Passwords Pose Windows Security Threat, Foundation Says

Asterisks bug Alex Konanykhin. Dots irritate him, too.

That’s because he believes they’re used by software makers to lull computerusers into a false sense of security when they enter passwords into theircomputer.

Because users can’t see the passwords hidden behind the asterisks, “mostusers believe they are secure,” the CEO of the Internet marketing companyKMGI.com told TechNewsWorld.

Users Seduced

He explained that dots and asterisks seduce users into opting for the “save password”feature in Windows because it saves time. What users are often ignorant of,he continued, is that anyone that uses that computer or accesses it from theInternet can harvest those passwords.

The problem riled Konanykhin so much that he set up an organization, the Internet Security Foundation, to educate the public about it.

According to the results of a straw poll of 240 Internet users released bythe foundation, 86 percent of the respondents believed that passwords hiddenbehind asterisks were securely protected.

Snubbed by Microsoft

Konanykhin, through his foundation, has solicited Microsoft to alert usersabout security issues surrounding passwords. “We wrote to Microsoft,” hesaid, “but Microsoft ignored all our letters.”

“The responsible thing for Microsoft to do would be to issue a securitypatch which would make passwords secure and preclude unauthorized access tousers’ online accounts,” he argued.

“At the very least,” he said, “Microsoft should have issued a security patchwhich would warn Windows users that such hidden passwords are not secure.Instead, Microsoft chose to ignore the issue despite our repeated warnings.”

Shoulder Surfing

According to a Microsoft spokesperson who asked to remain anonymous,”The asterisk mechanism for visually hiding password characters, usedthroughout the industry, is designed to prevent ‘shoulder surfing’ attacks,not to permanently encrypt and obfuscate passwords.

“The ability of a user to run a tool on an unsecured machine to see apassword they just typed is not a security threat,” the spokesperson toldTechNewsWorld via e-mail. “Claims from third parties that such toolsconstitute a security threat are overstated and irresponsible in that theymay raise undue fear amongst customers.”

Although security experts concede there may be some confusion among usersabout passwords hidden behind asterisks or dots, they discount the practiceas a serious security threat.

Low Security Threat

“What it comes down to is a general understanding of how machines can becompromised and how passwords and identities are stolen,” Craig Schmugar,virus research manager at McAfee Security in Santa Clara, California, said. “For the most part, there’s really not a good understandingof that from the general public.”

“In the grand scheme of things, this is on the bottom of the list of badthings that can happen,” he said of the asterisk issue.

Chris Novak, a senior security consultant with Ubizen, a New York City-basedprovider of managed security solutions for businesses, said that theasterisk issue has been known for years.

Not Seeing Is Believing

“Many applications, not only those by Microsoft, have been plagued by thisvulnerability — if you even want to call it a vulnerability,” he said.

“For most people, not seeing is believing,” he asserted. “They assume thatif they can’t see their password, then nobody else can see their password, sothey have a false sense of security that all their passwords are safe.”

If some miscreant wants to filch passwords from a computer, though, they’remore likely to use a means other than poking behind asterisks, he averred.

“From what our investigators are seeing in the field, more than 60 percentof password theft issues are still the result of key loggers and linesniffers,” he said.

“That’s down from previous years, mostly due to phishing,” he added.”Phishing has grown and taken away from the key loggers and line sniffers.”

Nix Passwords

For some security pros, the asterisk issue is just a fragment of a largerproblem. “Passwords are simply becoming inadequate for most businessapplications today as they are too easily stolen and reverse-engineered, andthey are also becoming very expensive for companies to manage,” VadimLander, chief identity architect in the Waltham, Massachusetts offices ofComputer Associates told TechNewsWorld via e-mail.

“My belief is that companies need to be looking at moving towards usingstronger authentication, such as tokens or biometrics, in place of or inconjunction with passwords,” he explained. “Those companies who areconcerned about assuring the security of their applications are looking atvendors to help get biometric technology adopted as part of the desktop OSsolution.”