Microsoft's Passport and its competitors are making it harder than ever for computer users to keep a low profile, Fred Langa says.
In a word, no. In fact, Microsoft's Passport FAQ clearly states that, although it expects its member sites to behave properly:
...the privacy practices of Passport participating sites will vary. Therefore you should carefully review the privacy statement for each Passport participating site you sign in to, in order to determine how each site or service will use the information it collects.
One also can ask legitimate questions about the inherent safety of the Passport central database because Microsoft has a spotty record of managing its online services. See, for example,
any number of reports about Hotmail outages, or
Messenger woes cast cloud over Hailstorm. Although the Passport central site doesn't gather extremely sensitive data by default, it can do so optionally. If you also choose "make your shopping easier" with the Passport Wallet, your Passport login can be associated with your credit-card numbers and such. The potential for trouble is obvious, so the site is likely to become a prime target for crackers.
While the skills needed for a frontal assault on the full Passport database might be formidable, it probably won't be very hard at all to crack many individual accounts, because each Passport depends on each user choosing a good password.
IT administrators know how hard it is to get users to pick difficult-to-guess passwords. A good password is a mix of characters, numbers, and punctuation at least six elements in length, such that the password will not be found in any dictionary; it should not comprise easy-to-guess items such as names of children, pets, etc. Ideally, a good password is one that's as close to incomprehensibly random as possible, while still being able to be memorized without writing down.
But most users pick much simpler passwords, and that means that many Passport accounts may be trivially easy to crack. Because a single name/password can protect a user's online identification at many sites, a breach of a Passport account may have an unusually large ripple effect.
To help overcome some of this fundamental insecurity, just a few weeks ago Microsoft revealed a newer version of Passport that will eventually rely on the P3P (Platform for Privacy Preferences) open standard; but this is of little help today because the standard is still only in working draft form. (See P3P: Protector Of Consumers' Online Privacy for an early analysis.)
Thus, even if P3P eventually helps improve Passport security, it's of no use right now to the millions of people exploring XP and being enticed to sign up for the current version of Passport.
Building A Mobile Business MindsetAmong 688 respondents, 46% have deployed mobile apps, with an additional 24% planning to in the next year. Soon all apps will look like mobile apps – and it's past time for those with no plans to get cracking.
Join us for a roundup of the top stories on InformationWeek.com for the week of April 24, 2016. We'll be talking with the InformationWeek.com editors and correspondents who brought you the top stories of the week!