It's time to delete that hunter2 password from your Microsoft account, says IT giant

From this week, Microsoft won't require you, or your password manager, to come up with strings of letters, numbers, and special characters forming a silly sentence or a reconfiguration of an ex’s name and birthday to access the Windows giant's services. That is to say, you can delete the password from your Microsoft account, …

  1. Potemkine! Silver badge
    Mushroom

    What a nice move: It associates your Windows installation with a device linked to a physical, nominative person and which tracks users' moves by GPS. Privacy is so 20th century....

    Connecting anything with a phone is such a brilliant idea: lose it, break it or have the phone stolen, and then you cannot log in to your PC anymore.

    1. ShadowSystems

      Exactly...

      What if you use a physical UbiKey to authenticate yourself, but then misplace the danged thing 'cuz yer gettin' old 'n forgetful? Like when you turn the house upside down to find your glasses only to scratch your head in confusion & realize they've been sitting atop your skull the entire time. Only the device is much smaller & easier to misplace. You'll spend hours tearing the house apart, finally give up in frustration, go to get some ice out of the freezer to apply to your throbbing forehead and find the fekkin' thing sitting atop the frozen peas. It's almost like MS is *taunting* Loki & chortling "Do yer worst, ChaosBoy!" What could possibly go wrong? Don't bother answering that one, we all know the favorite reply of Murphy is "Here, let me show you!"

      1. jonathan keith

        Re: Exactly...

        If you're using YubiKey, the advice is that you have two keys, and to keep the second in a safe place as a fallback if you lose your principal key.

        1. Mishak Silver badge

          "in a safe place"

          I know someone who tried that. Had the keys for years, lost the one in daily use and couldn't remember where the "safe place" used for the other was...

          1. Anonymous Coward

            Re: "in a safe place"

            There's no cure for "stupid" ;)

            1. Charles 9

              Re: "in a safe place"

              We better find one, then, before Stupid takes the rest of us with it...

          2. nonpc

            Re: "in a safe place"

            The answer (as always) to that is to buy/make a replacement, and when you go to put it in a safe place you find that is where your old one is...

          3. Philip Stott

            Re: "in a safe place"

            Sort of been there and done that.

            I use eWallet as a password manager.

            For a couple of years I used it exclusively on my phone (instead of the desktop version which asks for a password every time), unlocking it with my fingerprint.

            After an update it wouldn't let me unlock with a fingerprint and started asking me for the master password again, which I couldn't remember (it's 16 characters of nonsense).

            It took me a couple of weeks of daily bum-clenching horror that I couldn't remember it, thinking of all the grief it would cause, until (well lubricated on a Friday night) the password hint phrase - Embiggen not TizWoz - I'd set finally made sense.

          4. jvf

            Re: "in a safe place"

            Had a spare car key tucked under the fender in a magnetic key holder box for “that occasion”. Locked my key in the car one shopping trip, reached under the fender and felt around where the box used to be. It was shocking how quick and easy it was for a helpful onlooker to unlock the door with a coat hanger.

        2. Snake Silver badge

          Re: YubiKey, et al

          These physical security keys are a horrible idea, in terms of 'absolute' security, that is. By existing as a physical object, did you know that the plod can subpoena the device and if you don't relinquish it you are in contempt of court?

          However, a code - PIN, password, etc. - is personal information and cannot be forced from you. You are free to uphold your rights to silence, to no self-incrimination, and keep the information to yourself. The court has no recourse as this right (speaking as an American) is constitutionally guaranteed.

          1. Charles 9

            Re: YubiKey, et al

            But what if your memory is SO horrible that YOU can't recall that stuff? I have to regularly deal with people with such terrible memories that even "correcthorsebatterystaple" turns into "donkeyenginepaperclipwrong".

            What solutions do you propose for those kinds of people, especially those with no one to look after them?

          2. Anonymous Coward

            Re: YubiKey, et al

            Reminder called for:

            https://xkcd.com/538/

            1. Charles 9

              Re: YubiKey, et al

              I've always pictured two ways this could go wrong:

              - The victim is a kinky masochist and actually likes the wrench.

              - The victim is a total wimp who faints at the mere sight of the wrench, meaning they can never keep him awake long enough to disclose.

      2. Arthur the cat Silver badge

        Re: Exactly...

        Like when you turn the house upside down to find your glasses only to scratch your head in confusion & realize they've been sitting atop your skull the entire time.

        I'm confused. Are you me?

        1. Paul Crawford Silver badge

          Re: Exactly...

          Or me. Or are we all Spartacus?

          1. Anonymous Coward

            Re: Exactly...

            I broke the dam.

      3. Anonymous Coward

        Re: Exactly...

        Richard Osman said that he had once been hunting high and low for his mobile without success. He then decided it would be a good idea to phone it to reveal its hiding place, only to discover the phone he was about to use was the phone he had been looking for... it had been in his hand all the time!

        I had a mate who got to work and discovered he had forgotten/mislaid his pager and kept phoning it while his missus searched the house for it. He was later called by the garage, who had been servicing his car, to say they had ripped out the dash trying to track down a strange intermittent beeping.

    2. chuBb.

      No less privacy than logging in to whatever service you need in the first place.

      If you're really concerned about privacy, get proactive: old phone in a drawer, root it, install a hardened droid OS, keep it in flight mode, only connect to trusted WiFi and only install the authenticator app of your choice (preferably sideloaded, with the app store neutered).

      By and large this is a good thing for corp IT (phishing and RAT attacks will be less effective), and power users will bother for personal accounts; Aunty Doris will still rely on rover1966 for everything and be shocked and horrified that the nice African prince she's been emailing is in fact a scam.

    3. ACZ

      No GPS required

      You don't have to use the MS authenticator app - Authy, Google Authenticator etc all work as well - IETF RFC 6238, I believe. The only permission that Authy has got on my phone is Camera, so no GPS.
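An added example, not code from the comment above or from any of the authenticator apps it names: a minimal RFC 4226 (HOTP) / RFC 6238 (TOTP) generator and verifier, checked against the RFCs' published test vectors. It shows why every app that implements the RFC derives the same six-digit code from the same shared base32 secret, and how a server side verifier handles clock skew and replay. The base32 string and the `last_counter` replay check are illustrative assumptions.

```python
"""Minimal RFC 4226 (HOTP) / RFC 6238 (TOTP), as an added example.

Any app implementing these RFCs (Authy, Google Authenticator, Microsoft
Authenticator, ...) computes the same code from the same secret and the
same 30-second time step; the app does not need GPS or network access,
only a correct clock.
"""
import base64
import hmac
import struct
import time

# Reference secrets from RFC 4226 / RFC 6238 (the ASCII digit strings).
RFC_SECRET_SHA1 = b"12345678901234567890"
RFC_SECRET_SHA256 = b"12345678901234567890123456789012"
RFC_SECRET_SHA512 = b"1234567890" * 6 + b"1234"


def hotp(secret: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 4226: HMAC over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte picks the window
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30,
         digits: int = 6, algo: str = "sha1") -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits, algo)


def secret_from_base32(enrolment_secret: str) -> bytes:
    """Decode the (usually unpadded) base32 secret from an enrolment QR code."""
    cleaned = enrolment_secret.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)          # restore padding base32 needs
    return base64.b32decode(cleaned)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                last_counter: int = -1, step: int = 30,
                window: int = 1, digits: int = 6):
    """Server-side check allowing +/- `window` steps of clock skew.

    Returns the matched counter so the caller can persist it and refuse a
    replayed code within the same step (assumed bookkeeping, not from the RFC),
    or None if nothing matched.
    """
    if not (submitted.isdigit() and len(submitted) == digits):
        return None
    current = unix_time // step
    for candidate in range(current - window, current + window + 1):
        if candidate <= last_counter:
            continue                              # a TOTP code must be single-use
        if hmac.compare_digest(hotp(secret, candidate, digits), submitted):
            return candidate
    return None


if __name__ == "__main__":
    enrolment = base64.b32encode(RFC_SECRET_SHA1).decode()
    print("secret as an app would enrol it:", enrolment)
    print("current code:", totp(secret_from_base32(enrolment), int(time.time())))
```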

    4. Richard Jones 1
      FAIL

      Or Just Work Where No Mobile Service Works

      The reason for not opting in appears above, juggling with my phone is a total pain in the behind and jumping through other hoops is for the birds, not for me, thank you.

    5. bombastic bob Silver badge
      Trollface

      Connecting anything with a phone is such a brilliant idea: lose it, break it or have the phone stolen, and then you cannot log in to your PC anymore.

      With this, when things go wrong, they go REALLY wrong

      (don't forget to let your phone do credit card account purchases also, so that anyone stealing your phone has more access than if they stole your wallet and forged your identity - and let it stick out of your back pocket while you're at it so that you butt-dial and crack the screen sitting on it, and also make it easier to steal)

  2. LenG

    No MS account

    Are we approaching a point where I will have to have a M$ account just to log into my Windoze desktop machine? Time to start migrating my games to linux ... after all, games are the only good reason to have windoze to start with.

    1. chuBb.

      Re: No MS account

      Bad news: that happened with the Win 10 Creators Update 2 years ago. You have to jump through quite a few hoops on a fresh Win 10 install to create a "limited" local account and not use one linked to Azure AD...

      1. LenG

        Re: No MS account

        Last time I installed a fresh Win 10 (Pro), last year, it was easy enough to bypass the M$ account restriction by disconnecting from the internet at the right point. When it cannot reach the M$ servers it allows you to continue with a local account and doesn't demand any change after you reconnect.

        1. bombastic bob Silver badge
          Thumb Up

          Re: No MS account

          nice trick. I have not done a 10 install in a while and I always had to find the right stupid buttons to press in the correct order in order to set up the initial account as a local account. Micros~1 really DOES strong-arm you into using their privacy-violating "cloudy" logon.

          I shall remember this trick in the future, next time I need a fresh Win-10-nic VM. Does it work with 11???

          1. Pedantic

            Re: No MS account

            Yes

        2. Bartholomew

          Re: No MS account

          As much as Microsoft want you to use their online account they still need to support computers with no direct Internet connection (for now).

          1. Ken Hagan Gold badge

            Re: No MS account

            "(for now)"

            Make that "forever" if they want any share whatsoever of the market for industrial IT.

    2. Charlie Clark Silver badge

      Re: No MS account

      Already there and beyond. It's no longer possible to set up Outlook manually for an on premise Exchange – I hate Outlook but need to be able to use it to help the users better.

      1. Anonymous Coward

        Re: No MS account

        run: outlook.exe /manageprofiles

      2. Jakester

        Re: No MS account

        You can set it up manually, but you have to modify the registry. This started with Office 2016, probably a programming bug, but even if you click the manual setup box, it would still do a simplified setup that almost always is wrong. Here is the link - https://support.microsoft.com/en-us/topic/how-to-disable-simplified-account-creation-in-outlook-2016-outlook-2019-and-outlook-for-office-365-662bf4f8-c357-dbc8-53b3-ff8f445e8247

    3. MCG

      Re: No MS account

      What's so bothersome about setting up an MS account? You don't have to give any personal info, not even a mobile number. Too much effort?

      1. seven of five

        Re: No MS account

        It's a matter of principle.

      2. Wade Burchette

        Re: No MS account

        It is none of Microsoft's business -- and by extension neither is it Google's, Facebook's, et al.'s business -- what my email address is, what my phone number is, where I am at, what websites I browse, or what I do with the software that I paid for.

      3. bombastic bob Silver badge
        Unhappy

        Re: No MS account

        youuuuuuuu've read the EULA, haven't you?

      4. trindflo Bronze badge
        Stop

        Re: No MS account

        For me it is that they want to be my password manager. That feels way too much like I'm being Borged. I want to buy a product from Microsoft and not have them installing themselves as some bawab. What if they decide I've been naughty and shouldn't be allowed in?

  3. Paul Crawford Silver badge

    So this app is on your phone, which many also use to access their services (yes, even though MS stuff sucks on phones even more than Windows desktop...) so other log-in details are probably saved. So if you have the phone you are probably a 4 digit code, partly smudged on the screen already, away from full access to all MS services?

    And if your phone is lost/stolen, how do you authenticate yourself to assign a new one?

    1. Chris G

      The only Windows thing that goes through my phone is Outlook and I intend to keep it that way. I also have a minimum of apps, and those I do have only get the permissions that are absolutely necessary.

      What permissions does the authentication app want on your phone, as a matter of interest?

      If this is forced on us, it will be yet another reason to jump ship, why should I need to fire up one device in order to fire up another?

      Doesn't sound much like progress to me.

    2. Anonymous Coward

      "And if your phone is lost/stolen, how do you authenticate yourself to assign a new one?"

      1) Multiple devices, synced (*). This is easy, I've been doing it for years with the right authenticator app. In the case of Microsoft, you just put Authenticator on your iPad or spare phone or whatever as well as your main phone - they all then beep when you try to sign in anywhere.

      2) Recovery codes. Bit of a pain as you need to store them securely somewhere - either on paper in a safe or in an app that securely syncs (*) or is accessible (*) on different devices. User education ('do not panic!') is quite tricky here.

      3) Rely on your IT admin to be able to reset the access on your account for you. Obvs no cop for personal accounts.

      (* avoiding the subject of how secure, or not, syncing devices across the 'cloud' is etc).

      1. Anonymous Coward
        Unhappy

        So I've got to buy a spare phone now. And figure out where to keep it where it can never be stolen.

        Or a safe.

        Thanks for nothing.

      2. Paul Crawford Silver badge

        2) Recovery codes. Bit of a pain as you need to store them securely somewhere

        Good idea, we could always call them a password?

        1. bombastic bob Silver badge
          Devil

          I use KeePassXC to store things _LIKE_ account numbers and recovery codes and things of that nature (in addition to passwords). It has sections for that kind of thing. The kdbx file is kept in my private source control repo and is copied to several machines.

          don't need it on a phone.

  4. Shak

    There and back again

    So after pushing 2FA for yonks, the advice is to go back to a single factor again?

    Or is this just a fancy system generated password in disguise?

    1. Geoff Campbell Silver badge
      Boffin

      Re: There and back again

      No, this is still 2FA. You need the device with the authenticator App installed, plus a biometric confirmation.

      GJC

      1. Shak

        Re: There and back again

        Both of which are things you have (vs something you know). But maybe there's some reduction I'm missing.

        1. Charles 9

          Re: There and back again

          Thing is, how can you use something you know when your memory is not reliable enough for one to know anything?

  5. Anonymous Coward

    A pain in the rear end

    We have this on our work phones.

    Notification comes in.

    Unlock work phone with PIN because it is a Samsung and the fingerprint sensor sucks.

    Enter same PIN used to unlock phone.

    So I end up entering the same PIN twice.

    1. Anonymous Coward

      Re: A pain in the rear end

      You're holding the phone (first factor: the phone)

      Only you can unlock it (second factor: you)

      = Two factor authentication. Both must be present.

      1. Anonymous Coward
        Trollface

        Re: A pain in the rear end

        It's not two factor, since the PIN or whatever is dependent on the phone. One is not independent of the other.

        If the phone - a single thing - gets compromised then you're up shit creek.

    2. tonique

      Re: A pain in the rear end

      At $work, we are required to use a six-number pin so I have to enter that twice. No, you can't use the fingerprint reader.

    3. FrankAlphaXII

      Re: A pain in the rear end

      Yeah, after my Pixel 2 finally died I wound up saddled with a Samsung and the fingerprint sensor really sucks. I cannot wait to get a Pixel 5a or 6 just to not have to deal with this damned thing's sensor that works maybe 1 time out of 15 attempts. It reminds me of the blood vessel geometry scanners on some SCIF doors that always fucked up when I was in the Army. Or the hellspawn that was our USB fingerprint readers we had to use to biometrically authenticate with if for some reason we weren't using our CAC readers (or if, surprise surprise, the damned Smartcard readers or their firmware broke).

      We use PingID where I work now and before I log in I usually have the phone unlocked so I don't have to screw around with the Biometric nonsense since it hardly ever works.

      The more things change and all.

    4. Anonymous Coward

      Re: A pain in the rear end

      So I end up entering the same PIN twice.

      I guess you're the sort of person who uses the same password everywhere too though, so you've already failed Basic Security.

      Microsoft don't restrict PINs to being just digits, so for my work PC (which switched to using some of this a while ago) my 'PIN' is a 12 character continuation of the password scheme I was using before which is unique to that machine.

      I don't have to authenticate to log into Windows. (Maybe that's something specific our IT have setup, or maybe that's something coming soon.) I (currently) only need to authenticate when I need to access other work-related resources online that are connected to my Windows account, and there the flow is:

      Enter my account password.

      Unlock my phone with a PIN.

      Tap Approve in the authenticator app.

      Confirm (I know, I know) with my fingerprint. (Or a different PIN.)

      If I don't have my phone handy, there's a button in the login panel that (presumably) gives me other options for authentication.

      1. 42656e4d203239 Silver badge
        Joke

        Re: A pain in the rear end

        >>Microsoft don't restrict PINs to being just digits

        Surely they shouldn't be called a PIN then?

        After all that's Personal Identification Number, isn't it?

        Surely there is a better term for a 12 character collection of glyphs; how about "Personal Identification Code" or even, shock horror, "Personal Authorisation String Sequence With Only Repetition Denied"?

        I am sure others can come up with a better backronym for PASSWORD but that's a start!

        1. Anonymous Coward
          Coat

          Re: A pain in the rear end

          I think you need to come up with a backronym for PASSWORDANDNUMBERSANDSPECIALCHARACTERS. ;)

          1. Charles 9

            Re: A pain in the rear end

            How about a solution for people with really bad memories. And I mean SO bad that "correct horse battery staple" doesn't work.

  6. Hubert Cumberdale Silver badge

    What stood out to me from this was the idea of logging in to MS Edge. Two questions: (1) There's little enough privacy on the internet as it is, so why would I ever do that? (2) Who actually intentionally uses Edge (as in, you know, anyone who hasn't been tricked into it by MS because they simply don't know any better)?

    1. Anonymous Coward

      Answer to #2: anyone whose email still ends with "@aol.com" and thinks the word "Internet" begins with a big, blue "e".

  7. Chris G

    Looks like one of the developers is reading the comments!

  8. pklausner

    Microsoft is dogfooding their own advice on Azure VM...

    become root w/o any authentication whatsoever

    https://twitter.com/amiluttwak/status/1437898746747097090

    1. Conor_O

      Re: Microsoft is dogfooding their own advice on Azure VM...

      Kevin Beaumont (@GossiTheDog) has been talking a lot about Azure lately and this is just the latest massive clusterfsck in a list (the first being CosmosDB and then AzureScape). His post also noted the irony:

      "The good thing about #OMIGOD, a vulnerability where no password is needed to remotely execute code on Azure VMs, is MS announced it the same day as going passwordless!"

      That animated gif you linked to illustrates the OMIGOD vulnerability nicely. Don't know the password? Ah sure just leave off the Authentication header in the POST request. Root.

      Not to mention the omiagent user that gets created with no password and a shell of /bin/bash. It also has a sudoers file referencing scripts that are editable by omiagent. Root again.

      Kevin's thread: https://twitter.com/GossiTheDog/status/1437896101756030982

  9. Mage Silver badge
    Alert

    Bonkers

    The problem isn't passwords, but bad password management.

    1. Charles 9

      Re: Bonkers

      And the problem with password management is people with poor memories.

      Now was that "correcthorsebatterystaple" or "donkeyenginepaperclipwrong"?

  10. Anonymous Coward

    password and oldies

    Clearly none of these "ideas people" look after old people. Trying to get them to keep passwords unique is hard enough. Expecting them to now have a mobile phone just to use their home PC is a bit bonkers.

    Security has to fit the users. The oldies I look after get physical address books to keep these kinds of details safe in. It means when they are then ill someone else can pick up and look after their accounts. If everything is locked up in a 2FA phone it will cause huge problems when someone has a stroke. (And most oldies I work with don't even have smart phones)

    I had one like this last year. Thank gawd he had put his passwords into a spreadsheet so his wife could find them and continue to run the house.

    By having password access on a computer you at least have a fallback access to the machine when someone (and their phone) ends up in hospital.

    1. Richard Jones 1

      Re: password and oldies

      In my mid-seventies, I do not consider I'm an oldie, but you earned an up vote for simple common sense. My wife is seriously ill, looking after her and a disabled daughter's affairs is close to a nightmare anyway. There is no need to make my nightmares worse.

    2. Charles 9

      Re: password and oldies

      "Security has to fit the users. The oldies I look after get physical address books to keep these kinds of details safe in. It means when they are then ill someone else can pick up and look after their accounts."

      That also makes them vulnerable to Evil Maid attacks, which tend to happen a lot with the elderly for that very reason. Watch enough crime shows and you'll see that move turn up.

      1. Ken Hagan Gold badge

        Re: password and oldies

        And the evil maid is probably more aware of how to access the phone than the actual user in those cases.

  11. Cuddles

    When is a password not a password?

    "a verification code sent to your cellphone or email inbox"

    So instead of using a password to log into my MS account, I can instead use a password to log into my email account. I'm not clear how this is supposed to be an improvement, or indeed how it is in any way passwordless.

    Even using a phone doesn't appear to help matters. Sure, it effectively forces 2FA. But requiring unlocking a phone and nothing else must always be worse than unlocking the same phone and also requiring a password. And since unlocking a phone still requires a password, it's simply nonsense to claim it's passwordless. In particular, Android phones (don't know about Apple) require a backup password, so even if you normally use your finger or face to unlock it, there's always a standard password waiting in the wings to be compromised.

    So the whole thing seems completely pointless. There are so many holes and backup options in the system that it will be just as vulnerable as ever to compromise, while being strictly worse than just requiring standard 2FA.

  12. TeeCee Gold badge
    Facepalm

    I'm sure that all works a treat when you're trying to log into a machine to find out why it can't get a network connection.

    They have thought of that.......right.....?

    1. Pirate Dave Silver badge
      Pirate

      It's Microsoft, so of course they have considered this scenario.

      However, it's never happened in Redmond, so they've decided it will never happen anywhere and have designed accordingly...

  13. Pirate Dave Silver badge
    Pirate

    Oh...

    "In a Twitter poll, 20 per cent of respondents"

    Ah, so MS is basing their design decisions on Twatter polls now? We are well and truly fucked.

    IT is over, time to turn out the lights.

  14. Jim-234

    So another round of blaming users and passwords.

    How about companies stop being cheap asses about security, so criminals don't keep going in the back door and stealing all the customer information (including passwords) right out of their databases?

    It seems there is no actual punishment for lax security policies at big companies that let criminals walk away with entire databases of hundreds of millions of users and all their passwords and details.

    But oh those same users should have to pay more / jump through more hoops because nobody seems to want to pay to keep their servers properly secure?

    And your "recovery pin" is essentially a password, so when that database is stolen... ??? Let me guess, they will say it's all the users' fault..

  15. PaulVD
    Joke

    But biometric identification is not secure either

    People keep reusing their fingerprints on different sites.

    1. Anonymous Coward

      Re: But biometric identification is not secure either

      Acknowledged, posted in jest - but how is this prevented?

      I bit the bullet and purchased a separate 2G phone for 2FA in connection with my usable smartphones. Yes, it's a PITA but the 2G phone rarely leaves my house, and the battery lasts a month. If I forget to carry it, and it's needed outside my house, there's an alternative number registered to a 3G smartphone that I usually carry outside my house, that authenticates a transaction with a unique passcode. This works. WTF is Microsoft trying to do, other than expand their sales of customer data that they can force?

      My debit card is authorised up to £30 per signature/login-free transaction in supermarkets, my credit card is also authorised up to £100 per transaction and pays commission on payments, so I use it. It would be dangerous if an unauthorised person got hold of it, but that rather depends on the algorithm before my bank requires a PIN. I cannot see what Microsoft is offering better. Anybody - any suggestions please.

  16. petef

    Good while Authenticator works

    This afternoon my broadband dropped out twice for a few minutes at a time. Openreach are rewiring the cabinet round the corner from me. On both occasions I could not reconnect to my company VPN because Authenticator failed to respond. I reset the phone which seemed to jolt it back into life.

  17. Tron Silver badge

    F2FA.

    I hate 2FA with a passion. Clicking the 'I am not a robot' box, counting the tiny thumbnails of tractors and then having to get a text on a dedicated phone just to buy something for two quid on ebay. THIS IS TOO MUCH EFFING AUTHENTICATION.

    Now migrating it to m$? No. Take it and stick it up your back Gates.

    I would rather use Linux. I would rather use Apple. I would rather use an Amiga. I would rather send a fax. I would rather contract an STD.

    Password are fine. Just give idiots and simpletons another option.

    For those with limited comprehension in MS management, that is a NO.

    1. Ken Hagan Gold badge

      Re: F2FA.

      "I would rather contract an STD."

      Hmm. That depends on the means of transmission, surely.

  18. Ace2 Silver badge

    Use an app at $work for this

    The authenticator app is fine, I guess. But if you go and look at its reviews on the App Store, there are hundreds of people on there complaining that they enabled it for their Idiotgram account, but then broke or lost the phone, and found themselves locked out. FOREVER. You have to set up some sort of backup / recovery thing or your account is unrecoverable.

    1. AndrueC Silver badge
  19. Purple-Stater

    Lost & Found Problems

    I'm a hotel manager. My Lost & Found ends up with at least a couple smartphones a month, either left behind in rooms or dropped in the parking lot. Roughly 50% of the owners are able to be identified because they had no sort of security settings on their phone.

  20. oehmsmith

    What about every other site

    The comments have been honing in on MS so far. But their vision of a passwordless future requires that all sites are able to participate. Will we use a similar system to OAuth now, where we can have a couple of big players who "represent" you? I don't use OAuth much as I don't want them building a picture of me. Yes, yes, I know - the Facebook JavaScript on a page I visit gives me away anyway - that is just as evil and must change (I use Facebook Container in Firefox to prevent this tracking). Also these handful of Identity Providers could be a central point of failure.

    SQRL (Squirrel - https://www.grc.com/sqrl/sqrl.htm, https://sqrl.grc.com/pages/what_is_sqrl/) is an easy to use, fully secure and anonymous auth system. I have no affiliation excepting being a listener to the Security Now podcast (which I can't recommend enough - https://www.grc.com/securitynow.htm - part of the TWIT network).

    1. Charles 9

      Re: What about every other site

      Paul Rogers may have something to say about SQRL.

      https://paulrrogers.com/2019/12/sqrls-fatal-flaws/

      Also read this.

      https://security.blogoverflow.com/2013/10/debunking-sqrl/

  21. hoola Silver badge

    What about MFA?

    I thought that the push has been towards MFA; now, unless I have been asleep for the last few years, my understanding is that MFA stands for Multi Factor Authentication.

    Removing one of the forms of authentication and just using an App on an additional device is not Multi Factor; it may be Multi Device, but that is a different issue. Both are likely to be in the same place at the same time and the actual authentication could even be initiated on the very device that is being used.

    To me this looks like a smoke and mirrors thing where, for some reason all sorts of Apps and recognition doohicky bits are perceived to be more secure.

    Surely you need at least one part of the authentication that is dynamic and committed to memory.

  22. Nisseparlemo

    Why is this still something we dispute???

    I have been working with IT Security for many years, actually worked for the first Swedish company who publicly announced that they had been hacked. Guess how the intruders got in through our modem pool? (drum roll) ----> Username + static password!

    This was over 30 years ago!

    How come we are still stuck with the same, extremely poor, way to secure our assets?

    The sad fact is that most “people” don’t care about their IT Security, they just want to get on with their day.

    I’d like to compare IT with the car industry.

    When cars were first introduced, there were no rules, no driver’s licenses, no street lights, etc. On top of that you had to make sure you brought spare parts and mechanical knowledge to keep the car going. Plus, of course, not to mention that driving the car was a real danger for both the driver, passengers as well as pedestrians. Who knew if those brakes would function the next time?

    Fast forward to now. Take a modern car with all its security features, a sane driver with a driver’s license following the regulations (keep to the speed limit, follow the street signs, stay in your lane, etc). I would argue that it is extremely difficult to get yourself injured or killed under these circumstances.

    How many people drive around with a driver’s license, an inspected car, air bags, ABS, etc? I’d say the majority is following the rules or “best practices”. Why is that?

    Hmm, maybe because it is illegal to drive without a license?

    Maybe you would feel unsafe driving around in a car without functioning headlights?

    Whatever it is, there is a certain threshold of security we want to see before driving away in a car and this I would call “common sense”. Ever heard of that?

    But, when we talk about security in IT, it seems like we prefer to totally forget about “common sense” and instead just go for the easiest way out. Security is just a hindrance.

    But, as the article points out, one of the main entry points for successful attacks is through usernames/passwords, and I cannot understand how we can still argue all day long about how important and vital it is to keep this big vulnerability in our IT systems.

    For elderly people (older than myself) the way I have done it is by using common password manager vaults and/or multiple authentication methods. For instance, I have linked both my older relatives' devices as well as one of my own devices to their accounts. That way I can help them to log in when needed. And this is a relief for all of us. Just imagine being able to help your father without having to travel every time!

    Since we are moving towards password-less solutions, the need to remember passwords (and usernames) is going away. I am a big fan of this technology since it truly makes our life more secure and easier (yes, I hear the arguments against easy, but once you are over the hill, the pastures are green. I made it over that hill years and years ago..)

    For myself, I have 100’s of accounts, mixtures of all kinds of logins but I don’t have to remember any password. If the service I log in to only supports username/password, I keep this in my password vault and for the most part enjoy automated login. For all other logins, I am using an app or a physical security key.

    My hope is to one day find that the world has become a safe place!

    1. Anonymous Coward
      Anonymous Coward

      Re: Why is this still something we dispute???

      Fine in theory - until Microsoft's database is breached - then what?

  23. mdubash

    And if you use a password manager to generate and use long, obscure passwords, will MS insist that you throw that away?

  24. Msitekkie

    But where are all the Windows Hello keyboards?

    Great idea, but where are all the keyboards with Windows Hello support? I have been looking to change over to fingerprint recognition since Windows 10 was launched, but the hardware support just isn't out there (unless you buy a laptop).

    We have been using fingerprint recognition on our phones now for years and what a convenience boon, especially as banks and password managers are supporting it - another reason people are using PCs less...

    My latest attempt to move in this direction is to buy a really old Microsoft Internet Keyboard Pro with an integral USB port that I can try one of those USB fingerprint readers on - although as it will be hidden round the back, I will probably struggle to get the family to use it. Maybe I can customise the keyboard to fit it in a more prominent position.

  25. Snake Silver badge
    Trollface

    Re: What to do with bad memory?

    Don't give them a computer in the first place :-p If they are THAT bad then constantly having to remind them of what a "mouse" does must grow tiresome indeed.

    1. Charles 9

      Re: What to do with bad memory?

      Yes, but it's also become the ONLY way to check on a lot of important things like bank accounts, medical appointments, and senior benefits...

  26. whitepines
    Big Brother

    Anyone else notice the nice subtle change (at least in some jurisdictions outside Blighty) from a legally protected login key (password) to one that can be legally coerced or stolen (face ID, thumbprint, etc.)?

    Not that it matters much in the face of Microsoft's ability and willingness to sift through its users' data for any purpose in the first place!

  27. nonpc

    Coercive thieves are ahead of the game

    I saw a news article very recently that the modern equivalent of marching the vulnerable to the cash point and forcing them to withdraw cash can now be done from the comfort of their home or elsewhere, by forcing them to share the authentication codes that allow bank transfers to the criminals' interim accounts. Finger scans can be physically forced (although recognition is so variable there can be enforced lockout delays incurred even with normal use).

    What is needed is an emergency authentication PIN as well as the normal one, but this one alerts the system that this is an enforced criminal act, appears to allow the transactions through but activates tracking etc., hopefully letting the victim off the hook but catching the bigger fish (or phish)...

    1. Charles 9

      Re: Coercive thieves are ahead of the game

      Thing is, duress codes are tricky. Savvy crooks would be aware of these and have ways to coerce you into using the real code instead of the duress code, such as keeping a hostage.
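The "emergency PIN" idea from nonpc's comment, sketched as an added example (constructed for this thread, not code from any bank, vendor or the article). The design point it shows is that the user-visible response to the duress PIN must be byte-for-byte identical to a normal success, so the only difference lives server-side: a silent alert is recorded and the transfer is marked held rather than settled. The account object, `Outcome` enum and `attempt_transfer` helper are all hypothetical; the PIN values and PBKDF2 parameters are constructed sample settings.

```python
"""Duress-PIN verification sketch (added example, hypothetical API).

Both the normal PIN and the duress PIN are stored as salted PBKDF2 hashes.
verify() computes one hash and compares it against both stored hashes every
time, so a wrong PIN, the real PIN and the duress PIN all cost the same.
The caller then makes the visible reply identical for ACCEPT and
ACCEPT_DURESS and keeps the difference (alert, hold) entirely server-side.
"""
import hashlib
import hmac
import os
from enum import Enum


class Outcome(Enum):
    REJECT = "reject"
    ACCEPT = "accept"
    ACCEPT_DURESS = "accept_duress"  # must look like ACCEPT to the user


def _hash_pin(pin: str, salt: bytes) -> bytes:
    # Iteration count is illustrative; a real deployment tunes it to hardware.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class Account:
    """Constructed account record holding a normal PIN and a duress PIN."""

    def __init__(self, pin: str, duress_pin: str):
        if pin == duress_pin:
            raise ValueError("duress PIN must differ from the normal PIN")
        self.salt = os.urandom(16)
        self.pin_hash = _hash_pin(pin, self.salt)
        self.duress_hash = _hash_pin(duress_pin, self.salt)
        self.alerts = []        # silent, server-side only
        self.held_transfers = []  # transfers accepted on screen but not settled

    def verify(self, candidate: str) -> Outcome:
        h = _hash_pin(candidate, self.salt)
        # Always evaluate both comparisons so timing does not reveal which
        # (if either) matched. compare_digest is constant-time.
        is_pin = hmac.compare_digest(h, self.pin_hash)
        is_duress = hmac.compare_digest(h, self.duress_hash)
        if is_duress:
            return Outcome.ACCEPT_DURESS
        if is_pin:
            return Outcome.ACCEPT
        return Outcome.REJECT


def attempt_transfer(account: Account, candidate_pin: str, amount: int) -> dict:
    """Return the message shown to the user plus an internal 'held' flag.

    The message for a duress login is deliberately the same string as for a
    normal login; only the server-side state differs.
    """
    outcome = account.verify(candidate_pin)
    if outcome is Outcome.REJECT:
        return {"message": "PIN incorrect", "held": False}
    if outcome is Outcome.ACCEPT_DURESS:
        account.alerts.append({"type": "duress", "amount": amount})
        account.held_transfers.append(amount)
        return {"message": "Transfer accepted", "held": True}
    return {"message": "Transfer accepted", "held": False}


if __name__ == "__main__":
    acct = Account("1234", "9999")  # constructed sample PINs
    print(attempt_transfer(acct, "1234", 500))
    print(attempt_transfer(acct, "9999", 500))
    print("alerts:", acct.alerts, "held:", acct.held_transfers)
```

As Charles 9's reply notes, this only helps when the attacker cannot tell which PIN was entered; the scheme does nothing against an attacker who can coerce the real PIN, which is why the visible output and timing of the two accept paths are kept identical and the hold is never surfaced to the session.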

  28. Adelio

    Thank goodness I never went down the route of creating and using a Microsoft Account. The less information I give them the better.
