Software // Enterprise Applications
Commentary
10/30/2001
10:18 AM
Fred Langa
Fred Langa
Commentary
50%
50%

Langa Letter: The End Of Anonymous Surfing?

Microsoft's Passport and its competitors are making it harder than ever for computer users to keep a low profile, Fred Langa says.

But wait, you might say, doesn't the use of the Passport centralized service imply that there's a centralized, consistent privacy policy across all the Passport sites?

In a word, no. In fact, Microsoft's Passport FAQ clearly states that, although it expects its member sites to behave properly:

...the privacy practices of Passport participating sites will vary. Therefore you should carefully review the privacy statement for each Passport participating site you sign in to, in order to determine how each site or service will use the information it collects.

Wow! Think about what that means. Passport users are not only subject to the same site-by-site vagaries of privacy policy as any other users, but they also arrive at each site dragging Passport's persistent tracking number with them. So, ironically, logging on to a site via Passport may actually make you less secure than if you went in on your own, because with Passport, you can't be fully anonymous from session to session.

And there actually are many other ways that Passport information could be abused. One scenario is spelled out in some detail by Joel Spolsky in Does Issuing Passports Make Microsoft A Country?

If Joel's page is too informal for your tastes, try this white paper from AT&T researchers: Risks Of The Passport Single Signon Protocol, or see the additional references at the end of this article.

Crackers' Paradise?
One also can ask legitimate questions about the inherent safety of the Passport central database because Microsoft has a spotty record of managing its online services. See, for example, any number of reports about Hotmail outages, or Messenger woes cast cloud over Hailstorm. Although the Passport central site doesn't gather extremely sensitive data by default, it can do so optionally. If you also choose "make your shopping easier" with the Passport Wallet, your Passport login can be associated with your credit-card numbers and such. The potential for trouble is obvious, so the site is likely to become a prime target for crackers.

While the skills needed for a frontal assault on the full Passport database might be formidable, it probably won't be very hard at all to crack many individual accounts, because each Passport depends on each user choosing a good password.

IT administrators know how hard it is to get users to pick difficult-to-guess passwords. A good password is a mix of characters, numbers, and punctuation at least six elements in length, such that the password will not be found in any dictionary; it should not comprise easy-to-guess items such as names of children, pets, etc. Ideally, a good password is one that's as close to incomprehensibly random as possible, while still being able to be memorized without writing down.

But most users pick much simpler passwords, and that means that many Passport accounts may be trivially easy to crack. Because a single name/password can protect a user's online identification at many sites, a breach of a Passport account may have an unusually large ripple effect.

To help overcome some of this fundamental insecurity, just a few weeks ago Microsoft revealed a newer version of Passport that will eventually rely on the P3P (Platform for Privacy Preferences) open standard; but this is of little help today because the standard is still only in working draft form. (See P3P: Protector Of Consumers' Online Privacy for an early analysis.)

Thus, even if P3P eventually helps improve Passport security, it's of no use right now to the millions of people exploring XP and being enticed to sign up for the current version of Passport.

Previous
2 of 3
Next
Comment  | 
Print  | 
More Insights
Building A Mobile Business Mindset
Building A Mobile Business Mindset
Among 688 respondents, 46% have deployed mobile apps, with an additional 24% planning to in the next year. Soon all apps will look like mobile apps and it's past time for those with no plans to get cracking.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest, Dec. 9, 2014
Apps will make or break the tablet as a work device, but don't shortchange critical factors related to hardware, security, peripherals, and integration.
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Join us for a roundup of the top stories on InformationWeek.com for the week of December 14, 2014. Be here for the show and for the incredible Friday Afternoon Conversation that runs beside the program.
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.