Bypassing The Password, Part 1: Windows 10 Scaremongering - InformationWeek


08:06 AM
Joe Stanganelli

Bypassing The Password, Part 1: Windows 10 Scaremongering

Microsoft's hype of its upcoming biometrics system in Windows 10, spouting the virtues of biometrics over traditional password-based security, seems misguided at best -- misleading at worst.

Microsoft recently announced that it's building new biometric enhancements into Windows 10. The company boasts that its new biometric security platform -- with the friendly name Windows Hello -- offers support for facial, iris, and fingerprint scanning as a complete alternative to passwords altogether.

"[N]ot only is Windows Hello more convenient than typing a password -- it's more secure!" beams Microsoft VP Joe Belfiore in a company blog post justifying his claim of added security by implying that passwords inherently compromise security because they have to be stored on a device or a server.

This seems disingenuous -- or, at least, seriously misguided.

Passwords have their problems, to be sure, as they are typically only as good as the person making them. (One might call those who use "123456" as their passwords examples of InfoSec Darwinism waiting to happen.) Additionally, many password reset methods can be problematic -- especially when those in charge of the resets fail to follow proper procedure and policy.

Phishing, too, represents a significant password risk. Enterprising (if frequently artless) social engineers blast out spoof emails to get a user to click on a malicious link -- which then may trick the user into giving up his password with a phony login screen and/or installing malware onto the user's computer. Fortunately, phishing attempts can usually be spotted by the trained eye, and basic data security awareness and training can effectively combat password phishing. Some companies have been successful by sending fake phishing emails to their employees. Anyone who clicks on a link is informed that they would have fallen for a phishing scam and then compelled to take a quick online training course on the spot. Companies using this method, according to security consultant Chris Hadnagy, have seen up to a 75% reduction in successful phishing attempts.

Biometrics arguably are at least as problematic as passwords as a single-sign-on factor. Fingerprints have been shown to be easily hackable, as have iris and face scans. Indeed, security researchers have shown that fingerprints and other biometric markers can be phished and reappropriated just as easily as passwords can.

Although Microsoft boasts that Windows Hello allows users to be "more secure" by using biometrics to avoid storing passwords locally, it will reportedly store biometric credential data locally. This potentially allows a hacker or thief the same access to data pertaining to user login credentials -- password or no.

The problem with passwords is less an inherent one than a problem of password management. Significant password breaches have largely happened because of other vulnerabilities combined with a lack of sufficient (sometimes any) encryption. This was the issue Adobe had in 2013 when it suffered a potentially record-setting data breach that compromised more than 150 million customers' information. Adobe's encryption was weak overall, its backup systems relied on obsolete technology, its user password hints were stored in plaintext, and its user passwords were not salted and hashed -- making many of its user passwords easily guessable by even the most neophyte cryptologist -- and potentially compromising Adobe's encryption key entirely.
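To make the password-management point concrete, here is an added example (not from the article, Adobe or Microsoft) with a constructed set of three accounts: with an unsalted, deterministic digest, two users who chose the same password produce identical stored values, so one plaintext hint exposes both; a per-user random salt with a slow iterated hash (PBKDF2-HMAC-SHA256) breaks that linkage while still allowing verification.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # work factor for the slow hash

# Constructed sample data: alice and bob share a password, and hints are
# stored in plaintext, as the article says Adobe's were.
USERS = [
    ("alice", "Winter2013", "favorite season + year"),
    ("bob",   "Winter2013", "season I was born in"),
    ("carol", "hunter2",    "classic"),
]

def store_unsalted(password):
    """Weak scheme: deterministic digest, no per-user salt."""
    return hashlib.sha256(password.encode()).hexdigest()

def store_salted(password):
    """Better scheme: random 16-byte salt plus an iterated hash.
    Returns (salt, digest); both are stored with the account."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify_salted(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)

def shared_password_groups(records):
    """Group usernames by stored digest. Under an unsalted scheme equal
    digests mean equal passwords, so any one user's weak hint unlocks the
    whole group. Returns only groups with more than one member."""
    groups = {}
    for user, digest in records:
        groups.setdefault(digest, []).append(user)
    return [sorted(users) for users in groups.values() if len(users) > 1]

def demo():
    unsalted = [(u, store_unsalted(p)) for u, p, _ in USERS]
    salted = {u: store_salted(p) for u, p, _ in USERS}
    return {
        # expected: [["alice", "bob"]] -- the shared password is visible
        "unsalted_groups": shared_password_groups(unsalted),
        # expected: [] -- random salts give every account a distinct digest
        "salted_groups": shared_password_groups([(u, d) for u, (_, d) in salted.items()]),
        # every user can still log in with the salted scheme
        "salted_verify": all(verify_salted(p, *salted[u]) for u, p, _ in USERS),
    }
```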

Therefore, it would seem that as long as you don't have the hacking power of a nation-state working to infiltrate your systems, and you and your employees practice a modicum of intelligence, regular old multifactor authentication with a password component (combined with a biometric component, if you like) can be plenty secure. Passwords aren't the problem. Stupidity is.

[Read the following two parts of this series: Bypassing The Password, Part 2: Trusted Identities and Bypassing The Password, Part 3: Freedom Compromised.]


Joe Stanganelli is founder and principal of Beacon Hill Law, a Boston-based general practice law firm. His expertise on legal topics has been sought for several major publications, including US News and World Report and Personal Real Estate Investor Magazine. Joe is also ...
User Rank: Apprentice
4/20/2015 | 10:38:44 AM
Password or Password Management issue
Joe, an informative and entertaining read, thank you! I agree completely that the issues we face with password security are nothing at all to do with passwords in and of themselves and everything to do with their management.

I can't lay the blame on users choosing bad passwords or falling for phishing attacks, despite the undoubtable logic of that conclusion. Humanity isn't a hard-coded, logic-based setup by any means; automation and policy implementation are valuable precisely because of this.

Better management tools, better policies and removing mundane but somehow stressful decisions from the day to day of those users on all systems is simply a necessity and, as you rightly point out, there are several authentication methods available to support increased security. What systems have you seen deployed that make the most sense?

I'm looking forward to the next in the series.
User Rank: Strategist
4/20/2015 | 9:20:08 AM
Hacking happens AFTER you log on
Hacking happens after you log on: you get nailed by a drive-by shoot from some site that is suffering from "malvertising". Or you click on an eMail you think you need but which is actually a clever forgery, called "targeted phishing".

Once you are "pwned" you no longer know what your computer is doing.

There are two things needed IMMEDIATELY in the area of Computer Security:

(1) Use an operating system which will not allow itself to be compromised by an erratic application program, whether by error or by intent.

(2) AUTHENTICATE all transmittals, particularly software updates but also financial records such as forms 1040, online banking and the like, and also eMail.

You need both of these fixes.

Running with the current popular software is much akin to driving down the Dan Ryan Expressway on your inner-tubes.