We live in a world of usernames, passwords, and PINs when it comes to using our computing devices connected to the Internet. These are very important elements of the digital economy and providing the infrastructure for these in Windows is serious business. This work starts with the most basic step of signing in to Windows, and then includes the technologies used to secure the myriad of accounts you will come to use over time. In this post we take a look at the architectural improvements to Windows that enable even more secure management of your many passwords. Dustin Ingalls, the author of this post, is a group program manager on the security and identity team.
One of the challenges that we spent a lot of time thinking about while planning Windows 8 was how to help you manage your digital identity in a way that is both convenient and secure. In today’s world, there are a number of very interesting details with respect to digital identities, how they are used, and how they are protected.
Currently, the most common way people verify their digital identity is by using a password. Passwords are used to sign in to your computer, to your bank, to web merchants, and lots of other places. Our research has shown us that the average person using a PC in the United States typically has about 25 online accounts.(1) That’s a lot to keep track of! In fact, the data also shows that the number of unique passwords across those 25 accounts is only about 6. For folks who spend time thinking about security, that’s a worrisome finding as it shows that the average person reuses the same password quite frequently across accounts. Additionally, given that different websites have different password policies (some require alphanumeric with special characters, some disallow special characters, some have minimum password lengths, some don’t, etc.), it’s likely that the number of unique passwords across accounts would be even lower if websites actually had the same password policies.
On the one hand, that’s completely understandable. Remembering a bunch of different passwords is difficult, especially for accounts that we don’t use frequently. On the other hand, password reuse is very useful to hackers…they know that if they can learn your password for one site, it’s highly likely that you use the same password on other sites. Even worse, an attacker can often use your sign-in information to reset the password for other accounts where the password actually is different. For example, if an attacker can somehow gain access to the password for one of your accounts, there’s a strong probability that you use the same password for one of your web email accounts. Given that there are only a handful of major web email providers, finding yours is often pretty easy. Once an attacker gains access to your email, they can go to other common sites (major banks, major online merchants, etc), and use the “lost password” functionality to send a password reset link to the email account that they’ve already taken over.
(As an aside, the Hotmail team has spent a great deal of effort in redesigning the password recovery process for Hotmail. There are many ways that “bad guys” attempt to compromise online accounts (from all providers) and Hotmail is no different. When your account becomes compromised (or you legitimately forget your password), we have in place a number of security steps to make sure that you, and only you, can restore your account. While these might seem inconvenient, consider the relatively small amount of information you provided in order to sign up. That’s why we encourage people to add either a secondary email account, or even better, a mobile phone number to their account information. The latter is especially hard to duplicate or hack. If you do find yourself with a compromised Hotmail account, you can reset your password. And for those of you using public terminals or untrusted environments to access Hotmail, we encourage you to use a single-use password sent to you via SMS.)
Clearly, the overall user name/password framework leads to a set of interesting challenges. We all want the web to be frictionless, easy, and safe. Having to remember a whole bunch of complex passwords generally isn’t perceived as frictionless. However, using the same easy-to-remember password across multiple sites isn’t safe. The ideal solution here involves somehow finding a way to make it both easy and safe to use all of your different digital identities.
In thinking through this challenge, there are two basic approaches to making it both easier and safer to manage your digital identity. One approach is to enable Windows to help you manage your passwords. If you could have complex, unique passwords for each website you visit without having to remember them all, that would certainly be easier than having one easy to remember password – at the same time, the complex password would make the business of compromising your identity much more difficult for hackers. Another approach is to use something other than a password to help protect and establish your identity. There have been a number of alternatives to passwords available for many years—technologies such as One Time Passwords (OTP), certificates, smart cards, etc. However, despite some of the superior security properties of these password alternatives, they haven’t exactly caught on for mainstream use—mostly because they’re just not as easy to use as a password.
With Windows 8, we provide support for both the safe storage of username/password combinations, and technology to support alternate authentication; that is, we try to make it easier for you to enhance the security of your passwords, and easier to use newer and stronger techniques for protecting your digital identity.
Shortcomings of passwords
There are a number of different methods that attackers use to try to obtain your password. The most common methods are:
Phishing. Phishing involves tricking a user into revealing their password directly to the attacker. Common forms of phishing include “please reset your account” emails that either ask you to send in your password, or link to a website that looks like a popular website and ask you to enter your password.
Guessing. Given people’s natural preference for easy to remember passwords, attackers can often gain access to an account by simply running through the top 10 or 20 passwords most commonly in use on the Internet. Attackers can also make use of public information (perhaps based on your public social networking profile) to find other easy to guess passwords based on things like your favorite sports team or favorite pet.
Cracking. In certain situations, an attacker can capture a snippet of data (usually the password’s hash value) and use it to derive your password. There are freely downloadable resources on the Internet that enable attackers to derive passwords less than 8 characters in length very quickly.
Keylogging. If an attacker can successfully install a keylogger on a device, they can record each time you hit a key on your keyboard, and therefore easily pick up name/password combinations. This is an especially common attack on public PCs or kiosks. (That’s why, for example, using the single use code instead of a password for Hotmail is a good idea in such situations!)
Improving the security and usability of passwords
There are a number of important steps you can take to help protect against all of these types of attacks. One of the most important steps is to keep your PC clean and free of malware (to help against phishing and keylogging). Windows 8 includes a number of substantial features in this area that we’ve already covered in prior blog posts (Secure Boot, SmartScreen and Windows Defender enhancements, etc). However, some attacks (like guessing and cracking) rely only on password strength, so it’s important to use strong, complex passwords that are unique to each account.
Windows 8 simplifies the task of managing unique and complex passwords in two important ways. The first is by providing a way to automatically store and retrieve multiple account names and passwords for all the websites and applications you use, and do so in a protected manner. Internet Explorer 10 uses the credentials that we store to remember names and passwords for websites you visit (if you choose). In addition, anyone building a Metro style app can use a direct API to securely store and retrieve credentials for that app. (It is important to note that IE respects instructions from websites about saving your credentials – some websites specifically request that passwords not be saved.)
Windows 8 allows you to securely store and manage all of your sign-in credentials
The second important investment in this area was covered in an earlier post by Katie Frigon, Signing into Windows 8 with a Windows Live ID. One of the great things you get when you sign in to Windows with your Windows Live ID is the ability to sync the credentials you’ve stored to all of the Windows 8 PCs that you register as your “Trusted PCs.”
When you store credentials in conjunction with signing in to Windows with your Windows Live ID, Windows enables you to set your password for each account to something that is both complex and unique; since Windows 8 will automatically submit the credential on your behalf, you’ll never need to remember it yourself. If you need to see the actual password at some point later, you can view it in the credential manager shown here, from any of your Trusted PCs.
The same principles that keep your credentials safer on websites and applications also apply to how you sign in to your PC. The password you use to protect the account on your PC must be resilient to guessing and cracking. Windows 8 helps with this, helping you to set a very strong password for sign-in, while at the same time enabling a number of “convenience” sign-in methods such as Picture Password and biometrics. This makes it easy to sign in to your PC, without sacrificing security. We will cover Picture Password and other sign-in methods in more detail in a future post.
It is worth reiterating that signing in to your PC with a Windows Live ID, in addition to making sign-in easier, also offers improved sign-in security and gives you a clear path to recovery if you forget your Windows password. With a local password, if you forget your password, you’re in a tough spot – if you didn’t create a password recovery USB stick, you’re stuck rebuilding your machine from scratch. However, if you sign in to your PC with a Windows Live ID, you can reset your password from another PC. If your Windows Live ID password was stolen somehow, you still have the benefit of a number of Windows Live safety features that are designed to detect compromise and limit your account usage until you can successfully prove that you are the rightful owner of your account and recover your account. The account recovery workflow leverages two-factor authentication features (secondary account proofs) that you set up earlier, such as a mobile phone number or secondary email address (if you haven’t already set these up, we’ll ask you for them the first time you use your Windows Live ID with Windows 8). Also, even if your Windows Live ID is in a compromised state, you will still have full access to your PC since Windows will cache your last “known good” sign-in password (encrypted, of course) and allow you to use that to continue to sign in.
Creating an easy to use alternative to passwords
While a complex and unique password can be highly resistant to guessing and cracking, because it is what we refer to as a “shared” or “symmetric” key, it is still always vulnerable to phishing and keylogging. Since the key is shared between you and whatever you are signing in to, if the attacker can somehow gain access to your secret key, the game is up. However, there are alternatives that offer strong protection against these types of attacks.
One alternative is public/private key pairs. Secure Sockets Layer or Transport Layer Security (SSL/TLS) certificates are an example of this – these are the most commonly used methods for protecting network traffic on the Internet today. Public/private key pairs differ from passwords in that they are an “asymmetric” key – the private key and the public key are different, and knowledge of the public key doesn’t enable the attacker to derive the private key. Put very simply, in a public/private key sign-in scheme, when you want to sign in to a service, the service sends you a sign-in request, you sign the request with your private key, and the service then uses your public key to read the signature, proving cryptographically that the sign-in request was signed by whomever holds the corresponding private key. This is referred to as “proof of possession”. So long as you haven’t lost your private key, there is strong cryptographic proof that you are the real account holder signing in to the service. Since the actual private key is never exchanged, both keylogging and phishing no longer work. There are no keystrokes to log; and worst case, if a user is tricked into using their private key to sign an authentication request for a fake website, nothing useful is provided—the bad guys can’t re-use this information to sign in to the legitimate website.
Although this technology is used extensively on the Internet today, it still hasn’t replaced conventional password sign-in. Why not? The main reason is that strong protection of a private key typically requires dedicated hardware (typical examples of this are hardware security modules (HSMs) and smart cards), and historically, use of such hardware hasn’t been very convenient— if you lose the hardware or don’t have it with you, you can’t sign in.
Windows 8 has a number of new features that make it much easier for both users and application developers to make use of public/private key methods. Windows already provides fairly extensive support for use of key pairs and certificates; but strong protection of the private key, as I mentioned earlier, typically relied on HSMs or smart cards. Windows 8 includes a new Key Storage Provider (KSP), which provides easy, convenient use of the Trusted Platform Module (TPM) as a way of strongly protecting private keys. A TPM is a trusted execution environment found on many business-class PCs today (and we expect much broader availability of TPMs when Windows 8 ships), which enables a PC to securely store cryptographic keys. Metro-style apps have APIs that make it easy to automatically enroll and manage keys on your behalf. The Windows Dev Center provides a sample banking app that shows developers how to use this API.
The KSP feature is particularly useful for banking and commerce applications, since it provides very strong resilience against the most common types of identity attacks on the Internet today while leveraging hardware inside your PC to prevent malware from stealing your private key.
For organizations and businesses that already use smart cards, we’ve implemented a new feature that overlays the TPM KSP feature and enables the TPM to function as a “virtual smart card.” This solution is more convenient and economical because you don’t need a physical smart card reader, but deployment is also easier because the virtual smart card functionality works with existing smart card applications and management solutions. The virtual smart card feature can be used in place of existing smart cards with any application or solution that is smart card compatible – no server- or application-side changes are required. Also, Windows 8 continues to support cards compliant with the Personal Identity Verification (PIV) standard or the Generic Identity Device Specification (GIDS) standard. By using these standards, deployment of smart cards is made much easier in Windows 8. All of these options are available for signing in to Windows (on domain-joined PCs), apps, websites – anything that was previously accessible using a physical smart card. This short video shows this in action after it is set up via policy or logon script by your adminsitrator.
In a world that is becoming increasingly dependent on maintaining a secure digital identity, we are very passionate about finding ways to make your digital life safer and more secure, without making it more complex. We’ve spent a great deal of time and focus on this in Windows 8, and we are very much looking forward to hearing your feedback!
– Dustin Ingalls
(1) Source: Dinei Florencio and Cormac Herley, A Large Scale Study of Web Password Habits, Microsoft Research. 2007