Wednesday, January 6, 2010

Let's see some I.D.: Passwords and Other Forms of Authentication

Published by Sunbelt Software

Vol. 2, # 17 - Jan 7, 2010 - Issue # 17 

  1. Editor's Corner
    • Let's see some I.D.: Passwords and Other Forms of Authentication
    • Quotes of the Week
  2. Cool Tools
  3. News, Hints, Tips and Tricks
    • Playing God with Windows 7?
    • Inkball on Windows 7
    • 50% discount on Windows 7 for SMB customers
    • Display your desktop on your TV - wirelessly
    • Latest contender for the title of iPhone Killer
  4. How to: Using the New Windows 7 Features
    • How to create a password reset disk
  5. Windows 7 and Vista Security
    • Hackers expected to target Windows 7 in 2010
  6. Question Corner
    • Copying music to my hard drive
  7. Windows 7 Configuration and Troubleshooting
    • Customize default user profiles in Windows 7
    • Network Monitor 3.3
  8. Fav Links
    • This Week's Links We Like. Tips, Hints And Fun Stuff
  9. Product of the Week
    • 20 Free PC Performance Reports

Editor's Corner

Let's see some I.D.: Passwords and Other Forms of Authentication

Once upon a time, Microsoft operating systems (MS-DOS and the first versions of Windows) were designed to run on a non-networked PC with a single user. Thus the OS didn't care who you were and you didn't have to log in or otherwise identify yourself to use the applications. Windows for Workgroups 3.11 was the first to have built-in networking support, but it still was not created to be a multi-user system. Windows 95 added support for multiple user profiles, but NT was the first Windows OS with serious security mechanisms for protecting one user's files from another. This required some way for different users to differentiate themselves to the operating system.

From the user's point of view, the way you access most computer systems - whether Windows, UNIX/Linux, Mac, or other proprietary operating systems - is by entering a user name and a password. The combination serves to identify you to the OS; the assumption is that if you know the password that goes with a particular user account, you are the owner of that account.

Early systems stored these passwords in clear text in a database on the system. This was obviously an insecure method, so it was replaced by more secure methods. Later operating systems ran the password through a mathematical function called a hash function and stored the hash value instead of the password itself. More modern methods include challenge-response and Kerberos, but for the user, nothing has changed; you still enter a user name and a password to log on.
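The stored-hash approach described above, as an added example that is not part of the original newsletter and is not how any particular Windows version stores credentials. It goes beyond the paragraph by adding a per-user random salt and a deliberately slow key-derivation function (PBKDF2); the iteration count, record field names and sample password are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 100_000                     # assumed work factor for this example
SALT_BYTES = 16                          # assumed salt length
SAMPLE_PASSWORD = "eighty-Pizzas-2010"   # constructed sample value


def make_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Build what the account database keeps instead of the password itself."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)    # fresh random salt per account
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS
    )
    return {"salt": salt.hex(), "iterations": ITERATIONS, "hash": digest.hex()}


def verify(attempt: str, record: dict) -> bool:
    """Hash the logon attempt the same way and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode("utf-8"), salt, record["iterations"]
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def bare_hash(password: str) -> str:
    """A single unsalted hash: equal passwords always give equal values."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def demo() -> dict:
    """Run the checks a defender cares about and return them by name."""
    alice = make_record(SAMPLE_PASSWORD)
    bob = make_record(SAMPLE_PASSWORD)   # second account, same password
    return {
        "correct_password_accepted": verify(SAMPLE_PASSWORD, alice),
        "wrong_password_rejected": not verify("eighty-pizzas-2010", alice),
        "password_absent_from_record": SAMPLE_PASSWORD not in repr(alice),
        # Without a salt, two accounts sharing a password are visibly linked.
        "bare_hashes_identical": bare_hash(SAMPLE_PASSWORD) == bare_hash(SAMPLE_PASSWORD),
        # With a salt, the same password yields unrelated stored values.
        "salted_records_differ": alice["hash"] != bob["hash"],
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The logon prompt is unchanged for the user; only the stored record and the comparison step differ from the clear-text scheme.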

This was no big deal when we had a single user name/password to remember. Today, however, most of us are juggling many different passwords and trying to keep them straight in our heads. In addition to our Windows logon password (which may be different from our network logon password - and in fact, we may have several of the latter if we need to log onto different networks, such as one at home and one at work), we also must remember passwords for protected web sites that we visit. Everything from ordering a pizza online to conducting a million dollar wire transfer through your banking web site requires a password, and best security practices (and common sense) say it would be foolish to use the same password for everything. If that one password were compromised, the unauthorized person would have the keys to the entire kingdom.

If you're like me, you probably have user names and passwords for all or many of the following: online publications that you read (newspapers, tech sites), restaurant reservation services such as Open Table and/or individual restaurants, accessing your bank accounts, paying your credit card bills, paying your utility bills, online shopping sites such as Amazon or NewEgg, vendor sites for your major electronics such as Dell or HP or Sony, forums and discussion boards in which you participate, social networking sites you belong to, and many more. Those are just the ones I can think of, off the top of my head.

Not only should each of those passwords be different (or at least each of the ones that deal with financial transactions), they should also be fairly complex. You don't want to use passwords that can be easily guessed or cracked with a brute force attack. Sure, you might think "I'm only ordering a pizza, for heaven's sake - and I'm paying cash at the door so I don't even enter my credit card information." Still, it would be no fun to have eighty pizzas show up one night (with the accompanying bill) because of some hacker's idea of a practical joke.

With our ability to get anything done online dependent on all these passwords, we have to come up with ways to manage them without going nuts. Many folks resort to allowing Internet Explorer to save their passwords for web sites, so they won't have to enter them each time they access those sites. The passwords are stored in encrypted form, but you can use a utility such as IE PassView to access the stored passwords if you forget them.

That's handy - but it means if someone else has access to your computer, that person could use the same means to view your passwords. Another risk of letting IE save your passwords is that if the browser is doing the remembering for you, you may forget the passwords yourself. Then if your system crashes and has to be reinstalled or you're away from your primary computer and need to access the site from another computer, you won't know the password.

Password management software can make it easier. Most of these programs store your passwords in a local database that's encrypted and protected by one strong master password. Some generate random passwords for you. The problem with password management software is the single point of failure it provides. If the master password is compromised, all of your passwords are at risk. Thus it's extremely important to safeguard that master key. There are a number of third party password management solutions, such as Roboform, Password Agent, TurboPasswords, and more. You can see a comparison of ten popular password management packages here:

Another alternative to memorizing lots of passwords is a single sign-on system. This allows you to log on once to a centralized authentication server and then gain access to multiple sites or resources. Windows Live ID is an example of a single sign-on system. Single sign-on systems that rely on passwords suffer from the same problem as password management software; if the password to the authentication server is compromised, the damage can be widespread because the attacker now has access to all the sites that use that system.

Because of the inherent risks associated with passwords, tech pundits have been predicting for years "the end of passwords." Bill Gates said it at the RSA Conference in San Jose, CA in February 2006:

Almost four years later, passwords are still with us. However, those systems and networks that contain sensitive data have moved, not to replace passwords but to supplement them with something more. High security single sign-on systems, for example, use multi-factor authentication. Multi-factor authentication still uses passwords (or PINs) but requires something additional in order to log on, typically a smart card or biometric input.

Microsoft operating systems have supported smart card authentication since Windows 2000. To gain access to the system, a user must have physical possession of the card in addition to knowing the password. Stealing the card and password is much more difficult than cracking the password alone. Windows 7 includes new features that make it easier to deploy and use smart cards. Driver installation is more automated thanks to support for the Personal Identity Verification (PIV) standard. Smart cards can be used to unlock BitLocker encrypted drives and to digitally sign email and documents without having to install additional software. You can read more about Windows 7 smart card enhancements here:

Another means for accomplishing two-factor authentication that's been floated for years, but hasn't quite caught on, is the use of your cell phone as the second factor. After all, it's something that most of us carry with us all the time, and it has an identification number that's unique. A couple of years ago, an article in Forbes touted this as a way to "stop cybercrime":

Years before, though, when New Zealand banks implemented cell phone authentication, security author Bruce Schneier pointed out some of the drawbacks:

Although using a smart card or cell phone to identify you is much more secure than using passwords alone, cards and phones can still be stolen. An even more secure means of authenticating identity is biometrics, which requires the user to provide a unique physiological or behavioral attribute. A password/PIN may or may not also be required. The most common form of biometric identifier is the fingerprint. Windows systems have been able to process biometric input in the past, and a number of high-end Vista laptops included fingerprint logon, but third party software was required. Windows 7 is the first Microsoft OS to include the Windows Biometric Framework. This makes it easy for developers to build biometrics into their applications, and makes it easier for users to manage biometric hardware devices (currently limited to fingerprint readers). You can read more about Windows 7 biometrics support here:

Will the 2010s be the decade when passwords go away for good? I'm not betting on that - but I do think we'll see multi-factor authentication become more common, and not just in the workplace. And I look forward to the day when I won't have to carry a dozen or more username/password combinations around in my head. How about you? Tell us what you think about passwords vs. other means of user identification/authentication. Would smart cards complicate things too much for the average computer user? Are people willing to pay the cost for additional equipment (card readers, biometric devices) in return for more security? Is biometrics the answer, or does it raise too many privacy issues? Are you thrilled or alarmed at the prospect of using your cell phone to authenticate your identity? Are you taking advantage of Windows 7's enhanced support for smart cards and biometrics? If not, would you like to? We invite you to discuss this topic in our forum at

'Til next week,
Deb Shinder, Editor

PS: Did you know this newsletter has a sister publication for XP users called WXPnews? You can subscribe here, and tell your friends:

And for IT pros, there's our "big sister," WServer News, at

Quotes of the Week

"Another flaw in the human character is that everybody wants to build and nobody wants to do maintenance." - Kurt Vonnegut (1922 - 2007)

"When a thing ceases to be a subject of controversy, it ceases to be a subject of interest." - William Hazlitt (1778 - 1830)

"You can't have everything. Where would you put it?" - Steven Wright (1955 - )

Cool Tools


20 Free PC Performance Reports. The World's Most Comprehensive PC Health Scan is Free

Never reinstall your XP again. New technology: easy set-up, no loss of data or applications. The ultimate professional repair tool. Free comprehensive PC diagnostic with every scan, get it now!

PCmover: The Easiest Way to Move Your Old PC Programs and Settings to Windows 7

Do a search for a driver and you get a ton of Driver Software offers instead. But how do you know which one is good? Try Driver Genius 9.0. Free scan.

ExpertPDF 6.0: View, Create, edit and convert any PDF document. Discount for Win7News readers!

What was that password again? Organize password and order info with RoboForm. Saves me a ton of time and hassle! Secure password storage:

WhiteSmoke 2009 is an innovative proofreading and editing tool with a single aim - to help you write better.

Advanced Vista Optimizer does a great job tweaking Vista for Max performance.

Backups? Why back up when you can sync? Simply replicate every piece of data to another drive in real-time. Set it and forget it.

Your Uninstaller! 2008 takes the place of the clunky Windows Control Panel "Add/Remove Programs" and offers many other useful functions

Kill the background tasks belonging to (legitimate) software that run all day. Why? To get your speed back! But which ones can I kill? Try this:

News, Hints, Tips and Tricks

Playing God with Windows 7?

Before your imagination runs amok (or amuck) with power-hungry anticipation, let me say that I think the name is a bit over the top. Nonetheless, the newly publicized "GodMode" feature in Windows 7 is quite useful, as it gives you a way to access just about all of the OS controls from the same location. Find out more about it here:

Inkball on Windows 7

Windows 7 comes with a handful of built-in games, including Chess Titans, Hearts, Spider Solitaire and more. But one game you won't find in the menu is Inkball, which was available to Vista Ultimate users as an "Ultimate extra." If you're missing it now that you've upgraded to Win7, never fear. You can download and install it from this site:

50% discount on Windows 7 for SMB customers

If you have a small or medium sized business and you're running Windows XP and/or Office XP, you can now get big discounts just like Vista/Office 2003 or 2007 users, when you upgrade to the latest versions of Windows and Office as part of an Open Value Subscription (OVS) plan. You get the first year's payment at half price, and you get all the software assurance benefits (which include automatic upgrade to Office 2010 when it's released later this year). Find out more here:

Display your desktop on your TV - wirelessly

Of course you can hook up your computer's video card output to your big screen HDTV via a VGA, DVI or HDMI cable, but don't you already have enough wires cluttering up the place? A new device from Alereon lets you do the same thing, wirelessly. It plugs into the USB port on your computer and transmits to a receiver that's attached to the TV. They call it an "extender," which to me is a little misleading because it's not a full-fledged Media Center extender, but I can see some situations in which this might be very useful. Check it out here:

Latest contender for the title of iPhone Killer

I've already written about the Motorola Droid and the Omnia II, both of which are great alternatives to the iPhone. Today Google finally unveiled their long-awaited Google Phone, called the Nexus One, and it looks pretty compelling. Made by HTC, it has a 3.7 inch AMOLED display like the Omnia II's (bigger and brighter than the iPhone's), and a 1 GHz Snapdragon processor that blows away the processors in most other smart phones. It runs the Android 2.1 OS, an upgrade to the 2.0 version in the Droid. I like my OII, but this one is very interesting.

For now, it's only offered by T-Mobile, but it's going to get even more tempting when it comes to Verizon in the spring:

How to: Using the New Windows 7 Features

How to create a password reset disk

If you forget your password to log onto Windows 7, you can change it (without knowing the old one) by using a password reset disk. That's handy, especially for accounts that aren't used often (for example, my daughter has a user account on our "guest" computer here at the house but she only comes to visit a couple of times a year so sometimes she forgets the password). Remember to keep the disk in a safe place, though, because anyone else can also change your password and access your user account with it. Here's how to create it:
  1. Log onto the account for which you're going to make the disk.
  2. Decide what media you're going to use. It can be a floppy disk (if you have a floppy drive), USB stick, flash card or external hard drive. Insert or connect the media.
  3. Click Start | Control Panel | User Accounts.
  4. In the left pane, click "Create a Password Reset Disk."
  5. In the Forgotten Password Wizard dialog box, follow the instructions to make the disk.
Note that if your computer belongs to a domain, you cannot create a password reset disk. The domain administrator can reset your password for you.

Windows 7 and Vista Security

Hackers expected to target Windows 7 in 2010

Microsoft says Windows 7 is its most secure operating system yet, with a number of new or improved mechanisms for protecting your system from attack and your data from intrusion. But the popularity of the new operating system almost ensures that hackers will do all they can to find vulnerabilities in Windows 7 and exploit them. Thus Microsoft is ramping up to stay as far ahead of the game as possible and respond as quickly as possible to threats as they arise. Read more here:

Question Corner

Copying music to my hard drive

Everyone else probably knows the answer but I'm new to this. I want to copy some CDs I bought to my hard drive, just for my own personal use, not to share with anybody else. I tried just putting the CD in the drive and copying it with Windows Explorer in Windows 7 but that doesn't seem to work. What do I have to do? - Richard K.

In Windows Explorer, each track on a CD displays as a .cda file. CD Audio isn't really a computer file format. The files are basically .wav files. You need to "rip" them to a format that you can play on your computer. You can do this with Windows Media Player 12. You'll probably want to use a compressed format because if you use uncompressed (lossless) .wav, it will use a very large amount of hard drive space (from 1/2 to 1 GB for a one hour CD). However, this is the highest quality format so use it if you have a lot of disk space and want the very best. For small file sizes, select MP3 or WMA.

Put the CD in the drive and click "Rip Settings" on the WMP toolbar to select the file format, bit rate, name and location. Then click "Rip CD". Each track is saved as a separate file. For more info on ripping CDs, see

Windows 7 Configuration and Troubleshooting

Customize default user profiles in Windows 7

Several readers have complained to me that you can't customize mandatory user profiles in Windows 7. Actually, you can - but you first have to customize the default user profile and copy it to the appropriate shared folder. For step-by-step instructions on how to do it, see KB article 973289 at

Network Monitor 3.3

Network Monitor is the Windows protocol analyzer (a.k.a. "sniffer") software that has been built into various versions of Windows. The latest version, 3.3, supports Windows 7, Vista and Server 2008. You can use it to capture network data "live" as it travels across the network. For information on downloading and installing it, system requirements, and caveats for using this utility, see KB article 933741 at

Fav Links

This Week's Links We Like. Tips, Hints And Fun Stuff

Disclaimer: VistaNews does not assume and cannot be responsible for any liability related to you clicking any of these linked Web sites.

Product of the Week

20 Free PC Performance Reports

For nearly a decade, PC Pitstop has helped computer users like you troubleshoot their systems and save money by fixing common issues that plague PCs.

Run the Free PC Matic Scan today and receive 20 Free Reports detailing the overall health, security and speed of your computer.

Get Your 20 Free Reports Now!

 About Win7News

What Our Lawyers Make Us Say
These documents are provided for informational purposes only. The information contained in this document represents the current view of Sunbelt Software on the issues discussed as of the date of publication. Because Sunbelt must respond to changes in market conditions, it should not be interpreted to be a commitment on the part of Sunbelt and Sunbelt cannot guarantee the accuracy of any information presented after the date of publication.


This newsletter and website may contain links to other websites with whom we have a business relationship. Sunbelt Software does not review or screen these sites, and we are not responsible or liable for their privacy or data security practices, or the content of these sites. Additionally, if you register with any of these sites, any information that you provide in the process of registration, such as your email address, credit card number or other personally identifiable information, will be transferred to these sites. For these reasons, you should be careful to review any privacy and data security policies posted on any of these sites before providing information to them.

The user assumes the entire risk as to the accuracy and the use of this document. This document may be copied and distributed subject to the following conditions: 1) All text must be copied without modification and all pages must be included; 2) All copies must contain Sunbelt's copyright notice and any other notices provided therein; and 3) This document may not be distributed for profit. All trademarks acknowledged. Copyright Sunbelt Software, Inc. 1996-2010.

Sunbelt Software
33 North Garden Avenue
Clearwater, Florida USA 33755
