I recently came across the following popup:
For some unfathomable reason, the blithering idiots at Microsoft decided your Windows 10 username and password weren’t good enough. They are now trying to “encourage” you to use either a PIN or facial recognition instead. Soon, however, they’ll start forcing people to adopt the change.
As an IT security consultant with 30+ years in the business, I have major issues with their plan.
1. How is a 1 in 1 billion PIN (9 digits, 10^9) better than a 1 in 630,249,409,724,609,375 (95^9, roughly 630 quadrillion, for nine characters drawn from the 95 printable ASCII symbols) password? Note that raw search-space counts like these only decide the outcome when the attacker can make guesses without limit, as in an offline attack on a stolen password hash; a secret that can only be tried on the one device it belongs to, and that is locked out after a few wrong entries, is a different threat model. The comparison below assumes unlimited guessing throughout.
That’s just STUPID, and it sounds like STUPID MARKETING TRICK #18,294,549.
They claim, “But keyloggers…” Keyloggers are either physical devices or software that intercept your keystrokes and send them to the attacker, typically to a database somewhere online for analysis and later use.
If you’re using a USB expansion hub for your wireless keyboard and mouse RxTx (receiver/transmitter) dongle, you stand a fair chance of having already been hacked. Various chipsets from overseas, found in a number of motherboards, have also been hacked to perform keylogging.
Microsoft’s solution is supposedly a mouse-entered PIN. While a mouse-entered PIN defeats a keystroke logger, it doesn’t defeat a hacked motherboard chip or any other component that records where you click, UNLESS the OS makes the numbers appear in random positions on the screen.
Here’s the PROBLEM: scrambling the keypad does not make the PIN any bigger. A six-digit PIN drawn from ten digits is still one of 10^6 = 1,000,000 values (the 151,200 figure is 10P6, the number of six-click sequences that never reuse a key, and a PIN is allowed to repeat digits). What scrambling changes is only what an observer of click positions learns.

But what if you had a dozen instances of each number scattered randomly all over the screen and users could use any of them? Now a logger that sees only where you clicked has to consider 120P6 = 2,629,976,731,200 distinct click sequences (no cell reused); make it a 10-digit PIN and that becomes 120P10 = 421,188,206,644,390,348,800. Those numbers describe the click positions, not the PIN: the PIN itself is still one of 10^6 (or 10^10), and an attacker who can submit guesses directly gains nothing from the scrambling.

One problem is, a relatively smart virus can easily determine what number is in what position on the screen and follow the position of your cursor when you click on it, so it recovers the PIN regardless of the scrambling.

The other problem is, that’s not what Microsoft is doing. They’re having you enter your PIN via the keypad. Against a keylogger, that’s no security at all! And if they do use a mouse-selected keypad, they will probably NOT scramble the number placement, much less toss 120 of them all over the screen.
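To make the distinction above concrete, here is an added example (mine, not code from the original post and not anything Microsoft ships) that models a PIN entered on a keyboard, on a fixed on-screen keypad, and on a scrambled keypad with a dozen copies of each digit, and shows what a coordinate-only logger and a screen-reading logger each end up with. The keypad model, the function names, the sample PIN 493017 and the attacker types are all my assumptions for illustration.

```python
"""Added example (not from the original post): what a logger learns when a PIN is
entered on a keyboard, on a fixed on-screen keypad, and on a scrambled keypad.
The layout model, attacker names and sample PIN are assumptions for illustration."""
import math
import random
from typing import List, Optional


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of secrets of `length` symbols over an alphabet, repeats allowed:
    a six-digit PIN is 10**6, a nine-character printable-ASCII password is 95**9."""
    return alphabet_size ** length


def click_sequences(cells: int, length: int, reuse_cell: bool = True) -> int:
    """Distinct click-position sequences a coordinate-only logger could observe.
    reuse_cell=False is the falling factorial cells P length (the figures quoted
    in the post); a real user may click the same cell twice, giving cells**length."""
    return cells ** length if reuse_cell else math.perm(cells, length)


def make_layout(copies: int, scramble: bool, rng: random.Random) -> List[int]:
    """On-screen keypad as a list of cells; cell i shows digit layout[i].
    `copies` cells per digit 0-9, shuffled when scramble=True (fresh per entry)."""
    layout = [d for d in range(10) for _ in range(copies)]
    if scramble:
        rng.shuffle(layout)
    return layout


def click_pin(pin: str, layout: List[int], rng: random.Random) -> List[int]:
    """Simulate the user: for each PIN digit, click any cell currently showing it.
    Returns the cell indices, which is all a coordinate-only logger records.
    (Clicking the same cell twice would leak that two digits match; ignored here.)"""
    clicks = []
    for ch in pin:
        cells_showing_digit = [i for i, d in enumerate(layout) if d == int(ch)]
        clicks.append(rng.choice(cells_showing_digit))
    return clicks


def recover_pin(clicks: List[int], layout_known_to_attacker: List[int]) -> str:
    """Map logged click positions back to digits using whatever layout the attacker
    knows: the public fixed keypad, or the scrambled one read off the screen."""
    return "".join(str(layout_known_to_attacker[i]) for i in clicks)


def attacker_result(pin: str, copies: int, scramble: bool,
                    attacker_reads_screen: bool, seed: int = 7) -> Optional[str]:
    """What the attacker ends up with after one PIN entry:
    - keyboard / fixed keypad: click positions alone reveal the PIN (layout is public)
    - scrambled keypad, coordinate-only logger: layout is fresh and unknown, so the
      click indices are independent of the PIN -> None (nothing beyond the length)
    - scrambled keypad, screen-reading malware: layout + clicks -> PIN recovered"""
    rng = random.Random(seed)
    layout = make_layout(copies, scramble, rng)
    clicks = click_pin(pin, layout, rng)
    if not scramble or attacker_reads_screen:
        return recover_pin(clicks, layout)
    return None


def remaining_candidates(pin_length: int, scramble: bool, attacker_reads_screen: bool) -> int:
    """PIN candidates left after one observed entry: 1 when the attacker can map
    clicks to digits, the full 10**length otherwise. The scrambling never shrinks
    or grows the PIN space itself; it only decides whether the observation helps."""
    return 10 ** pin_length if (scramble and not attacker_reads_screen) else 1


if __name__ == "__main__":
    print("6-digit PIN space:", keyspace(10, 6))
    print("9-digit PIN vs 9-char printable-ASCII password:", keyspace(10, 9), keyspace(95, 9))
    print("10P6 / 120P6 / 120P10:", click_sequences(10, 6, False),
          click_sequences(120, 6, False), click_sequences(120, 10, False))
    for copies, scramble, sees in [(1, False, False), (12, True, False), (12, True, True)]:
        print(f"copies={copies} scrambled={scramble} reads_screen={sees}:",
              attacker_result("493017", copies, scramble, sees),
              "candidates left:", remaining_candidates(6, scramble, sees))
```

The three simulated cases line up with the argument in the text: a fixed keypad (or the keyboard) hands the PIN to a coordinate logger directly, a scrambled keypad leaves a coordinate-only logger with the full 10^6 candidates, and malware that reads the screen recovers the PIN whatever the layout. The large falling-factorial numbers describe only the second attacker's view of positions, never the PIN space.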
Meanwhile, I know my laptop’s chipset wasn’t hacked during manufacture, I do not use a USB hub, I maintain physical security of my device, and I use random passwords of at least 24 characters. Thus, the relative strength of my approach is 5,015,417,659,062,895,539,832,341,616,624,597,008,384,000,000.
Now you see why I don’t trust Microsoft with my security.
Grow a brain, Microsoft. For 99.9% of all users, the old tried and true password approach is good enough. For those who use poor passwords, oh well — sucks to be stupid.
2. How well does facial recognition software work if I grow fat, grow thin, change hairstyles, become disfigured in an accident, have a twin, or have a doppelganger?
That’s just STUPID, and it sounds like STUPID MARKETING TRICK #23,877,590.
3. But “Sign into Microsoft for enhanced security?” I most certainly am NOT going to use any logon scheme which requires me to be connected to the Internet!
Here’s WHY: Power Outage.
Microsoft is DAFT.