For years, Microsoft has hammered away at the security flaws in its desktop operating system. Now the company is looking to plug another security hole: weak passwords.
“For the moment, Microsoft’s plugging of that hole in its internal systems is not being carried over to its technology for consumers. People with password worries will have to wait and see whether the company puts any provisions in place in its software.”
This article and quote above represent the glaring facts regarding MS and its attitude towards security and its customers.
This is only a dodge to get our attention away from the serious problems currently plaguing its software.
Why be concerned with fixing our current issues? Let’s just sell the next gen of security devices and options that WILL make things better?
No. Customers both Enterprise and Consumer should speak up and demand that their INVESTMENT be supported with their protection and security in mind BY DEFAULT!
Why buy something new when the previous never got fixed in the first place?
Sorry this post sounds a bit angry (I’m really not). But how many times must the curtain fall exposing the wizard for what he is before we understand and stand up?
Our money needs to go elsewhere than MS for them to get it.
How else will this get better?
I can take care of my own computer. Will I still be able to choose whether I use a password at all or not?
Or is the decision in Microsoft's hands? They sure make it difficult for themselves.
A house built on sand will blow away, even if it has steel doors.
The last time I checked (XP SP1 or 2), windows still defaulted to having backwards compatibility for 7 char LM hashes. Meaning password789 is actually stored (and cracked) as ‘passwor’ and ‘d789’.
Maybe you can take care of YOUR computer, but if you have to provide support for 1000+ workplaces with guys who don't even know how to start their Windows Explorer, you would be happy with this.
In fact, everybody should love better security by using smart cards, or better: biometric methods.
No reason to blame bad software, that's ANOTHER issue.
I’m not really sure I see the big advantage here. If they use smart cards, people can steal the smart card and log in with it. At least with a password you can’t steal it.
One thing that’s struck me about passwords is the general dumb approach. Implement a password strength meter (Thunderbird springs to mind as doing this, there are certainly many others I can’t think of at present) and prevent users from having a weak password.
Whoever came up with the idea of forcing password changes didn’t help matters. I’ve seen an office where they have to change once a month; so what happens? They append the number of the month to the end of a short word. Or, even worse, they have to write it down because they keep forgetting the damn things.
Anonymous: I thought they were 8 char hashes? Nonetheless, it makes long passwords effectively useless. There’s some slight benefit to a 14/16 char one, but it’s nothing compared to a 10 char one with a single hash. Hopeless…
You obviously are unable to "take care" of your own computer if you think empty passwords are acceptable. The decision they have to make isn't hard, but obvious. No one should be allowed to have a blank password.
For years, Microsoft has hammered away at the security flaws in its desktop operating system.
Years? They sure fooled me. I think they're going to need more than a smart card.
You obviously are unable to "take care" of your own computer if you think empty passwords are acceptable. The decision they have to make isn't hard, but obvious. No one should be allowed to have a blank password.
The point here is whether you can put the feature on or off or whether Microsoft (or whoever else) puts it up your throat. In PAM, one can put such a feature on or off. In Windows XP as well. I don't think they're gonna force it up our throat, but I do think they're gonna market it heavily.
A single-user OS, not linked to a network, which runs for hobby, educational, or fun purposes could be fine without a password, for example. Even if you disagree, if someone finds a justified situation while it's impossible, then that's a bad thing.
Of course, it's questionable whether the smartcard or biometric authentication alternatives are secure and whether they're secure on their own or in combination with other security measures.
“I’m not really sure I see the big advantage here. If they use smart cards, people can steal the smart card and log in with it. At least with a password you can’t steal it.”
The smart cards should be used with a PIN (to stop others using them); it certainly was when I worked at a bank that used them. Though smart cards do have drawbacks: I managed to get through 5 in 2 months, and they cost £10 a time (I was told; might be less now, though it was only a year ago). For the record, I managed to get through those cards by forgetting 1 (so was issued with another), 2 stopped working (possibly because I kept my card in the same pocket as my loose change), and on my last day I got my password wrong 3 times, so needed a new card. I don't think they were too happy with me then.
Surely smart cards are only half a solution. If a system just requires you have a smart card, it’s not hard to see a way to get into someone else’s area: steal the thing!
You therefore need each smartcard to contain the real security key: password or some biometric. Either way, you are simply letting the would-be trespassers take away the only copy of the key to find out how to copy/change at their leisure, or you have another copy/a hash on the server, and the smart card becomes 100% redundant.
Am I missing something?
…the operating systems let people choose stuff like a random word or a name as a password.
If I were to program the password part of the system, I'd link the application to an Ispell dictionary and list of names, and have the program tell the user briskly that the chosen password is weak and suggest one composed of random alphanumeric characters of alternating case.
I don’t understand why this hasn’t been done yet.
Just switching to passphrases allows you to have an easily remembered password that is very secure. An example of how to create one would be found at Diceware: http://world.std.com/~reinhold/diceware.html
Or you can just come up with a long sentence that actually makes sense, like: "Whenever I see short passwords it makes me want to vomit!" Entropy is lowered, but keyspace is increased at a much greater rate. Throw some dates, times, and proper names into the sentence and you've got a ridiculously secure passphrase that almost anyone can remember.
I’m not really sure I see the big advantage here. If they use smart cards, people can steal the smart card and log in with it. At least with a password you can’t steal it.
That’s why you use *both*. A smartcard *and* a password. Same principle as the cashcard and PIN used by banks.
One thing that’s struck me about passwords is the general dumb approach. Implement a password strength meter (Thunderbird springs to mind as doing this, there are certainly many others I can’t think of at present) and prevent users from having a weak password.
Doesn't work. Users have big problems generating sufficiently complex passwords and even bigger problems remembering them. So you might end up with decent passwords, but they either get stuck under keyboards or in wallets, or you have a helpdesk overwhelmed with "I've forgotten my password" calls.
Whoever came up with the idea of forcing password changes didn’t help matters. I’ve seen an office where they have to change once a month; so what happens? They append the number of the month to the end of a short word. Or, even worse, they have to write it down because they keep forgetting the damn things.
Exactly. Passwords are an awful general purpose authentication tool because they’re hard to generate and hard to remember.
Anonymous: I thought they were 8 char hashes? Nonetheless, it makes long passwords effectively useless. There’s some slight benefit to a 14/16 char one, but it’s nothing compared to a 10 char one with a single hash. Hopeless…
This is a legacy support feature and is easily reconfigurable.
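The LM point raised above, as an added example that is not part of any comment here: this Python mirrors the LM pre-processing step (upper-case, NUL-pad to 14 bytes, split into two 7-byte halves that are hashed independently; the DES step itself is omitted) and estimates the exhaustive-search cost against a hash that covers the whole password. The alphabet sizes are assumptions for the estimate, not figures from the thread.

```python
import math

# Assumed alphabet sizes for the estimates (not from the thread):
# LM upper-cases first, so 26 letters + 10 digits + 32 punctuation + space survive;
# a case-preserving hash sees all 95 printable ASCII characters.
LM_ALPHABET = 69
FULL_ALPHABET = 95


def lm_halves(password):
    """Mirror LM pre-processing: upper-case, NUL-pad to 14 bytes, split 7/7.

    Each half becomes an independent DES key, so an attacker searches the two
    halves separately.  Windows stores no LM hash for passwords over 14 chars.
    """
    if len(password) > 14:
        raise ValueError("LM hashing is only defined for up to 14 characters")
    padded = password.upper().encode("ascii").ljust(14, b"\x00")
    return padded[:7], padded[7:]


def lm_attack_bits(length, alphabet=LM_ALPHABET):
    """log2 of the guesses needed to exhaust an LM hash of a password of this length.

    Because the halves are independent the work is the SUM of the two half
    searches, not the product.  A half that is entirely padding costs nothing.
    """
    first = min(length, 7)
    second = max(length - 7, 0)
    guesses = alphabet ** first + (alphabet ** second if second else 0)
    return math.log2(guesses)


def single_hash_bits(length, alphabet=FULL_ALPHABET):
    """log2 of the guesses to exhaust a hash that covers the whole password at once."""
    return length * math.log2(alphabet)


if __name__ == "__main__":
    print(lm_halves("password789"))          # (b'PASSWOR', b'D789\x00\x00\x00')
    print(round(lm_attack_bits(14), 1))      # ~43.8 bits: two 7-char searches
    print(round(single_hash_bits(10), 1))    # ~65.7 bits: one 10-char search
```

The numbers make the earlier comment concrete: a 14-character LM password costs roughly 44 bits of work, a 10-character password hashed as a single unit roughly 66, which is why disabling LM storage matters more than adding characters.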
If I were to program the password part of the system, I'd link the application to an Ispell dictionary and list of names, and have the program tell the user briskly that the chosen password is weak and suggest one composed of random alphanumeric characters of alternating case.
I don’t understand why this hasn’t been done yet.
It has been done, it’s just optional.
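The dictionary-backed weakness check proposed above, together with the Diceware-style passphrase suggestion from the earlier comment, as an added example that is not code from any poster: the word lists are tiny constructed stand-ins for an Ispell dictionary, a names list and the 7776-word Diceware list, and the thresholds (12 characters, three character classes) are assumptions.

```python
import math
import secrets
import string

# Constructed stand-ins for the Ispell dictionary and names list mentioned above;
# a real deployment would load /usr/share/dict/words or similar.
DICTIONARY = {"password", "letmein", "dragon", "monkey", "welcome", "summer"}
NAMES = {"john", "mary", "michael", "sarah", "alex"}

# Constructed eight-word stand-in for the 7776-word Diceware list
# (the real list gives log2(7776) = 12.9 bits per word; this one gives 3).
WORDLIST = ["acid", "bolt", "cargo", "dune", "ember", "flint", "gale", "hatch"]

CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def weaknesses(password):
    """Return the reasons a candidate password is weak ([] if none found)."""
    reasons = []
    # Strip trailing digits/punctuation so "summer05" (the month-suffix trick
    # described above) is still recognised as the dictionary word "summer".
    core = password.lower().rstrip(string.digits + string.punctuation)
    if len(password) < 12:
        reasons.append("shorter than 12 characters")
    if core in DICTIONARY:
        reasons.append("dictionary word (possibly with digits appended)")
    if core in NAMES:
        reasons.append("personal name (possibly with digits appended)")
    if sum(any(c in cls for c in password) for cls in CLASSES) < 3:
        reasons.append("fewer than three character classes")
    return reasons


def suggest_alternating(length=12):
    """Random alphanumerics with letters forced to alternate case, as proposed above."""
    chars = [secrets.choice(string.ascii_lowercase + string.digits) for _ in range(length)]
    return "".join(c.upper() if i % 2 == 0 else c for i, c in enumerate(chars))


def suggest_passphrase(words=6, wordlist=WORDLIST):
    """Diceware-style passphrase and its entropy in bits: words * log2(list size)."""
    phrase = " ".join(secrets.choice(wordlist) for _ in range(words))
    return phrase, words * math.log2(len(wordlist))
```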
Smartcards in conjunction with a password are not the only security method. Try fingerprint identification and a password. IBM had them on some of their ThinkPads, I believe.
I was very impressed when we upgraded to W2K that I was able to use my user name as my password. I was never asked to change it either.
That's the out-of-the-box security I love.
It can be changed/erased quicker than the owner of the account could even enter it himself. – From Linux, or from Windows…
As pointed out in other posts, and by various research, the most secure password is a passphrase with good mnemonic quality. One particular strategy I liked was to compose the passwords of every first or last character in a known phrase. You get a seemingly random string of characters that's easy to remember.
But…
As computers get stronger the number of required password atoms increases and with that the time to input it.
The number of places requiring a password increases all the time. Thus the temptation to use the same password in all places increases. Give the password to one insecure site and you have given away the key to your life.
My suggestion is to have a private key and a crypto engine on a USB stick.
The first generation continues to trust the computer (vulnerable to man-in-the-middle attacks, but so are passwords), and where a password dialog would previously be presented the user is now just requested to authenticate, either by manipulating the USB device by buttons (OK button or PIN) or fingerprint reader...
The second generation would bypass the computer, and your 'internet agent' would instead forward requests to your cell phone or other mobile device you trust.
The 'internet agent' is what I call a personal information server that serves information to authorized entities on demand (name, address, email and that stuff) instead of those entities storing it in their databases. A PIM subscription service...
Weak passwords are a problem (but not as big as bugs), and this might just be one of my conspiracy crazed ravings, but the first thing that came to mind when I read this was “dongle”.
Since you're going to have to pay for the cards, I wonder what the charges will be. Free with the original software, but about the cost of a license for a replacement, perhaps?
————QUOTE——–
Biometric reader
What: Technology based on a human trait that can be used to identify a person, most often a fingerprint.
Pro: Biometrics cannot be forgotten or stolen; can be used for building and network access.
——————–
UMMMM, yes they can... Oh, I'm going down to the pub for a beer... I'll take my fingerprints and leave them there, OK boss?
Though this is an interesting topic to keep involved with.
I’m not really sure I see the big advantage here. If they use smart cards, people can steal the smart card and log in with it. At least with a password you can’t steal it.
So why not combine the smart card with a password. If you don’t need to store any information on the smartcard why not use a fingerprint or even better a retina scanner instead of the smartcard.
You forgot to make a distinction between permanent passwords, semi-permanent passwords and OTP.
As pointed out in other posts, and by various research, the most secure password is a passphrase with good mnemonic quality.
Precisely, and the use of that (or not) is all a matter of policy, education and creativity. Which are all required when using smartcards as well.