Sunday, August 26, 2012

Windows 8 Password Security

[Retro-style static boot splash graphic in Windows 8.]
I installed Windows 8 Consumer Preview (and some earlier versions as well) into a VM so that I could have a look for changes in password security. After quite a few screenshots etc from CP, I decided to wait for RTM, so that I wouldn't have to an entirely new one if there were major differences. I'm happy I did that. Lets take a look at what we get with Windows 8 in terms of password security.

Password Length Limitation On Install

Quite a few people - including myself - made CAPSLOCK complaints on Twitter and in other channels when we discovered that when installing Windows 8, we were constrained to a maximum length of 16 characters for our password. This limitation is due to Microsoft; by default you will either create or use an existing Microsoft account (Xbox, Hotmail, Live, etc) for logging in to Windows 8. Yes, that's right; your new & shiny Windows 8 installation just became part of the "cloud".

In a blog post from the Windows team entitled "Inside Skydrive, Hotmail and Messenger - Keeping your Microsoft acount more secure" from July 15, 2012, you'll find a lot of answers - and a bit of confusion. 

First the positive part:
  1. The blog post has some good info on how Microsoft handles leaks from other sites, in order to protect their own customers.
  2. They list 7 actions you can - and should - do to protect your account better.
  3. Microsoft really seems to answer and care about the feedback they get.
Then the not-so-positive part:
  1. "MondayBlues" has the very first reply to the blog post, specifically pointing at the maxlen16 issue. He also mentions other limitations such as an inability to use certain special characters in password hints etc. While this makes sense in order to avoid mistyping questions or answers and increasing the risk of locking yourself out of your account, it doesn't make sense for those of us who wants to be just a bit more paranoid than the average user.
  2. The reply from Eric Doerr at Microsoft is good with lots of honest information, but it still raised my concerns about Microsoft practices. He writes: "Unfortunately, for historical reasons, the password validation logic is decentralized across different products, so it's a bigger change than it should be and takes longer to get to market." As I read it, Microsoft is launching a new product (Windows 8), with default security severely limited by a varied range of "old" products & services from Microsoft. I find that a bit difficult to understand, not even mentioning the "default-use-the-cloud" approach. (Please don't tell me you just do what Apple have already done a long time ago)
  3. Although the blog post is not about Windows 8, I hope & believe this is better explained somewhere else, because you can in fact bypass this maxlen16 limitation quite simply, as shown here:

    If you want to use your 16+ passphrase, your Yubikey in static password mode or something else that gives you password peace of mind, you can still do that by creating a local account instead of an online Microsoft account. Pretty simple really:
    [Windows 8 installation, with alternate local-only account option]

    [Explanation of the limitations of setting up a local account]
    As you can see from this image above, chances are you'll need that Microsoft account pretty fast anyway. Until they fix their stupid len16 limitation online, I'll suggest keeping your local operating system account separate from any online account.
  4. Good Password recommendations. The number 1 advice is to create strong and unique passwords. In fact the blog post link to this article at Microsoft: Create Strong Passwords. That article has recommendations, and also points to Check your password - is it strong? . That is - you guessed it - a password meter. (I've warned about trusting password meters before, see here, and here.)

    Hm. How to create strong passwords? Well, Microsoft provides examples, starting with a sentence, and then "obfuscating" it into a good password. Here it is:
[Example sequence for 'obfuscating' your password/phrase]
ComplekspasswordsRsafer2011. Not the worst I've seen, but remember folks; NEVER EVER USE THIS PASSWORD ANYWHERE. EVER. Because it either is, or will be in the hackers wordlists very soon, just like correcthorsebatterystaple is.

But wait; No fun? Well, lets just point out a few fun facts here:
  1. None of the examples above can be used with your Microsoft account at present.
  2. alas; None of the examples can be used with Windows 8 if you choose to go with a Microsoft account
  3. From start to finish, any version of the example passphrase given by Microsoft receives the same score:
[Thank goodness Microsoft does not guarantee anything with this password meter...]
In summary:
I get it; you will need a Microsoft account anyway when you want to go shopping apps from their online store. You know; just like the well-known patent troll (no names mentioned). What I don't get is why they haven't been able to fix their lengh issues BEFORE launching Windows 8. People WILL go for default, and they WILL complain about this. Even worse; it WILL become easier to get unauthorized access to peoples Microsoft accounts as well as their home systems because of this. (Microsoft will probably earn from every text message sent out in order to do password resets for you as well, but that's more of a financial discussion). 

Picture Password

Microsoft has 2 blog posts [One, Two) about picture password. Number 1 describes picture password as a feature, including the research made for deciding upon features and limitations in the technology. Post number 2 has more details about the security of it (from a math guy....), including 8 "best practices" for using picture password. I've been very interested in this since I heard about it the very first time, as the idea of using gestures on a personally chosen picture to log in seems like a very good idea from a memorability/usability perspective. Which is, after all, very important for the success of most products. So here is what we get when we choose to configure a picture password for an account in Windows 8

Clearly Microsoft expects us to have touchscreen PCs in the future. I have an iPad, I guess that's not the same thing. From the very beginning I've been thinking that a picture password will be very user friendly on a tablet, but rather awkward on any computer without a touchscreen.

Notice that Microsoft allows you to use circles, straight lines and taps. Please do read the blog posts from Microsoft as referenced above, they really do explain the design, usability & security reasoning behind these gesture selections.

After selecting a completely random picture from my vast image library and making some gestures using my Wacom Bamboo Fun :
[No, that's not my hand. I'm not handing out fingerprints online.]

Then this is suddenly my login screen:
[Completely random picture from my collection, I swear!]
Now if you can re-focus your eyes over to the small text on the left side there, you'll see "Switch to password". As far as I've searched, I have found no way to actually disable the use of a password, so logging in with a password will always be possible. To me that means picture password is more of a usability feature rather than a security feature since it can be so easily circumvented.

I think somebody with way too much time available - like researchers at universities - should look into what pictures people are choosing for  their picture password, and then ask for patterns used. I wouldn't be surprised if there are certain types of pictures as well as patterns appearing, and with different classes of pictures (people, nature, objects) we'll see associated patterns to go with each class.

Anyway; there's more to explore. You can set your own PIN, so you don't have to type in that crappy 58 character cyrillic-cantonese mixalphanumericspecials passphrase every time you log in to play Battlefield 3.

PIN Code Login

So what is there to say about Microsofts implementation of PIN code security in Windows 8? Well... get your CAPSLOCK ready, because this does seem pretty stupid:

Yup, that's correct. Your PIN must be 4 digits. Not 3, not 5. You can only use 4 digits. Good bye, telephone numbers, social security numbers and.. well... a pretty big keyspace that could be used.

Lets be realistic here; the new GUI of Windows 8 seems optimized for tablets with touchscreens. Big or small. Now try setting ComplekspasswordsRsafer2011. as your password on your tablet, or even better: your smartphone. Pretty friggin' hard to type in that password using the virtual keyboard on your screen, right?

So this is where picture password is a pretty nice idea. Using PIN is - Err... COULD - be a good idea for Windows 8, but since it has to be exactly 4 digits, not such a good idea after all.

From a usability perspective you want to display the "digits only keyboard" onscreen whenever and wherever the user is to input just digits, like a PIN, phone number, social security number etc. From a security perspective displaying the very same "digits only keyboard" will show any attacker that the user obviously uses a PIN for accessing his/her device. Add to that the knowledge of Windows 8 requiring 4 digits, and nothing else as PIN, Microsoft just made it that much easier to bruteforce the entire thing.

Oh, and by the way Microsoft; Apple iOS and Android allows the user to choose how many digits they want in their PIN. Well, there's probably an upper limit of course, haven't tested it yet. Second tip for Microsoft: There are some seriously smart scientists at Cambridge University that have been researching peoples choice in PINs. I've blogged about it before, and you can learn even more about it by listening to Howard Smith from Oracle UK, who talked about PIN codes at Passwords^10. Video recording of his talk is available as 720p MP4 video here.

So now my (Microsoft) account settings in Windows 8 look like this:

[Notice that you cannot remove or disable the use of a password in Windows 8]

 Login Display (With All Features Available)

So here we are, with my login screen filled with fun options for logging in. The picture password, the 4-digit PIN or enter a password. Hmmmmm. Now which of these alternatives could possibly be the easiest to figure out, and then get access to my files & information? (Hint: Cambridge made a Top 100 list of PINs during their research, see above links.)


1. Picture Password
Again from my security usability perspective, I really like the idea of Microsofts picture password. Its a fresh and innovative idea as I see it. In due time we'll eventually discover how well it works for people, if they ever figure out how to configure it inside the Windows 8 settings. Then we'll need to take closer look at how well it eventually protects people, as I believe people will use pictures within certain categories, and many will use probably use 1 out of a limited set of different gestures as their "password".

2. PIN Code
I'm sorry Microsoft, but this is WRONG, WRONG, WRONG. How could you? I just can't understand the reasoning behind not allowing anything else than a 4-digit PIN. Sorry, but that's a #FAIL for now.

3. Password
Well, it is still NTLM. It is still unsalted. It is still available for extraction, fast cracking & forwarding using Pass-the-Hash and more. To be honest I would like to see an option where I could disable password login completely (at least locally), only relying on my picture password and/or ... Err... ehm... Well... 4-digit PIN. For now.

4. Further research
We can extract, crack and pass on the hash. We can also extract the password hints stored in registry. Now I would really like to ask the experts out there to figure out how the PIN is stored locally, as well as the picture password gestures. You know, just for curiosity and research, not for evil. Of course I believe Microsoft have those data very safely stored.

Who would think otherwise for a brand new product based on XX years of experience as the market leader?