Microsoft to abandon passwords
Submitted by Tudy, 2005-03-15, in Microsoft. 39 comments.

Microsoft has revealed at a security panel at CeBIT that it is preparing to dump passwords in favour of two-factor authentication in forthcoming versions of Windows.

About the author: Eugenia Loli, ex-programmer, ex-editor in chief at OSNews.com, now a visual artist/filmmaker.

Comments:

2005-03-15 6:56 pm
LOL

2005-03-15 6:59 pm
This is going to get modded to oblivion, and deservedly, but: The authentication system only requires a one-liter sample of your blood each time you logon.

2005-03-15 7:00 pm
While there may be merit to their idea, the more likely reason for Microsoft to move to this is that once again they will establish a proprietary login protocol that only they own and control, thereby locking out the ability for competitive products to be compatible with Microsoft-based networks, Samba for example. All they are trying to do at the moment is “sell” the “sizzle” before anyone realizes the underlying implications.

2005-03-15 7:00 pm
This will break RDP if they abandon login-password authentication… Remote Desktop won’t and can’t support physical identification.

2005-03-15 7:03 pm
I agree with anonymous that they are trying to lock out third parties, but anyway I find it a step forward for Windows users (which I deplore) as those passwords never really were secure…

2005-03-15 7:05 pm
> While there may be merit to their idea, the more likely reason for Microsoft to move to this is that once again they will establish a proprietary login protocol that only they own and control, thereby locking out the ability for competitive products to be compatible with Microsoft-based networks, Samba for example.

Yeah, that’s probably the main reason why they’re doing it. That’s not to say that they don’t care about security, but it’s never been as high of a priority as locking out competitors.
2005-03-15 7:14 pm
I don’t believe Microsoft is doing this for the sole purpose of locking out competitors. Passwords are broken and they are trying to do something about it. If it locks out competitors then it’s just a bonus.

2005-03-15 7:15 pm
With NGSCB? With TCPA? With “trusted computing”? No more low-level access to your own hardware? If it is this, Longhorn won’t take a chance on my hardware (as long as hardware does not get bound to NGSCB or MS). For remembering: http://en.wikipedia.org/wiki/NGSCB http://en.wikipedia.org/wiki/Trusted_Computing_Platform_Alliance Well, and what I mean: http://www.againsttcpa.com/

2005-03-15 7:19 pm
Wouldn’t it be more effective if Windows checked any password entered to see how secure it is? Anything too short, any word that is in the spell checker, any letters without numerals, and any names that are on a list of famous people, would all be rejected.

2005-03-15 7:21 pm
Yes, and then everyone would write down their new, hard-to-remember password on a bit of paper and stick it to the monitor. Passwords just completely suck however you look at it.

2005-03-15 7:24 pm
Well, that is already possible, at least since NT4 till WinXP Pro (well, checking of names perhaps only with a bash script). How it is in WinXP Home, I don’t know.

2005-03-15 7:46 pm
> The authentication system only requires a one-liter sample of your blood each time you logon.

Nice try to get rid of the blue screen. Will id Software have to fight against M$ bloody screen patent claims? Is virtual blood considered to be prior art?

2005-03-15 7:47 pm
Hmm – two-factor authentication generally requires an authentication server to authenticate with. I wonder how that would work with home users – will they need to be connected to the internet to login? And whose server will they authenticate with? Microsoft’s? Here we also have a way to control who can login – a good move against piracy too perhaps?
<apologises for conspiracy thinking>

2005-03-15 7:50 pm
Often with a subcontractor or trainee, they leave the company without giving the password for their account/computer. Just wonder how the admin will be able to gain access to the account/computer again? (Of course there is still the possibility of booting Knoppix.) What about losing the physical ‘item’? With banks, for security reasons and due to manufacturing delay, you can stay up to three weeks without a credit card if you lost it. (My company is doing the same for access badges and it’s a PITA when you lose your badge – I had to ask people from my open space to open the door for me for days.)

2005-03-15 8:00 pm
Having your password on your monitor where your friends and family can see it, or having a weak password exposed to the net, where any cracker can bruteforce his way in in a matter of minutes….

Here’s a question: why does MS still use telnet, possibly the most insecure internet protocol ever conceived of? Or have their RPC port range, making locking down their servers a real adventure. Or (my personal favorite), have the filename make something executable. Microsoft has been making great strides in the security department, but there are a great many things that I would like to see happen before something like this.

2005-03-15 8:01 pm
Actually it can be done already: see AC Technologies for two-factor authentication with RDP. I’ve also seen it done with Citrix and smartcards/biometrics (see Activcard) as well. USB readers might already work with RDP, but I haven’t messed enough with them yet.

2005-03-15 8:02 pm
Aren’t they so paranoid? The more forms of identity they try to invent, the worse it becomes.

2005-03-15 8:03 pm
RSA Security chief executive Art Coviello suggested that the effects were already being felt, pointing out that some Australian banks have recently pulled out of planned web services because of security fears. “We are at a confidence crisis.
For the first time we run the risk of taking a step backwards and the reason is the threat of identity theft,” he said.

Which browser were they worried about? Whose software was hacked to get the list of 20,000 users’ soc secs and personal info?

Broda was concerned, however, that a new US database was being used without reference to other countries’ resources. This could lead to companies and individuals being refused access to the country on spurious grounds.

MS can force countries to use their products. They can punish Munich for going with Linux. We have business users at our locations who routinely lose their RSA tokens, or fail to use them for three months and lose the access due to the new Sarbanes-Oxley paper trail rules. I’m not hopeful about the outlook on this. I hope I’m wrong and MS will use open standards to allow interoperability, but then MS’s view of interoperability is between 2000/XP/Longhorn. Probably not even Win2000.

2005-03-15 8:13 pm
It’d be kinda cool if they used contactless smartcards + authentication for physical login, or something like that. Maybe authentication + GPG signature over the net. Bleh, who cares.

2005-03-15 8:23 pm
IMHO, MS is trying a different method to secure the Windows computing environment. In other words, they cannot “fix” their current problems. This is an alternate way to get yourself out of deep creek. They are trying to abandon what they can’t fix!

2005-03-15 8:26 pm
Now they will know who you are, and where you live.

2005-03-15 8:35 pm
I’ve seen companies who have tried a unified smart card type access programme, and it’s been a disaster. People lose smart cards, and with computers and systems you almost always need access to them on a very fluid basis. Who wants to be told they can’t print something out that they need to print in the next five minutes? That’s why directory services have never really taken off in a unified way.
You see many systems in companies where everybody has one password for each of them and it’s going to remain that way. No, this is about lock-in and RSA with the dollar signs in their eyes. Nothing more, nothing less.

2005-03-15 8:44 pm
Heh. How much more monolithic can they get? Keep modifying, MS; and while you’re at it, keep *following*. 😉 Flounder into oblivion. I don’t think you’ll be here in ten years. –EyeAm “New and powerful OSes are coming.”

2005-03-15 8:52 pm
Two-item security is good to a point. Biometrics can be faked (everything but face recognition very easily). Cards will be lost very quickly (how many people lose their car keys, if only for a little while?). It will inhibit random theft, but malicious theft will be a problem. And how do they deal with computers that don’t go on the Internet? That means local authentication.

2005-03-15 9:18 pm
With Win2k3 you do it through system policies, and the default setting is like 8 alphanumeric characters.

2005-03-15 11:02 pm
First para of linked article by BRUCE SCHNEIER: “Two-factor authentication isn’t our savior. It won’t defend against phishing. It’s not going to prevent identity theft. It’s not going to secure online accounts from fraudulent transactions. It solves the security problems we had ten years ago, not the security problems we have today.” http://www.schneier.com/blog/archives/2005/03/the_failure_of.html Seems topical.

2005-03-15 11:16 pm
> With Win2k3 you do it through system policies, and the default setting is like 8 alphanumeric characters.

With the password being written on a sticker on the monitor? Security must be taken seriously, or it will be practically non-present. And users will only take it seriously if security breaches damage them personally.

2005-03-15 11:25 pm
Same old, same crap, same lies, same old-fashioned story: “Wait, you will see on the new next winb-dksjqhfk… you will get: security, reliability, blablaity, vaporwarity, and the coffee.
(And me the money) In using Microsoft I become a poet. Wait and see? No, wait and laugh.

2005-03-15 11:39 pm
People are consistently hacking Microsoft systems through password guessing and spying, because that’s the only hole in an updated Windows system…. *hundreds of reporters laugh*

2005-03-16 12:29 am
Microsoft’s security woes are NOT password related. Microsoft’s biggest security weakness is the terrible code it produces, and the terrible designs it seems to sign off for implementation. This announcement is just something to stay in the news and tickle the non-technical IT decision makers who seem to think that M$ is the only way to go. I am still shocked such people exist. I know of a high-rate financial transaction company. Their business is to trade “continuously” and rapidly. Yet their systems are M$ based. They fall over. They die. They slow to a crawl. They corrupt. Want to know how often they reboot their “continuous trading” system? Every 2 months? Every week? Nope. Every 6 hours. They even have an automated rebooter. That’s the only reliable thing in their setup. And yes – availability is a core component of security.

2005-03-16 12:34 am
Well, considering there are so many ways to enter an MS Windows machine, they may as well give up the illusion that passwords were ever useful. Passwords just slow down valid users, whilst dodgy folk enter through backdoors circumventing passwords. Do as the USA’s NSA does – use the NSA-hardened SELinux distribution!

2005-03-16 12:37 am
May I add… Security is by design – designed right from the heart of a software product. MS products evolved over time with the main aims to cut off competition and to maximise profit. Their software was hacked together gradually and often in ad-hoc ways, therefore lacking any deeply embedded security.

2005-03-16 1:06 am
They aren’t dumping passwords, so much as augmenting them with additional measures. “I believe that the time of password-only authentication is gone,” as the article states.
Two-factor auth can mean a lot of things. Traditionally this is a token + password, but it could involve biometrics potentially. The three authentication factors are “something you know” e.g. password, “something you have” e.g. SecurID token, and “something you are” e.g. retina scanning biometrics. Certain forms of two-factor auth would work fine remotely, e.g. SecurID. Two-factor auth on Linux is already quite easy, albeit unwieldy, with OPIE and S/Key.

2005-03-16 1:24 am
And how do we know that it’s your blood being fed into the computer, hhmmm??

2005-03-16 3:20 am
I think it’s been pretty well documented: The length of passwords that we can crack with a password guessing tool is growing longer, as computing power improves over time. The length of passwords that we can remember will always stay the same. Therefore, at some point in time, any possible password that we can remember will be susceptible to cracking. No matter if your password is 3Ld:q!5pds, or if it is a long passphrase. At some point, computers will get so fast that they’ll be able to crack them. Some would contend that this time has already passed… It’s like computer chess. The best computer players are always getting better over time, as computing power increases. The best human players are always at the same (high) level. At some point, the best computer players will surpass the best humans.

2005-03-16 5:37 am
It costs $$ to deploy and administer. And as someone pointed out already, it won’t work for a user disconnected from the net (or who is not behind the corporate firewall, unless some tricky forwarding is set up). I suppose MS might propose that passwords might be allowed for local logins with no (LAN) network rights, but that would be burdensome for small companies who don’t want to pay for the two-factor authentication server (which I assume will cost more than a domain controller) and a set of hardware tokens for their employees.
Besides, allowing passwords for local logins would work against the additional security they’re trying to provide.

2005-03-16 5:06 pm
The same idiots that put their passwords on sticky notes on their monitors will be leaving their cards next to the keyboard. I know it and you know it. Why do we have to take everyone else’s stupidity into factor when trying to do something correct? It’s counterproductive.

2005-03-16 5:49 pm
First off… two-factor authentication is not generally appropriate. It might be great for a corporate application, but for home use, or even a community lab, it’s not appropriate. MS will either preserve the password option (presumably just as they will with the no-password-at-all option), or they are going to have even more irate customers. I would guess the former.

Second… Two-factor authentication is not necessarily going to devastate various protocols that currently use password-based (single factor) approaches. The simplest implementations of two-factor authentication are to: 1.) use a hash derived from the two factors and exchange that, and simpler yet: simply append the hashes of the two discrete factors and exchange a hash that can be treated as single- or two-factor. Either way, maintaining interoperability isn’t too hard. Further, I don’t buy the suggestion that they would care about RDP issues; they own the protocol and the software, they’d just change it. While Microsoft doesn’t like it, they do recognize that a large number of their customers use UNIX servers to serve Windows shares and that in the general case that performs better than their product offerings. These days they are sensitive to antagonizing corporate customers (who are increasingly annoyed by Microsoft’s products and business practices).

2005-03-17 6:09 pm
“having your password on your monitor where your friends and family can see it, or having a weak password exposed to the net, where any cracker can bruteforce his way in a matter of minutes….
” The lesser of two evils still isn’t _good_. Forcing secure passwords is a good thing, I’m not disputing that. However, it’s not a sufficient solution to the inherent problems of solely password-based authentication.
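The combined-credential idea from the 2005-03-16 5:49 pm comment (hash each factor, append the hashes, and exchange one digest that a password-only protocol can carry unchanged), worked through as an added example that is not code from the thread or from Microsoft. The “something you have” is modelled as an HMAC-based one-time code from a constructed token secret, the password and secret are constructed demo values, and names such as derive_credential and Verifier are this example’s own.

```python
import hashlib
import hmac

# Constructed demo values (not from the thread): a user's password and the
# secret inside their hardware token. A real server would keep a salted,
# slow password hash; plain SHA-256 is used here only to keep the scheme visible.
PASSWORD = "correct horse battery staple"
TOKEN_SECRET = bytes.fromhex("0123456789abcdef" * 4)

def token_code(token_secret: bytes, counter: int) -> str:
    """'Something you have': a 6-digit HOTP-style code for the given counter."""
    mac = hmac.new(token_secret, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"

def derive_credential(password: str, code: str) -> str:
    """Client side, the commenter's second variant: hash each factor, append
    the two hashes, hash the result. One digest goes over the wire, so a
    protocol built for a single password needs no format change."""
    h_know = hashlib.sha256(password.encode()).digest()
    h_have = hashlib.sha256(code.encode()).digest()
    return hashlib.sha256(h_know + h_have).hexdigest()

class Verifier:
    """Server side: holds the password hash and token secret, recomputes the
    digest expected for the current counter and compares in constant time."""
    def __init__(self, password: str, token_secret: bytes):
        self._pw_hash = hashlib.sha256(password.encode()).digest()
        self._token_secret = token_secret
        self.counter = 0  # advances on every accepted login, so a digest is single-use

    def verify(self, presented: str) -> bool:
        expected_code = token_code(self._token_secret, self.counter)
        h_have = hashlib.sha256(expected_code.encode()).digest()
        expected = hashlib.sha256(self._pw_hash + h_have).hexdigest()
        if hmac.compare_digest(expected, presented):
            self.counter += 1
            return True
        return False

def demo() -> tuple:
    """Returns (correct login, replay of the same digest, wrong password)."""
    server = Verifier(PASSWORD, TOKEN_SECRET)
    first = derive_credential(PASSWORD, token_code(TOKEN_SECRET, 0))
    ok = server.verify(first)
    replayed = server.verify(first)  # counter has moved on: rejected
    bad = server.verify(derive_credential("wrong", token_code(TOKEN_SECRET, 1)))
    return ok, replayed, bad
```

What makes the single digest two-factor rather than just a longer password is the server-side counter: without something that changes per login, a captured digest would be replayable exactly like a captured password hash.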