Identity theft is a threat that everyone who uses a PC, or any device that connects to the Internet, has to be aware of. Microsoft's upcoming Windows 8 operating system will have some new security features that will help with protecting a person's own digital identity. In the latest post on the Windows 8 developer's blog site, Microsoft's Dustin Ingalls, who is a group program manager on the Windows 8 security and identity team, writes more about this particular subject.
One big issue with securing your personal identity details on the Internet is the use of passwords. As Ingalls states, the average person has about 25 different online accounts that he or she uses. He says, "... the number of unique passwords across those 25 accounts is only about 6. For folks who spend time thinking about security, that’s a worrisome finding as it shows that the average person reuses the same password quite frequently across accounts."
There are two ways around this issue, according to Ingalls. He writes:
One approach is to enable Windows to help you manage your passwords. If you could have complex, unique passwords for each website you visit without having to remember them all, that would certainly be easier than having one easy to remember password – at the same time, the complex password would make the business of compromising your identity much more difficult for hackers.
The other approach is to not use passwords at all. Ingalls says that there have been a number of different approaches to securing an online account that don't involve the typical password, but he adds, "... they haven’t exactly caught on for mainstream use—mostly because they’re just not as easy to use as a password." Windows 8 will actually allow users to manage different passwords, but Ingalls says it will also support a number of alternative methods.
He goes over a list of issues with using the typical password approach, including phishing attacks, keylogging, cracking or simply guessing a password. While there are ways to keep hackers from getting to your password, such as cleaning a PC of malware or using complex passwords, Ingalls says Windows 8 will offer two ways to help protect users with multiple passwords.
One is offering a way to store and protect multiple passwords such as in the screenshot above. Ingalls says:
Internet Explorer 10 uses the credentials that we store to remember names and passwords for websites you visit (if you choose). In addition, anyone building a Metro style app can use a direct API to securely store and retrieve credentials for that app. (It is important to note that IE respects instructions from websites about saving your credentials – some websites specifically request that passwords not be saved.)
The other method revolves around Windows Live ID for signing into Windows 8 itself. He states:
When you store credentials in conjunction with signing in to Windows with your Windows Live ID, Windows enables you to set your password for each account to something that is both complex and unique; since Windows 8 will automatically submit the credential on your behalf, you’ll never need to remember it yourself. If you need to see the actual password at some point later, you can view it in the credential manager shown here, from any of your Trusted PCs.
But what about using something other than a normal password to secure your digital information? Ingalls states that one method is something called public/private key pairs. He states:
Public/private key pairs differ from passwords in that they are an “asymmetric” key – the private key and the public key are different, and knowledge of the public key doesn’t enable the attacker to derive the private key. Put very simply, in a public/private key sign-in scheme, when you want to sign in to a service, the service sends you a sign-in request, you sign the request with your private key, and the service then uses your public key to read the signature, proving cryptographically that the sign-in request was signed by whomever holds the corresponding private key.
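The sign-in exchange Ingalls describes can be sketched as a challenge-response, shown here as an added example that is not code from Microsoft or from the blog post. The choice of Ed25519, the `Service` type, the user name "alice" and the single-use challenge table are all assumptions made for illustration, not Windows 8 APIs.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Service (hypothetical) stores only public keys, so it holds no secret a breach could leak.
type Service struct {
	users   map[string]ed25519.PublicKey
	pending map[string]string // outstanding challenge (hex) -> user it was issued to
}

// SignInRequest issues a fresh random challenge for the user to sign.
func (s *Service) SignInRequest(user string) []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	s.pending[hex.EncodeToString(c)] = user
	return c
}

// Verify accepts each challenge once, and only with the enrolled key's signature.
func (s *Service) Verify(user string, challenge, sig []byte) bool {
	id := hex.EncodeToString(challenge)
	owner, issued := s.pending[id]
	delete(s.pending, id) // single use: a captured response cannot be replayed
	pub, enrolled := s.users[user]
	return issued && enrolled && owner == user && ed25519.Verify(pub, challenge, sig)
}

// Demo returns the results of a valid sign-in, a replay, and a wrong-key attempt.
func Demo() (valid, replay, wrongKey bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed demo keys
	_, other, _ := ed25519.GenerateKey(rand.Reader)  // a key the service never enrolled
	svc := &Service{users: map[string]ed25519.PublicKey{"alice": pub}, pending: map[string]string{}}
	c := svc.SignInRequest("alice")
	sig := ed25519.Sign(priv, c) // the private key never leaves the client
	valid = svc.Verify("alice", c, sig)
	replay = svc.Verify("alice", c, sig)
	c2 := svc.SignInRequest("alice")
	wrongKey = svc.Verify("alice", c2, ed25519.Sign(other, c2))
	return
}

func main() { fmt.Println(Demo()) }
```

Because each challenge is random and consumed on first use, a signature observed in transit is useless for a later sign-in, unlike a captured password.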
This method prevents a password from being detected by keylogging schemes. It also requires some dedicated hardware, such as "smart cards" and card readers, which is why it hasn't really been used by the mainstream Internet user. Ingalls says that Windows 8 will support public/private key setups for security. He states:
Windows 8 includes a new Key Storage Provider (KSP), which provides easy, convenient use of the Trusted Platform Module (TPM) as a way of strongly protecting private keys. A TPM is a trusted execution environment found on many business-class PCs today (and we expect much broader availability of TPMs when Windows 8 ships), which enables a PC to securely store cryptographic keys. Metro-style apps have APIs that make it easy to automatically enroll and manage keys on your behalf.
In addition, Windows 8 will support what is being called a "virtual smart card." Ingalls states:
This solution is more convenient and economical because you don’t need a physical smart card reader, but deployment is also easier because the virtual smart card functionality works with existing smart card applications and management solutions. The virtual smart card feature can be used in place of existing smart cards with any application or solution that is smart card compatible – no server- or application-side changes are required.