Langa Letter: The End Of Anonymous Surfing? - InformationWeek
10:18 AM
Fred Langa


Microsoft's Passport and its competitors are making it harder than ever for computer users to keep a low profile, Fred Langa says.

But wait, you might say, doesn't the use of the Passport centralized service imply that there's a centralized, consistent privacy policy across all the Passport sites?

In a word, no. In fact, Microsoft's Passport FAQ clearly states that, although it expects its member sites to behave properly:

...the privacy practices of Passport participating sites will vary. Therefore you should carefully review the privacy statement for each Passport participating site you sign in to, in order to determine how each site or service will use the information it collects.

Wow! Think about what that means. Passport users are not only subject to the same site-by-site vagaries of privacy policy as any other users, but they also arrive at each site dragging Passport's persistent tracking number with them. So, ironically, logging on to a site via Passport may actually make you less secure than if you went in on your own, because with Passport, you can't be fully anonymous from session to session.

And there actually are many other ways that Passport information could be abused. One scenario is spelled out in some detail by Joel Spolsky in Does Issuing Passports Make Microsoft A Country?

If Joel's page is too informal for your tastes, try this white paper from AT&T researchers: Risks Of The Passport Single Signon Protocol, or see the additional references at the end of this article.

Crackers' Paradise?
One also can ask legitimate questions about the inherent safety of the Passport central database because Microsoft has a spotty record of managing its online services. See, for example, any number of reports about Hotmail outages, or Messenger woes cast cloud over Hailstorm. Although the Passport central site doesn't gather extremely sensitive data by default, it can do so optionally. If you also choose "make your shopping easier" with the Passport Wallet, your Passport login can be associated with your credit-card numbers and such. The potential for trouble is obvious, so the site is likely to become a prime target for crackers.

While the skills needed for a frontal assault on the full Passport database might be formidable, it probably won't be very hard at all to crack many individual accounts, because each Passport depends on each user choosing a good password.

IT administrators know how hard it is to get users to pick difficult-to-guess passwords. A good password mixes letters, numbers, and punctuation, is at least six characters long, and cannot be found in any dictionary; it should not contain easy-to-guess items such as the names of children or pets. Ideally, a good password is as close to incomprehensibly random as possible while still being memorable without being written down.

But most users pick much simpler passwords, and that means that many Passport accounts may be trivially easy to crack. Because a single name/password can protect a user's online identification at many sites, a breach of a Passport account may have an unusually large ripple effect.
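The password rules described above (length, mixed character classes, no dictionary words, no personal names) can be checked mechanically at enrolment time. The following is an added example, not code from the article or from Microsoft's Passport service; the dictionary and the personal-term list are constructed stand-ins for a real word list and for per-user data, and the six-character minimum is the article's figure rather than current guidance. The guess-space estimate is a rough upper bound that illustrates why a short, single-class password is trivial to crack.

```python
import string

# Constructed sample dictionary: stands in for a real word list
# (for example a system dictionary file) in a production check.
DICTIONARY = {
    "password", "secret", "letmein", "welcome",
    "monkey", "dragon", "sunshine", "qwerty",
}

MIN_LENGTH = 6  # the article's minimum; treat as a floor, not a target


def check_password(pw, personal_terms=()):
    """Return a list of policy violations; an empty list means the password passes.

    personal_terms: constructed per-user strings such as children's or pets' names
    that must not appear anywhere in the password.
    """
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in pw):
        problems.append("no letters")
    if not any(c.isdigit() for c in pw):
        problems.append("no digits")
    if not any(c in string.punctuation for c in pw):
        problems.append("no punctuation")

    lowered = pw.lower()
    # Strip digits and punctuation so that "Password1!" is still recognised
    # as the dictionary word "password" with decoration bolted on.
    core = "".join(c for c in lowered if c.isalpha())
    if lowered in DICTIONARY or core in DICTIONARY:
        problems.append("found in dictionary")

    for term in sorted(personal_terms):
        if term.lower() in lowered:
            problems.append(f"contains personal term {term!r}")
    return problems


def guess_space(pw):
    """Rough upper bound on the number of guesses an attacker needs.

    Pool size is the sum of the character classes actually used, raised to the
    password length. A real cracker does far better than this against
    dictionary-derived passwords, so this is an optimistic figure.
    """
    pool = 0
    if any(c.islower() for c in pw):
        pool += 26
    if any(c.isupper() for c in pw):
        pool += 26
    if any(c.isdigit() for c in pw):
        pool += 10
    if any(c in string.punctuation for c in pw):
        pool += len(string.punctuation)
    return pool ** len(pw)


if __name__ == "__main__":
    # Constructed samples: a name-plus-digits password, a decorated dictionary
    # word, and one that satisfies the policy.
    for candidate in ("fido123", "Password1!", "k7#Qz!p"):
        print(candidate, check_password(candidate, personal_terms={"fido"}),
              "guess space:", guess_space(candidate))
```

Each failed rule is reported separately so the user can be told exactly what to change, and the check is applied at password creation rather than at login, where it would only reveal weak passwords after they are already in use.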

To help overcome some of this fundamental insecurity, just a few weeks ago Microsoft revealed a newer version of Passport that will eventually rely on the P3P (Platform for Privacy Preferences) open standard; but this is of little help today because the standard is still only in working draft form. (See P3P: Protector Of Consumers' Online Privacy for an early analysis.)

Thus, even if P3P eventually helps improve Passport security, it's of no use right now to the millions of people exploring XP and being enticed to sign up for the current version of Passport.

2 of 3