Analysis of Passport Flaws

An anonymous reader sent us an excellent (and technical) paper describing problems with Passport. It's not lame anti-MS rhetoric; it's actually a well-written technical assessment of security problems with the unified login that Passport aims to achieve. This is a good read.
  • by nicodaemos ( 454358 ) on Sunday August 05, 2001 @10:29AM (#2112420) Homepage Journal

    The article does a good job of articulating specific issues with Microsoft's Passport system. Other people have suggested that we should perhaps look to XNS [xns.org] or other open source single signon systems. However, I believe they are missing an important piece.

    This is important because users tend to pick poor (guessable) user names and passwords ...

    Yes, that's right. What good is a strong single signon system that auto authenticates distributed sites, when the single signon itself may be weak? How much will 3DES encryption protect you when your password is "Swordfish"? You may recall the slashdot article [slashdot.org] that discussed how the average person tends to do a poor job of picking a secure password.

    Fundamentally, Microsoft's Passport or any other single signon system is as weak as its weakest link. Which, in many cases, appears to be the original signon authentication. I don't see them really catching on until that problem is better addressed.

    These systems will have a much better chance when biometric authenticators become ubiquitous. Then hackers will have a much harder time impersonating you at the single signon.

    However, no single signon system is perfect and the world is going to get a whole lot nastier when biometrics arrive en masse. Someday, we'll wax nostalgic about happier times when hackers only attacked computers and didn't pull out your eyeball to break into your bank account. I just saw Demolition Man recently, in which Wesley Snipes does a very nice job of faking out a retina scanner with this method - truly gruesome.

    Bah, none of these single signon systems for me. I'll just stick with my secure method of appending the site url to "password". Even if someone compromises one password, they won't know the rest!

  • by crovira ( 10242 ) on Sunday August 05, 2001 @08:54AM (#2114622) Homepage
    And that was the point.

    Now you can't discuss the weaknesses you find in an open forum so they can be addressed. You can only discuss it illegally through encrypted e-mail with others who will exploit them.

    The DMCA was NOT an improvement.
  • by zerocool^ ( 112121 ) on Sunday August 05, 2001 @08:47AM (#2115559) Homepage Journal
    ..if the proper privacy and security issues can be addressed.

    The inherent problem with this technology, however, is that in order to have a secure single sign-on, somewhere there has to be a database, accessible to the internet in some fashion, which has the username, password, and private information of whoever wishes to use it. There's just no way to get around that. And no matter what platform this system is running on, there will be never-ending attempts to bring it down or r00t it.

    Plus, I don't like the idea of my private information being the property of a corporation.

    ~z
  • by infiniti99 ( 219973 ) <justin@affinix.com> on Sunday August 05, 2001 @08:43AM (#2116337) Homepage
    There's nothing particularly wrong with single-signon, just as long as it is done securely and the data of everyone on the planet isn't stored in one bank. Users are going to like the convenience that Passport provides. Thus, we need a good alternative.

    I found this [madasafish.com], which discusses a way of doing a Passport-like identification over Jabber, dubbed "Jident". Maybe this, or something like it, could be implemented as a proper open-source/distributed counter to Passport.

    Jabber is definitely what the world should be using instead of this new "Windows Messenger". Perhaps an alternative to Passport could be added/layered to it as well? Definitely check out that Jident page, especially the bottom where it lays out the pros and cons (and a neat scenario).

    Maybe something like this will be discussed at JabberCon [jabbercon.com].

    -Justin
  • Re:Windows users (Score:2, Insightful)

    by crazney ( 194622 ) on Sunday August 05, 2001 @08:33AM (#2122011) Homepage Journal
    No, they don't "force" us to use these things. But, as Passport grows and more sites use it, it will be almost impossible not to have a Passport account. If you want to use service X you will have to sign up with Microsoft.

    The example of MSN communities was just from personal experience. I am unable to communicate with many of my friends over the net because I refuse to sign up to Passport - sure, it's my choice, but in my opinion they are abusing their monopoly with this.
    It will become worse when many other merchants are using Passport.
  • by Thomas M Hughes ( 463951 ) on Sunday August 05, 2001 @08:32AM (#2122724)
    Well, my first question is really "Does anyone outside of Microsoft actually use passport for authentication?" Microsoft uses it a lot for MSN Messenger, Hotmail and all its other stuff, which isn't really bad (for Microsoft products that is). However, I have yet to see Passport used _outside_ of Microsoft.

    Then, assuming that other companies do begin to use Passport at a significant level (despite no one using it after months of its deployment), there then becomes the question "What happens when Microsoft denies companies access to passport authentication?" For example, what happens if a Hotmail competitor wishes to use Passport authentication for its web mail login? Clearly, Microsoft would be helping their competitor if they allowed it, and acting monopolistically if they don't. That does provide a small problem for Microsoft.

    Third is something that the article points out very early on about the very reason people need something like passport. To paraphrase, the article states that people dislike the idea of their online grocery store having access to their online stock trading when they use the same password. This problem doesn't go away with Passport, it is just enhanced. Now, instead of your grocery store having access to your stocks, Microsoft has access to both your grocery store and your stocks, without doing anything but being a middle man authenticator.

    But what am I saying? Microsoft is the good guy, who would never abuse its power. That's why it's okay for Microsoft to use its powers to "innovate," just like it's okay for the US to develop defensive systems that give it the power to launch nuclear weapons without fear of retaliation.
  • by Magic5Ball ( 188725 ) on Sunday August 05, 2001 @03:23PM (#2123258)
    I think that XNS has a chance of doing this type of thing better than any of the closed source alternatives like Passport.

    Holy fsck is that ever ignorant!

    Why is open-sourced foo always better than closed-sourced or company-owned foo? And why do most /.ers just accept that on faith? Sure, many great things have come out of open source, but that does not automatically qualify everything stamped with GPL/BSD/licence-du-jour, or that appears to have a transparent process, as a Good Thing, just as not everything published by the big-bad-company is a Bad Thing.

    As it stands now, Passport exists, appears to be scalable, and works most of the time, which is a lot more than I can say for XNS. And yes, Passport has problems right now and will have problems in the future, as will XNS. It's a part of the development process which can't be avoided but at least Passport is out there now, being used, attacked, and debugged, before it or anything else becomes somewhat of a universal standard when real $$ is at stake.

    And given the choice of whom to fix an emergent security concern in their respective systems, would you trust the well-intentioned staff of XNS, who are either very knowledgeable but potentially few and far between (cf. recent slashdot and K5 outages), or somewhat knowledgeable and found in abundance; or Passport, staffed 24x7 by an army of people who at least know what they are doing and are eventually liable to shareholders and business partners who have multi$billions to throw around (or not)?

    XNS and anything else that comes along will necessarily have to learn from the mistakes made by Passport now, and I don't think that's a Bad Thing. As it stands right now, the aforementioned army of developers _who evolved the current system over 5+ years and must listen and respond to customer and partner concerns or lose business measured by six or seven zeros on a daily basis_ aren't getting it entirely right, so why would I think that an emergent cadre of excellent but not-entirely-devoted developers with comparatively zero funding can _build and maintain_ what amounts to a public infrastructure (something which doesn't lend itself well to being maintained by an entity staffed by few enough people that they can all be killed in one incident, and without real-world liability for failure) to serve billions of people world-wide? I don't.

    </rant>
  • by Anonymous Coward on Sunday August 05, 2001 @10:36AM (#2126191)
    The idea behind Passport and a centralized approach is so that your information is available EVERYWHERE. If you went to a place that has internet-enabled kiosks and you wanted to access your information, you would have to have synced it with this system. Using Passport, or another system like this, the user doesn't have to worry about syncing at all.

    Perhaps a better approach would be to create smart card technology that holds this information. The biggest security risk here is losing your smart card, probably about as damaging as losing your credit card, perhaps more so, but it's realistically the only alternative. Syncing is not an alternative because it limits where your data can be accessed from.

    Keep in mind that many of the systems Passport and Hailstorm, because the two are intrinsically intertwined, do not exist. Passport and Hailstorm could conceivably evolve into smart card technology or PDA-based systems that use IR or Bluetooth to communicate with each other. These two technologies represent innovation and the future of computing systems. Let them flourish and see where they take us. Don't rip them out with the weeds because you don't understand them.

  • Re:Hailstorm. (Score:3, Insightful)

    by Malcontent ( 40834 ) on Monday August 06, 2001 @02:23AM (#2151728)
    The corporation is guilty and should be punished. The punishment for this ought to be the dissolving of the corporation and seizure of its assets. The executives are guilty because it was they who made the decisions and used the corporation to commit crimes; they should be jailed. The shareholders are guilty because they did not restrain their corporation and did not exercise their duty to monitor and influence their corporation. The executives were serving the shareholders after all. They will be punished when the assets of the corporation are seized and the value of their shares goes to zero.

    Now maybe a small minded stupid fuck thinks that this is rich envy, but that's because the idiot apparently thinks that all rich people commit crimes. Or maybe the moron is incapable of understanding that the legal system has already determined that these people acted in a criminal manner. Perhaps the dimwit thinks it's wrong to punish criminals who are rich because "they commit fewer crimes than any random 10,000 people," but I hope to god stupid shitheads like that never get in power. We in this country already let the Rich get away with murder.
