1A: Secure boot: this uses the new Unified Extensible Firmware Interface (UEFI), which replaces the ancient BIOS in modern motherboards and uses digital signing, which blocks bootkits and rootkits from attacking the system at the lowest level.

1B: SmartScreen: this warns against visiting known bad websites or running suspect applications. It builds up a picture of which are good and bad by using a reputation system.

1C: Windows Defender: previously protecting against just viruses, it has now been expanded into a full security suite, protecting against the usual suspects, such as viruses, worms, bots and rootkits.


2 Protect against guessing and cracking

Long and complex passwords do wonders for security and make system admins very happy. However, they're a nightmare for users to remember and type in - even for the admin... Windows 8 eases the task of creating, using and managing unique and complex passwords.

2A: Store accounts: centralized store for logins to various websites. This is similar to the way that web browsers store this information, except that, being done in Windows, it's available to any other application or browser that can make use of it.

2B: Sync passwords: you have 100 logins stored on your home PC, but are now using your friend's PC and can't get to them – very inconvenient. Windows 8 uses Windows Live to allow password synchronization between the two PCs – assuming the second PC is trusted.

2C: Virtual smart card: this is a software-based version of a smart card. It uses the Trusted Platform Module found in many business PCs and some motherboards for DIY PCs, and works wherever physical smart cards work.


3 Protect against your own forgetfulness

Users shy away from using strong passwords, because they're likely to forget them, especially if they have many to remember. Windows 8 makes it easier to recover from a forgotten password.

3A: USB recovery: passwords are stored in an encrypted USB memory stick that can be used should a password be forgotten.

3B: Reset from another PC: you can reset your password from any PC using Windows Live.

3C: Two factor authentication: you can prove that you're the rightful owner of an account by linking it to a mobile phone or email address.


ANALYSIS

These features all sound wonderful and will indeed make life much easier for the user. However, some of these features would actually appear to potentially create a large attack surface for miscreants to have a pop at. Let's take a look at them:

2A: Store accounts: so any web browser and application can use the information stored here? An application such as that virus which just got onto the PC perhaps? This is a problem, because nothing is 100% secure, regardless of how many layers of security are put in. This feature might be best left switched off. It's also best not to allow any web browser to remember logins, either.

2B: Sync passwords: this requires the second PC to be clean of infection and properly trusted. By "trust", this also means the physical security around it, such that the user isn't shoulder surfed, for example. Use with caution.

2C: Virtual smart card: the details of this would have to be looked into a little more carefully to weigh up the pros and cons of this system. One potential issue could be the versions of the TPM module on the motherboard and smartcards used, as they may not have directly equivalent features, meaning that security compromises might have to be made. The user should be made well aware of any compromises like this before being asked to use this feature.

3B: Reset from another PC: again, how secure is that other PC and the environment it's situated in? Use with caution.

As Windows 8 isn't even at the beta stage yet, firm conclusions and criticisms shouldn't be made right now. However, the issues pointed out are inherent in the feature being implemented and should therefore be monitored very carefully.

Source: PC World
 
#2
Much better Qubit. Bravo.

As for your fears, all you have to do is look at
"3C: Two factor authentication: you can prove that you're the rightful owner of an account by linking it to a mobile phone or email address"

This is how Google Mail works. When they hack and reroute my home phone THEN I'll worry. Until then Windows 8 sounds more secure than anything else we have used thus far........except maybe Linux lol
 

qubit

#3
Thanks, MM :toast:

Indeed that two-factor authentication is excellent, which is why I didn't flag it up in my analysis of potential problems.
 

Kreij

#4
Nice analysis.

"2B: Sync passwords: you have 100 logins stored on your home PC, but are now using your friend's PC and can't get to them – very inconvenient. Windows 8 uses Windows Live to allow password synchronization between the two PCs – assuming the second PC is trusted.
"3B: Reset from another PC: you can reset your password from any PC using Windows Live."
Without more details this seems somewhat questionable.
 
#5
2A: it's just making a password manager part of the OS. Nothing new or dangerous. FOSS DEs have had them for years.
 
#6
Great analysis, I completely agree on all the points. I'd also like to add that it's not a good idea for anybody to rely exclusively on USB recovery, because the USB device could be lost or stolen.
 

#8
"Nice analysis.

"Without more details this seems somewhat questionable."

You need a Live account to log in to Win8, at least it is now in the DP version.

Also, Microsoft Security Essentials will be bootable from a USB stick in Win8 too. So you have a clean version (just update it on the USB) if Win8 gets infected at all... There was a Win7 version in beta for download... will look. Well, it is Windows Defender... Here is the link: http://windows.microsoft.com/en-US/windows/windows-defender-offline-faq Download here, 32-bit and 64-bit: http://connect.microsoft.com/systemsweeper
 
#9
Though time will tell. Google's implementation of two-step authentication was a pain in the rear at first, but they sort of worked it out now. I still miss SMS verification for every account settings entry, but they apparently think that's not necessary. Because now, once verified, anyone can just log in and change the very critical phone number that does the verification, and Google doesn't even bother to notify the previous number owner if he allows the modification. I hope Microsoft will think of such things as well...
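
The gap described in the post above (a logged-in session replacing the verification number with no fresh check and no notice to the old number) is usually closed with step-up verification plus a notification to the previous number. The following is an added example, not code from the thread, Google or Microsoft; the `Account` class, its in-memory `outbox`, the 5-minute lifetime and the phone numbers are all assumptions made for illustration.

```python
import hmac
import secrets
import time

STEP_UP_TTL = 300  # assumed policy: a challenge code is valid for 5 minutes


class Account:
    """Hypothetical account record; `outbox` stands in for an SMS gateway."""

    def __init__(self, phone):
        self.phone = phone
        self.pending = None   # (code, expiry) of the outstanding challenge
        self.outbox = []      # (destination, message) pairs "sent" so far

    def start_phone_change(self, now=None):
        """Send a fresh one-time code to the CURRENT number, even if logged in."""
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending = (code, now + STEP_UP_TTL)
        self.outbox.append((self.phone, f"Code to change your security settings: {code}"))

    def change_phone(self, new_phone, code, now=None):
        """Apply the change only with a valid, unexpired, unused code."""
        now = time.time() if now is None else now
        pending, self.pending = self.pending, None  # one attempt per code
        if pending is None or now > pending[1]:
            return False
        if not hmac.compare_digest(pending[0].encode(), code.encode()):
            return False
        old, self.phone = self.phone, new_phone
        # Tell the previous number, so a hijacked session cannot swap it silently.
        self.outbox.append((old, f"Verification number changed to {new_phone}."))
        return True


def demo():
    """Constructed walk-through with fictional 555-01xx numbers."""
    acct = Account("+1-202-555-0100")
    no_challenge = acct.change_phone("+1-202-555-0199", "000000", now=0)
    acct.start_phone_change(now=0)
    code = acct.outbox[-1][1].split()[-1]
    changed = acct.change_phone("+1-202-555-0199", code, now=60)
    return no_challenge, changed, acct.phone, acct.outbox[-1][0]
```
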
 

Paulieg

#10
Much better format, Q. Allows a reader to read the facts, then choose whether or not they want your thoughts on the matter. ;)
 
#11
"Much better format, Q. Allows a reader to read the facts, then choose whether or not they want your thoughts on the matter. ;)"
+1!
 

brandonwh64

#12
"Much better Qubit. Bravo.

"As for your fears, all you have to do is look at
'3C: Two factor authentication: you can prove that you're the rightful owner of an account by linking it to a mobile phone or email address'

"This is how Google Mail works. When they hack and reroute my home phone THEN I'll worry. Until then Windows 8 sounds more secure than anything else we have used thus far........except maybe Linux lol"

I don't think they can reroute unless they physically have your phone to verify the move, right?
 
#13
It might be short, but you put a lot of time into it. Thanks for the NEWS and concise ANALYSIS
 