    Windows 8 - Protecting Your Digital Identity

    Another blog post in Building Windows 8 - Protecting your digital identity.


    An interesting read.

    Microsoft still have a few hurdles to cross, however. IE10, although a big improvement over some earlier offerings, appears only to enhance what is already available in other browsers: it will remember your credentials, albeit in a secured manner.

    However, that doesn't overcome the issue of the user choosing a weak and easy to remember password. The article suggested that the average user has around 20 or so accounts and uses around 5 or 6 passwords. My experience suggests the number of passwords is significantly lower. In almost all cases of "normal users" that I encounter I find the user has just one or two passwords - and frequently these are dictionary words, or location/event based passwords that are easy to guess.

    The issue of complex password generators has been debated many times here in the Lounge, so I won't go down that route again. However, what would be a useful improvement to the OS would be to automatically create and issue random and/or complex passwords, and also to require the user account login credentials to be complex.

    The article effectively discussed this while talking about TPMs, HSMs and smart cards, but those are really used for one-time keys rather than multiple-use keys. What I have in mind is a software crypto engine that generates a random set of credentials per device, host or website: then the OS could recall those credentials securely and invisibly to the user whenever needed.

    Ah-ha! I hear you cry, what happens if the login credentials of the user are hacked and the system compromised? Well, to be honest, that's no different from at present, and something I postulated in comments in one or two earlier Win 8 DP threads. To me, the key to that stage is to get the user credentials as secure as possible in the first place through complex password rules for login (or use biometric tools), and then enforce Standard account use (rather than Administrator, similar to Linux) to limit attacks on the OS. From that point, one could securely manage automatically generated secure credentials for any devices or sites as required.
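The scheme sketched in the post above (complexity rules on the login password, random per-site credentials that the OS can recall without the user ever seeing them) can be shown in a few dozen lines. The block below is an added illustration written for this page; it is not code from the Building Windows 8 article, from IE10, or from the poster. It goes one step beyond the post: instead of generating a random password per site and storing it, it stretches the login password into a master key and derives each site's password deterministically with HMAC, so nothing per site has to be stored to "recall" it. All function names, the tiny COMMON_WORDS list, the character set and the salt are constructed for the example.

```python
import hashlib
import hmac
import secrets
import string

# Constructed, deliberately tiny list of weak passwords. A real check would
# load a large wordlist (breach corpus, place names, years, sports teams...).
COMMON_WORDS = {"password", "letmein", "welcome", "qwerty", "london", "summer"}

CHARSET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"
MIN_LENGTH = 12


def password_issues(pw: str) -> list:
    """Return the complexity rules that pw violates (empty list = acceptable)."""
    issues = []
    if len(pw) < MIN_LENGTH:
        issues.append(f"shorter than {MIN_LENGTH} characters")
    classes = [
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ]
    if sum(classes) < 3:
        issues.append("fewer than 3 character classes")
    # Strip digits and symbols so "London2012!" is still caught as a word.
    core = "".join(c for c in pw if c.isalpha()).lower()
    if core in COMMON_WORDS:
        issues.append("based on a dictionary word")
    return issues


def generate_password(length: int = 20) -> str:
    """Random password from the OS CSPRNG, retried until it meets the rules."""
    while True:
        pw = "".join(secrets.choice(CHARSET) for _ in range(length))
        if not password_issues(pw):
            return pw


def master_key_from_login(login_password: str, salt: bytes) -> bytes:
    """Enforce the complexity rules on the login password, then stretch it
    into a 32-byte master key (PBKDF2-HMAC-SHA256, 200k iterations)."""
    issues = password_issues(login_password)
    if issues:
        raise ValueError("login password rejected: " + "; ".join(issues))
    return hashlib.pbkdf2_hmac("sha256", login_password.encode(), salt, 200_000)


def _keystream(master_key: bytes, msg: bytes):
    """Unbounded byte stream: HMAC(master_key, msg || block_index)."""
    block = 0
    while True:
        yield from hmac.new(master_key, msg + block.to_bytes(2, "big"),
                            hashlib.sha256).digest()
        block += 1


def derive_site_password(master_key: bytes, site: str, length: int = 20) -> str:
    """Deterministic per-site password. Nothing is stored per site: the same
    master key and site name always reproduce the same password. The counter
    is bumped until the result passes the complexity rules."""
    limit = 256 - (256 % len(CHARSET))  # rejection sampling avoids modulo bias
    counter = 0
    while True:
        msg = site.lower().encode() + b"\x00" + counter.to_bytes(4, "big")
        chars = []
        for b in _keystream(master_key, msg):
            if b < limit:
                chars.append(CHARSET[b % len(CHARSET)])
                if len(chars) == length:
                    break
        pw = "".join(chars)
        if not password_issues(pw):
            return pw
        counter += 1


if __name__ == "__main__":
    # Constructed inputs: a login password that passes the rules and a salt
    # that would normally be generated once per user and stored with the profile.
    key = master_key_from_login("Correct-Horse-Battery-9", b"constructed-salt")
    print("rejected login:", password_issues("London2012!"))
    print("random credential:", generate_password())
    print("example.com:", derive_site_password(key, "example.com"))
    print("example.org:", derive_site_password(key, "example.org"))
```

The trade-off the post alludes to still holds: whoever obtains the master key (or the login password it is derived from) obtains every site password, which is why the login password is checked first and why a real implementation would keep the master key in a protected store (DPAPI, a TPM-sealed blob) rather than in process memory for longer than needed.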

