Bypassing The Password, Part 1: Windows 10 Scaremongering - InformationWeek
Software // Operating Systems | Commentary
4/20/2015 08:06 AM
Joe Stanganelli

Microsoft's hype of its upcoming biometrics system in Windows 10, spouting the virtues of biometrics over traditional password-based security, seems misguided at best -- misleading at worst.

Microsoft recently announced that it's building new biometric enhancements into Windows 10. The company boasts that its new biometric security platform -- with the friendly name Windows Hello -- offers support for facial, iris, and fingerprint scanning as a complete alternative to passwords.

"[N]ot only is Windows Hello more convenient than typing a password -- it's more secure!" beams Microsoft VP Joe Belfiore in a company blog post justifying his claim of added security by implying that passwords inherently compromise security because they have to be stored on a device or a server.

This seems disingenuous -- or, at least, seriously misguided.

Passwords have their problems, to be sure, as they are typically only as good as the person making them. (One might call those who use "123456" as their passwords examples of InfoSec Darwinism waiting to happen.) Additionally, many password reset methods can be problematic -- especially when those in charge of the resets fail to follow proper procedure and policy.

Phishing, too, represents a significant password risk. Enterprising (if frequently artless) social engineers blast out spoof emails to get a user to click on a malicious link -- which then may trick the user into giving up his password with a phony login screen and/or installing malware onto the user's computer. Fortunately, phishing attempts can usually be spotted by the trained eye, and basic data security awareness and training can effectively combat password phishing. Some companies have been successful by sending fake phishing emails to their employees. Anyone who clicks on a link is informed that they would have fallen for a phishing scam and then compelled to take a quick online training course on the spot. Companies using this method, according to security consultant Chris Hadnagy, have seen up to a 75% reduction in successful phishing attempts.

Biometrics arguably are at least as problematic as passwords as a single-sign-on factor. Fingerprints have been shown to be easily hackable, as have iris and face scans. Indeed, security researchers have shown that fingerprints and other biometric markers can be phished and reappropriated just as easily as passwords can.

Although Microsoft boasts that Windows Hello allows users to be "more secure" by using biometrics to avoid storing passwords locally, it will reportedly store biometric credential data locally. This potentially allows a hacker or thief the same access to data pertaining to user login credentials -- password or no.

The problem with passwords is less an inherent one than a matter of password management. Significant password breaches have largely happened because of other vulnerabilities combined with a lack of sufficient (sometimes any) encryption. This was the issue Adobe had in 2013 when it suffered a potentially record-setting data breach that compromised more than 150 million customers' information. Adobe's encryption was weak overall, its backup systems used obsolete technology, its user password hints were stored in plaintext, and its user passwords were not salted and hashed -- making many of its user passwords easily guessable by even the most neophyte cryptologist -- and potentially compromising Adobe's encryption key entirely.
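The two storage defects named above (unsalted, deterministic password digests and plaintext hints stored beside them) compound each other: every account that chose the same password ends up with the same stored value, so a leaked database clusters those accounts together and each cluster's hints become collective clues for one shared password. The following added example (not code from the article or from Adobe; the user records are constructed) contrasts that weak scheme with per-user salted PBKDF2 hashing and no stored hint. The constructed data, function names and the iteration count are assumptions for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample accounts (not from the page): two users happen to share a password.
SAMPLE_USERS = [
    ("alice@example.com", "sunshine1", "my favourite weather"),
    ("bob@example.com", "sunshine1", "weather"),
    ("carol@example.com", "Tr0ub4dor&3", "comic strip"),
]


def store_unsalted(users):
    """Weak scheme: one deterministic SHA-256 digest per password, hint kept in the clear."""
    return {
        email: {"digest": hashlib.sha256(password.encode()).hexdigest(), "hint": hint}
        for email, password, hint in users
    }


def clusters_by_digest(record_store):
    """Group accounts whose stored digests are identical.

    Under the unsalted scheme an identical digest means an identical password,
    so a leaked table hands out these clusters for free. The defender's check:
    a properly salted store never produces a cluster.
    """
    groups = {}
    for email, record in record_store.items():
        groups.setdefault(record["digest"], []).append(email)
    return {digest: emails for digest, emails in groups.items() if len(emails) > 1}


def hash_password(password, salt=None, iterations=100_000):
    """Hardened scheme: random 16-byte per-user salt plus PBKDF2-HMAC-SHA256.

    The salt makes equal passwords hash differently; the iteration count slows
    offline guessing. No hint field exists to store.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "digest": digest.hex()}


def verify_password(record, candidate):
    """Recompute with the stored salt and compare in constant time."""
    recomputed = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(recomputed.hex(), record["digest"])


def store_salted(users):
    """The hint is deliberately discarded; only salt, parameters and digest are kept."""
    return {email: hash_password(password) for email, password, _hint in users}


if __name__ == "__main__":
    weak = store_unsalted(SAMPLE_USERS)
    for digest, emails in clusters_by_digest(weak).items():
        hints = [weak[e]["hint"] for e in emails]
        print(f"shared password among {emails}; hints leaked together: {hints}")
    strong = store_salted(SAMPLE_USERS)
    print("clusters in salted store:", clusters_by_digest(strong))
    print("login check:", verify_password(strong["carol@example.com"], "Tr0ub4dor&3"))
```

Run stand-alone, the weak store reports alice and bob as one cluster with both hints attached, while the salted store reports no clusters even though the two users still share a password.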

Therefore, it would seem that as long as you don't have the hacking power of a nation-state working to infiltrate your systems, and you and your employees practice a modicum of intelligence, regular old multifactor authentication with a password component (combined with a biometric component, if you like) can be plenty secure. Passwords aren't the problem. Stupidity is.

[Read the following two parts of this series: Bypassing The Password, Part 2: Trusted Identities and Bypassing The Password, Part 3: Freedom Compromised.]


Joe Stanganelli is founder and principal of Beacon Hill Law, a Boston-based general practice law firm. His expertise on legal topics has been sought for several major publications, including US News and World Report and Personal Real Estate Investor Magazine.
Comments
chrisrut, User Rank: Apprentice
4/27/2015 | 6:50:37 PM
Stick to your law practice...
After 40 years in the industry (my boss in the 80s was the author of the "Orange Book" - look it up) I believe this among the most poorly conceived and researched articles on the subject I've ever read. Dangerously so.

It is important to understand that passwords provide an unbounded and easily compromised attack interface. Any user, including you or I, can be manipulated by social engineering into giving away the keys to the castle. Biometrics offer an alternative to passwords that make it harder for an attacker to compromise the question of identity.

Is Microsoft's Windows 10 technology ready for prime time? I won't know until it has been thoroughly evaluated. But I do know that passwords have overstayed their welcome and I believe Microsoft should be applauded for their efforts rather than chastised.

Having said that, I agree with other commenters who stress the need to make systems more secure in and of themselves: indeed, as it stands a careless click on a malicious link can defeat even the best authentication scheme. But that's no excuse for perpetuating a horrendously flawed system based on passwords.
HAnatomi, User Rank: Apprentice
4/23/2015 | 3:12:43 AM
fallback password
Threats that can be thwarted by biometric products operated together with fallback/backup passwords can be thwarted more securely by passwords alone. We could be certain that biometrics would help for better security only when it is operated together with another factor by AND/Conjunction (we need to go through both of the two), not when operated with another factor by OR/Disjunction (we need only to go through either one of the two) as in the cases of Touch ID and many other biometric products on the market that require a backup/fallback password, which only increases the convenience by bringing down the security.
moarsauce123, User Rank: Ninja
4/22/2015 | 7:35:27 AM
Passwords have one huge advantage
You can change a password quickly and easily...try that with finger, face, or iris.
vnewman2, User Rank: Ninja
4/21/2015 | 2:34:22 PM
Re: hope
@jamieinmontreal - Exactly! Completely preventable and one of those things that falls through the cracks probably all of the time. Most times it doesn't matter - no one would ever notice. This time it did matter - and WOW - what a costly mistake!
jamieinmontreal, User Rank: Apprentice
4/21/2015 | 1:26:37 PM
Re: Passphrase
@Shamika - think how a hacker gets in... either they steal a password through its careless reveal (post-it note on workstation, list of "secret passwords" on a stolen phone), brute force a weak password, phish / social engineer it from a user, keystroke logging, session monitoring...

Passphrase is certainly better than most passwords, but it shares some of the inherent weaknesses.

Multi-factor authentication is a little better still.
jamieinmontreal, User Rank: Apprentice
4/21/2015 | 1:19:57 PM
Re: hope
Good points, and worth noting that there's a difference between the passwords for one user on many systems (you and I logging in to our day-to-day workstations, applications, etc.) and the admin passwords where one system is being accessed by multiple users.

There are tools to cope with both, and in the case of Target, the credentials with privileged access could have been managed so that the hacker wouldn't have been able to get in using the same password after their initial attempt. Given that the hacker was in there for months to get the info they wanted, it's reasonable to assume this could have been prevented.
vnewman2, User Rank: Ninja
4/20/2015 | 8:18:56 PM
Re: hope
All of the security breaches have one thing in common: human error. For instance, in the case of Target, it was a third-party vendor who had access to Target's servers, and the attack was orchestrated using that vendor's credentials because SOMEONE didn't do their due diligence with regard to the vendor and the security measures THEY employ.

If you're going to let someone in your house, you best do the legwork on what goes on in THEIR house first.  IMO.
mak63, User Rank: Ninja
4/20/2015 | 4:22:59 PM
hope
After reading the Adobe paragraph, I was losing my hope of ever being secure from hackers. Luckily the author mentions multifactor authentication and common sense. I think that's the best way to go.

Maybe Cortana can ask us a few questions as well. Just to be sure.
shamika, User Rank: Ninja
4/20/2015 | 11:46:20 AM
Passphrase
If we use the above mechanism when generating our password, will it protect us from hackers? This is complex but can still be remembered easily.
shamika, User Rank: Ninja
4/20/2015 | 11:39:30 AM
Re: Password or Password Management issue
"Many password reset methods can be problematic -- especially when those in charge of the resets fail to follow proper procedure and policy". Absolutely. I had a bad experience where I had to ask the IT team to reset my password since I had not followed the proper procedures.