Sunday, August 26, 2012

Windows 8 Password Security

[Retro-style static boot splash graphic in Windows 8.]
I installed Windows 8 Consumer Preview (and some earlier versions as well) into a VM so that I could have a look for changes in password security. After quite a few screenshots etc. from CP, I decided to wait for RTM, so that I wouldn't have to write an entirely new post if there were major differences. I'm happy I did that. Let's take a look at what we get with Windows 8 in terms of password security.

Password Length Limitation On Install

Quite a few people - including myself - made CAPSLOCK complaints on Twitter and in other channels when we discovered that when installing Windows 8, we were constrained to a maximum length of 16 characters for our password. This limitation is due to Microsoft; by default you will either create or use an existing Microsoft account (Xbox, Hotmail, Live, etc) for logging in to Windows 8. Yes, that's right; your new & shiny Windows 8 installation just became part of the "cloud".

In a blog post from the Windows team entitled "Inside Skydrive, Hotmail and Messenger - Keeping your Microsoft account more secure" from July 15, 2012, you'll find a lot of answers - and a bit of confusion.

First the positive part:
  1. The blog post has some good info on how Microsoft handles leaks from other sites, in order to protect their own customers.
  2. They list 7 actions you can - and should - do to protect your account better.
  3. Microsoft really seems to answer and care about the feedback they get.
Then the not-so-positive part:
  1. "MondayBlues" has the very first reply to the blog post, specifically pointing at the maxlen16 issue. He also mentions other limitations such as an inability to use certain special characters in password hints etc. While this makes sense in order to avoid mistyping questions or answers and increasing the risk of locking yourself out of your account, it doesn't make sense for those of us who want to be just a bit more paranoid than the average user.
  2. The reply from Eric Doerr at Microsoft is good with lots of honest information, but it still raised my concerns about Microsoft practices. He writes: "Unfortunately, for historical reasons, the password validation logic is decentralized across different products, so it's a bigger change than it should be and takes longer to get to market." As I read it, Microsoft is launching a new product (Windows 8), with default security severely limited by a varied range of "old" products & services from Microsoft. I find that a bit difficult to understand, not even mentioning the "default-use-the-cloud" approach. (Please don't tell me you just do what Apple have already done a long time ago)
  3. Although the blog post is not about Windows 8, I hope & believe this is better explained somewhere else, because you can in fact bypass this maxlen16 limitation quite simply, as shown here:

    If you want to use your 16+ character passphrase, your Yubikey in static password mode or something else that gives you password peace of mind, you can still do that by creating a local account instead of an online Microsoft account. Pretty simple really:
    [Windows 8 installation, with alternate local-only account option]

    [Explanation of the limitations of setting up a local account]
    As you can see from the image above, chances are you'll need that Microsoft account pretty fast anyway. Until they fix their stupid len16 limitation online, I suggest keeping your local operating system account separate from any online account.
  4. Good password recommendations. The number 1 advice is to create strong and unique passwords. In fact the blog post links to this article at Microsoft: Create Strong Passwords. That article has recommendations, and also points to Check your password - is it strong? That is - you guessed it - a password meter. (I've warned about trusting password meters before, see here, and here.)

    Hm. How to create strong passwords? Well, Microsoft provides examples, starting with a sentence, and then "obfuscating" it into a good password. Here it is:
[Example sequence for 'obfuscating' your password/phrase]
ComplekspasswordsRsafer2011. Not the worst I've seen, but remember folks; NEVER EVER USE THIS PASSWORD ANYWHERE. EVER. Because it either is, or will be in the hackers' wordlists very soon, just like correcthorsebatterystaple is.

But wait; no fun? Well, let's just point out a few fun facts here:
  1. None of the examples above can be used with your Microsoft account at present.
  2. Alas, none of the examples can be used with Windows 8 if you choose to go with a Microsoft account.
  3. From start to finish, any version of the example passphrase given by Microsoft receives the same score:
[Thank goodness Microsoft does not guarantee anything with this password meter...]
In summary:
I get it; you will need a Microsoft account anyway when you want to go shopping for apps in their online store. You know; just like the well-known patent troll (no names mentioned). What I don't get is why they haven't been able to fix their length issues BEFORE launching Windows 8. People WILL go for default, and they WILL complain about this. Even worse; it WILL become easier to get unauthorized access to people's Microsoft accounts as well as their home systems because of this. (Microsoft will probably earn from every text message sent out in order to do password resets for you as well, but that's more of a financial discussion.)

Picture Password

Microsoft has 2 blog posts [One, Two] about picture password. Number 1 describes picture password as a feature, including the research made for deciding upon features and limitations in the technology. Post number 2 has more details about the security of it (from a math guy....), including 8 "best practices" for using picture password. I've been very interested in this since I heard about it the very first time, as the idea of using gestures on a personally chosen picture to log in seems like a very good idea from a memorability/usability perspective. Which is, after all, very important for the success of most products. So here is what we get when we choose to configure a picture password for an account in Windows 8.

Clearly Microsoft expects us to have touchscreen PCs in the future. I have an iPad, I guess that's not the same thing. From the very beginning I've been thinking that a picture password will be very user friendly on a tablet, but rather awkward on any computer without a touchscreen.

Notice that Microsoft allows you to use circles, straight lines and taps. Please do read the blog posts from Microsoft as referenced above, they really do explain the design, usability & security reasoning behind these gesture selections.

After selecting a completely random picture from my vast image library and making some gestures using my Wacom Bamboo Fun:
[No, that's not my hand. I'm not handing out fingerprints online.]

Then this is suddenly my login screen:
[Completely random picture from my collection, I swear!]
Now if you can re-focus your eyes over to the small text on the left side there, you'll see "Switch to password". As far as I've searched, I have found no way to actually disable the use of a password, so logging in with a password will always be possible. To me that means picture password is more of a usability feature rather than a security feature since it can be so easily circumvented.

I think somebody with way too much time available - like researchers at universities - should look into what pictures people are choosing for their picture password, and then ask for the patterns used. I wouldn't be surprised if certain types of pictures as well as patterns keep appearing, and with different classes of pictures (people, nature, objects) we'll see associated patterns to go with each class.

Anyway; there's more to explore. You can set your own PIN, so you don't have to type in that crappy 58 character cyrillic-cantonese mixalphanumericspecials passphrase every time you log in to play Battlefield 3.

PIN Code Login

So what is there to say about Microsoft's implementation of PIN code security in Windows 8? Well... get your CAPSLOCK ready, because this does seem pretty stupid:

Yup, that's correct. Your PIN must be 4 digits. Not 3, not 5. You can only use 4 digits. Good bye, telephone numbers, social security numbers and.. well... a pretty big keyspace that could be used.

Let's be realistic here; the new GUI of Windows 8 seems optimized for tablets with touchscreens. Big or small. Now try setting ComplekspasswordsRsafer2011. as your password on your tablet, or even better: your smartphone. Pretty friggin' hard to type in that password using the virtual keyboard on your screen, right?

So this is where picture password is a pretty nice idea. Using PIN is - Err... COULD - be a good idea for Windows 8, but since it has to be exactly 4 digits, not such a good idea after all.

From a usability perspective you want to display the "digits only keyboard" onscreen whenever and wherever the user is to input just digits, like a PIN, phone number, social security number etc. From a security perspective, displaying that very same "digits only keyboard" shows any attacker that the user obviously uses a PIN for accessing his/her device. Add to that the knowledge that a Windows 8 PIN is exactly 4 digits and nothing else, and Microsoft just made it that much easier to brute-force the entire thing.

Oh, and by the way Microsoft; Apple iOS and Android allow the user to choose how many digits they want in their PIN. Well, there's probably an upper limit of course, haven't tested it yet. Second tip for Microsoft: There are some seriously smart scientists at Cambridge University that have been researching people's choice in PINs. I've blogged about it before, and you can learn even more about it by listening to Howard Smith from Oracle UK, who talked about PIN codes at Passwords^10. A video recording of his talk is available as 720p MP4 video here.

So now my (Microsoft) account settings in Windows 8 look like this:

[Notice that you cannot remove or disable the use of a password in Windows 8]

Login Display (With All Features Available)

So here we are, with my login screen filled with fun options for logging in. The picture password, the 4-digit PIN or enter a password. Hmmmmm. Now which of these alternatives could possibly be the easiest to figure out, and then get access to my files & information? (Hint: Cambridge made a Top 100 list of PINs during their research, see above links.)


1. Picture Password
Again from my security usability perspective, I really like the idea of Microsoft's picture password. It's a fresh and innovative idea as I see it. In due time we'll eventually discover how well it works for people, if they ever figure out how to configure it inside the Windows 8 settings. Then we'll need to take a closer look at how well it eventually protects people, as I believe people will use pictures within certain categories, and many will probably use 1 out of a limited set of different gestures as their "password".

2. PIN Code
I'm sorry Microsoft, but this is WRONG, WRONG, WRONG. How could you? I just can't understand the reasoning behind not allowing anything else than a 4-digit PIN. Sorry, but that's a #FAIL for now.

3. Password
Well, it is still NTLM. It is still unsalted. It is still available for extraction, fast cracking & forwarding using Pass-the-Hash and more. To be honest I would like to see an option where I could disable password login completely (at least locally), only relying on my picture password and/or ... Err... ehm... Well... 4-digit PIN. For now.

4. Further research
We can extract, crack and pass on the hash. We can also extract the password hints stored in the registry. Now I would really like to ask the experts out there to figure out how the PIN is stored locally, as well as the picture password gestures. You know, just for curiosity and research, not for evil. Of course I believe Microsoft have those data very safely stored.

Who would think otherwise for a brand new product based on XX years of experience as the market leader?


  1. It seems like Microsoft has also removed the possibility to use netplwiz for enabling autologin, if you're using a Microsoft Account. However if you use a local account, autologin will still be possible.

    A small problem I have with the PIN code is that for some reason, "num lock" is always off on the logon page.

    The MS Account itself works like an SSO against MS services. Since I now can use a PIN, I could have a 16 random character password for the login. A strong password should be needed because of the possibility to link a credit card with the account (you could already have one registered with this account if you use Xbox Live).

    It will be interesting to see how they solve the problem with linking Apps to the account. It would be nice if Microsoft could let the App use the built-in account in a safe way.

    In this way the user should not need to give away any credentials to an untrusted third party. This is not possible on the Windows Phone 7 (for non-Microsoft apps).

  2. This is one of the best posts I've seen on Windows 8 password security. Thanks for putting all of this into one location.

    I think one thing to keep in mind is most of the methods you detailed are for home use laptops, desktops, tablets, and smartphones. Let's be honest, 4 digit pins are what iPhone users expect ;p Likewise most of the other methods are more to keep kids or snooping friends off your computer vs a skilled attacker.

    From a forensics standpoint, I'm very interested how Windows 8 stores picture password info. While the gesture info can be hashed, it would have to be in a very general format. Aka "They started in section C drew in a downward motion and then moved left then up" vs "it looks like a U vs an O". Also my gut instinct is that people won't be very unique with this. Aka I'd almost be willing to bet that people will be tapping pictures of their kids' faces. Of course, that won't matter much since once again the main threat model isn't skilled attackers.

    Also, I'd like to highlight another quote from the Windows Live blog posting about password re-use: "on average, we see successful password matches of around 20% of matching usernames". Having Microsoft come out and say that 20% of users reuse passwords for their Windows Live account is huge. Now we have some official numbers we can use when talking about how big of a problem that is.

    1. Thank you!

      Well, go ahead and try to figure it out! :-) I'm not capable of that stuff, I'm not a reverse engineer or a coder or anything....

  3. Per, thank you for your detailed review of security features in Win8!

    What do you think about voice biometrics security, just using your voice instead of letter-numeric passwords?

    1. Thank you for kind words & questions Constantine!

      Voice biometrics, like several other types of biometrics, are also vulnerable to various types of attacks. By attacks I'm thinking anything from simple DoS situations (lots of background noise may decrease your ability to login), through obtaining your fingerprint and reusing it.

      For facial recognition there's the option of using a flat picture of you to defeat the system, while a 3D facial recognition system can be defeated by creating a sculpted mask (Tom Cruise - Mission Impossible style!). Worst thing is; it has been proven to work.

      I've chosen to concentrate on improving passwords, especially on the service provider side (better algorithms, hashing, salting, rate-limiting... you name it).

      As for biometrics I am still not convinced how secure it is (in most settings), and so far most solutions are offering methods for circumvention. Usually some kind of password. :-)

      If such options are available, the biometrics stuff becomes a usability improvement, which may or may not be considered better security.

  4. Theory Behind Pins:

    Combine with smart cards.

    If you've ever used an RSA login mechanism, the device at its root expects to see a pin+the rsa key. That's the gist here, it's just obfuscated and poorly explained. It's not a cellphone login key and they didn't mandate you have to run out and buy smart cards.

    Integrated RSA auth directly in this system would be nice though.

  5. Windows 8 picture password (as well as PIN) is just a toy with a lack of security. Here's explained why:

  6. Reporter Dan Goodin at arstechnica has this story, based on input from passcape, Adam Caudill, Brandon Wilson and me:

