Tag Archive for Encryption

Smartphone Sanitizing: A Practical Guide

Everybody loves to upgrade their smartphone. Smartphones are replaced every 2 to 3 years. This love affair results in approximately 5.3 billion smartphones being discarded globally. If we lined up 5.3 billion smartphones end to end, they would stretch around the Earth approximately 120 times! Unfortunately, most of these phones end up in landfills or incinerators instead of being properly recycled. In this blog, I offer tips on wiping your data off your old smartphone the next time you change Android phones.

Personal data left on discarded smartphones can lead to fraudulent credit card transactions, unauthorized account access, and identity theft. Hackers can exploit this information to impersonate you or gain unauthorized access to your accounts. If you throw away your old smartphone, there’s no telling who might be able to get their hands on your hardware—and, by extension, your data. That is why you must take the following steps to wipe all of your personal data from your retired smartphone.

Who can see your personal info

Vendor software does not guarantee complete memory sanitization, and third-party products primarily focus on encryption. In any case, it’s challenging to ensure that a device has been securely “zeroed out.”

The recommended approach, although not foolproof, involves performing a factory reset on your smartphone. A factory reset will erase data and restore the device to its factory settings.

The specific steps will vary depending on the manufacturer of your device. This approach will, in all likelihood, make it extremely difficult for anyone without access to expensive, specialized hardware to recover any data that had been stored on the smartphone.

Disposing of an Android smartphone

Back up your data: Before performing a factory reset on your Android phone, ensure all important data is backed up. Android 8.1 or later automatically backs up your text messages, but not your call log. To manually back up your Android:

  1. Go to “Settings.”
  2. Click “Google” > “Backup.”
  3. Tap “Back up now.”

Sync your apps with your Google account. Google apps usually sync automatically, but you can also sync them manually. Note that syncing non-Google apps requires checking individual app settings and syncing them manually.

  1. Go to “Settings.”
  2. Tap “About phone” > “Account sync.”
  3. Tap “More” > “Sync now.”

Next, back up your Google Photos:

  1. Open the Google Photos app.
  2. Sign in.
  3. Tap your profile icon in the top right corner.
  4. Tap “Settings” > “Backup.”
  5. Toggle “Backup” on.

Clean up your apps:

Now, delete saved passwords from your browsers and apps:

  1. Unsync them from associated accounts.
  2. Remove your SIM card and any external storage.
  3. Log out of your Google account.
    • Go to “Settings” > “Users and Accounts” and select your account.
  4. Remove any payment cards associated with your Android phone:
    • Open the Google Play Store app.
    • Tap “Menu” > “Payment methods” > “More payment settings.”
    • Sign in to pay.google.com if needed.
    • Choose the payment method you want to remove and tap “Remove.”

Encrypt your smartphone:

Once you’ve finished cleaning up your apps, consider encrypting your phone. Encryption ensures that even if the new owner of your device tries to restore all your data, they won’t be able to access it. The steps for carrying out a factory reset vary slightly depending on the device manufacturer. These general steps should help you locate the specific options on your device.

  • Tap “Reset options.”
  • Choose “Erase all data (factory reset).”
  • Tap “Reset phone.”
  • Tap “Erase everything.” Your phone will be returned to the same state as when you purchased it.

You can then proceed with encrypting your phone.

  • Go to “Settings” > “System.”
  • Go to “Settings” > “Security & location.”
  • Tap “Encryption & credentials.”
  • Tap “Encrypt phone.”

Factory reset smartphone

You are almost done. The final task is to factory reset the smartphone. A factory reset will remove most of the data from your device before you sell it. To perform a factory reset:

  • Go to “Reset options” > “Erase all data (factory reset).”
  • Tap “Erase everything.”

It’s important to note that a factory reset doesn’t guarantee complete data removal. While Android loses track of the data’s location, it might still be recoverable with specialized techniques. Moreover, Android smartphones can’t overwrite this data.
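Why encrypting before the reset matters, as an added illustration that is not from the post: the toy storage model below (an assumption, not how any real phone’s flash is laid out) shows that a reset which only forgets where files live leaves plaintext carvable from the raw blocks, while the same reset on an encrypted device leaves only ciphertext once the key is gone.

```python
import hashlib
import secrets


class ToyFlash:
    """Constructed model of a phone's storage: a file table plus raw data blocks.
    A 'factory reset' here clears the file table only; the data blocks are not
    overwritten, which is the behaviour the post describes for Android."""

    def __init__(self, size=4096):
        self.blocks = bytearray(size)   # raw storage, initially all zeros
        self.table = {}                 # file name -> (offset, length)
        self.next_free = 0

    def write(self, name, data):
        off = self.next_free
        self.blocks[off:off + len(data)] = data
        self.table[name] = (off, len(data))
        self.next_free += len(data)

    def factory_reset(self):
        """Forget where files live, but leave every byte in place."""
        self.table.clear()
        self.next_free = 0

    def carve(self, needle):
        """Forensic-style search of the raw blocks for a known byte pattern,
        ignoring the (now empty) file table."""
        return self.blocks.find(needle) != -1


def keystream(key, length):
    """Deterministic keystream: SHA-256 over key||counter (illustration only,
    not a production cipher; a real device uses AES)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_crypt(key, data):
    """XOR with the keystream; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def plaintext_phone_leaks(secret):
    """Unencrypted device: write, factory reset, then carve. Returns True if
    the secret is still recoverable from the raw blocks."""
    flash = ToyFlash()
    flash.write("sms.db", secret)
    flash.factory_reset()
    return flash.carve(secret)


def encrypted_phone_leaks(secret):
    """Encrypted device: what sits on flash is ciphertext under a random key;
    the reset discards the key (crypto-erase), so carving finds nothing."""
    key = secrets.token_bytes(32)
    flash = ToyFlash()
    flash.write("sms.db", xor_crypt(key, secret))
    flash.factory_reset()
    del key  # the only copy of the key goes with the reset
    return flash.carve(secret)


if __name__ == "__main__":
    msg = b"constructed: text message to Alice about the surprise party"
    print("plaintext device still leaks:", plaintext_phone_leaks(msg))
    print("encrypted device still leaks:", encrypted_phone_leaks(msg))
```

Recent Android releases encrypt user data by default and discard the keys on reset, which is why the advice to encrypt before wiping holds even on a phone whose settings no longer show an “Encrypt phone” item.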

Remove accounts: Lastly, make sure to remove your Google account and any other accounts linked to the device:

  1. Log in to your Google account.
  2. Head to the “Recently Used Devices” section.
  3. Find the phone you are getting rid of, click on it, and then tap “Remove.”

Sign out of apps that store your login details, like Facebook and Gmail, and make sure they don’t retain these details.

rb-

If the device is going to be disposed of, you should take it to an electronic recycler or donate it to an organization that can repurpose it, like the National Coalition Against Domestic Violence.

Protect your privacy by securely wiping your old smartphone before disposal. Back up data, remove accounts, encrypt, and factory reset the device. Recycle responsibly.

 


Ralph Bach has been in IT for a while and has blogged from the Bach Seat about IT, careers, and anything else that has caught my attention since 2005. You can follow me on Facebook or Mastodon. Email the Bach Seat here.

It Is World Data Backup Day 2021

The tenth annual World data backup day is March 31, 2021. World data backup day is a time to remember to back up the data on your computer, your phone and other mobile devices. Data backup is a not-so-hard way to avoid a disaster, because your chances of losing your data are pretty good.

Consider the following:

  • 30% of people have never backed up
  • 113 phones lost or stolen every minute
  • 1 in 10 computers are infected with a virus every month
  • 31% of PC users have lost all of their files due to events beyond their control
  • 140,000 hard drives crash in the US every week
  • 60% of companies that lose their data will shut down within 6 months of the disaster

Your data is worth more than your devices

Hardware is cheap and getting cheaper. What is the value of the new business plan you spent three months writing? The music and movies you have on your devices? The cute video of your kid’s trip to the beach or your puppy being a goof? You can get a new computer or phone, but you can’t replace those important files without a backup.

Why you should have a data backup plan

There are several scenarios that could take place where having a backup of your data would be useful:

  • Your phone gets stolen, and you lose all your pictures and videos.
  • An external hard drive crashes, deleting your home videos.
  • You forget your laptop in a cafe and you’ve lost all your homework.
  • A virus holds your data hostage until you pay to remove the restraints.
  • You accidentally delete something important.

What to do?

The advantage of having your important data backed up off-site, away from your home or office, is that it’s safe from theft, fire, and other local disasters. When you back up your data, you’re making a second copy of files you don’t want to lose. Should something happen to the originals, you can restore the backups to your computer or mobile device.

Technically, a backup just refers to any piece of data that exists in two places. The primary purpose of a data backup is to have a recovery plan should the primary data become inaccessible. It is common to keep backups off-site, such as online, or at the very least on a second hard drive, even another internal one.

Your data backup options

There are 2 types of cloud services to hold your data backups. The first is a cloud storage service for keeping your data safely backed up online. A cloud storage service is a place to selectively upload important files that you need to keep off of your physical device.

If you are a Microsoft 365 customer, OneDrive cloud backup is included in most plans.

If you prefer Google, Google Drive is a cloud backup option to investigate.

iCloud is cloud storage for Apple devices.

There are lots of other cloud storage services to pick from.

Some argue that using these services gives the tech titans more access to your data. If that concerns you, there is a second option. Cloud backup services let you back up data automatically and on a schedule. There are many cloud backup services to choose from as well.

When backing up to the cloud, be sure you understand the level of encryption they offer. When you encrypt data, you encode it so only authorized people can read it. It is up to you to keep your backup secure. Use a strong password and choose the 448-bit option, the maximum encryption offered by many providers. It would take a computer millions of years to crack the encryption and gain access to your data.

Don’t forget to test your data backup

Remember that you haven’t really backed anything up unless you can restore it.

Many people are unable to restore their data backup because they forgot or lost their decryption password. Keep it somewhere secure, but not in your backup. Others never did a practice restore, so they simply weren’t practiced enough in using their tool to use it reliably when the pressure was on.

rb-

Whether to a USB drive, an external drive, the cloud or a private server, back up all that important data somewhere safe. Do this often.

Treat restoring data backups like a fire drill: practice being safe before the real thing happens, so you aren’t fighting against both fear and unfamiliarity at the same time.

Stay safe out there!


What You Need to Know About Zoom

Updated 12/01/2020 – Zoom has agreed to settle allegations (PDF) made by the US Federal Trade Commission (FTC) that it “engaged in a series of deceptive and unfair practices that undermined the security of its users.” Among the charges were that Zoom misled users by:

The settlement does not require Zoom to admit fault or pay a fine, so they got away with it.

Updated 05/01/2020 – Zoom made a big splash when CEO Eric Yuan claimed the video conferencing firm had surpassed 300 million daily Zoom meeting users last week. That’s impressive growth in the face of security and privacy holes documented on the Bach Seat and around the Intertubes.

Well, in a Zoom tradition, they “back-tracked” that announcement, just like they back-tracked their definition of “end-to-end encryption.” Zoom artificially inflated the number of users by counting meeting participants as “users” and “people.”

Daily meeting participants can be counted multiple times: if you have four Zoom meetings in a day, then you’re counted four times. SVCOnline explains that calling meeting participants “daily users” makes Zoom usage seem larger than it is. The term most companies use to measure service usage is daily active users (DAU). A DAU is counted once per day.

Updated 04/08/2020 – Zoom now faces four lawsuits over its security and privacy practices. Today, Google banned employees from using Zoom, joining NASA, SpaceX, NYC schools, Clark County (Las Vegas) schools, the governments of Germany and Taiwan, as well as Apple.

Updated 04/07/2020 – In a new blow to Zoom’s security credentials, researchers have discovered up to 15,000 private Zoom recordings exposed online. Many of them were apparently stored in Amazon Web Services (AWS) S3 buckets without passwords.

Zoom has taken off. Thanks to the global COVID-19 lock-down Zoom’s (ZM) stock has surged over 250% on the NASDAQ since October 2019. Zoom’s video conferencing platform daily usage has exploded from 10 million in December 2019 to more than 200 million in March 2020.

After its stock price run-up and its exploitation of the COVID-19 pandemic, Zoom has come under intense scrutiny. The FBI issued a warning about using Zoom. The New York Attorney General’s office sent a letter to Zoom about its practices. Security professionals have found a disturbing list of flaws in Zoom. Here is a brief list of the risks you take when using Zoom.

Zoom Risks

Phishing – Security firm Check Point Software says criminals are waging phishing campaigns with Zoom-related themes as a lure. The phishing emails that Check Point has observed spoof Zoom login pages and attempt to get victims to input their credentials. The Zoom credentials are then harvested by the attackers. Check Point has also uncovered malicious files with names that include “zoom” in the title.

Encryption

Phony end-to-end encryption – Zoom uses misleading advertising to claim that its meetings use “end-to-end encryption,” according to The Intercept. Zoom uses the term “end-to-end encryption” incorrectly. Zoom admitted their definitions of “end-to-end” and of “endpoint” are different from everyone else’s. A spokesperson told The Intercept, “When we use the phrase ‘End to End’ … it is in reference to the connection being encrypted from Zoom endpoint to Zoom endpoint.”

Unlike Apple, Zoom’s data is only encrypted when it travels back and forth from an end-user to a Zoom server. Your data is decrypted at the Zoom server. Zoom (or TLA) can see and hear whatever is going on in its meetings. Zoom Chief Product Officer Oded Gal wrote:

We recognize that there is a discrepancy between the commonly accepted definition of end-to-end encryption and how we were using it.

The Intercept concludes that Zoom doesn’t decrypt user transmissions — but it could.

Zoom bombing – Zoom bombing occurs when a third party interrupts or takes over a video conference. Anyone can “bomb” a public Zoom meeting. All they need is the meeting number. Attackers can use the file-share to post shocking images or make annoying sounds in the audio. The host of the Zoom meeting can kick out troublemakers, but they can come right back with new user IDs. The FBI issued a warning about Zoom bombing.

To prevent Zoom bombing do not share Zoom meeting numbers with anyone but the intended participants. Also require participants to use a password to log into the meeting.

Windows password stealing – Bleeping Computer reports that malicious users can use the Zoom side chats to post a Universal Naming Convention (UNC) link that points to a remote server. From there, the victim’s Windows computer will try to reach out to the hacker’s remote server specified in the path, and the PC will automatically try to log in with the user’s Windows username and password. The attacker could capture the password “hash” and crack it, giving them access to the Zoom user’s Windows account.

Windows malware injection – The same flaw allows a hacker to insert a UNC path to a remote executable malicious file into a Zoom meeting. If a Zoom user running Windows clicks on it, the computer will try to load and run the malicious software. The victim will be prompted to authorize the software to run, which will stop some hacking attempts but not all.
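A defender-side check for the two UNC problems just described, as an added example that is not from the post or from Zoom: it scans a constructed chat export for UNC paths, flags every one as a credential-leak risk (the automatic Windows login attempt) and those naming an executable as an additional launch risk. The chat line format and the host names are assumptions.

```python
import ntpath
import re

# A UNC path is two backslashes, a host, then optional share/file components.
# Only the backslash form is matched here (assumption).
UNC_RE = re.compile(r"\\\\([A-Za-z0-9._-]+)(?:\\[^\s<>|]*)?")

# File types Windows will execute or hand to a script host when opened.
EXEC_EXT = {".exe", ".bat", ".cmd", ".ps1", ".lnk", ".scr", ".msi",
            ".vbs", ".js", ".hta", ".jar"}

# Constructed chat export in the style 'HH:MM:SS From <name>: <text>' (assumption).
# 203.0.113.10 and files.example.net are documentation/reserved names, not real hosts.
CHAT_EXPORT = [
    "10:02:11 From Alice: slides are in the shared folder, see the agenda",
    "10:03:40 From Guest 7: check this out \\\\203.0.113.10\\share\\cat.jpg",
    "10:04:02 From Guest 7: run \\\\files.example.net\\tools\\update.exe to fix audio",
    "10:05:15 From Bob: link: https://example.com/doc",
]


def find_unc_links(text):
    """Return every UNC path in a message with its host and whether it names an executable."""
    hits = []
    for m in UNC_RE.finditer(text):
        path = m.group(0)
        ext = ntpath.splitext(path)[1].lower()   # ntpath understands backslash separators
        hits.append({"path": path, "host": m.group(1), "executable": ext in EXEC_EXT})
    return hits


def triage_chat(lines):
    """Classify each UNC link: any link can trigger an outbound NTLM authentication
    to the named host (credential-leak risk); one naming an executable adds a launch risk."""
    findings = []
    for line in lines:
        stamp, _, rest = line.partition(" From ")
        sender, _, text = rest.partition(": ")
        for hit in find_unc_links(text):
            hit.update(time=stamp, sender=sender,
                       risk="executable-launch" if hit["executable"] else "credential-leak")
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in triage_chat(CHAT_EXPORT):
        print(f"{f['time']} {f['sender']!r}: {f['risk']} via {f['host']} ({f['path']})")
```

On the Windows side, the exposure is reduced by the group policy “Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers” and by blocking outbound SMB (TCP 445) at the network edge.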

Apple iOS profile sharing – Zoom sends iOS user profiles to Facebook. This is done with the “log in with Facebook” feature in the iPhone and iPad Zoom apps. After Motherboard exposed the practice, Zoom said it hadn’t been aware of the profile-sharing. Zoom’s initial response was to blame the social network’s software development kit used in the Zoom software. CNet concludes that Zoom shares enough personal data that it qualifies as selling your data.

Malware-like behavior on Macs – Zoom was caught using hacker-like methods to bypass normal macOS security. It was thought this flaw had been fixed. But security researcher Felix Seele noticed that Zoom installed itself on his Mac without the usual user authorization.

The application is installed without the user giving his final consent and a highly misleading prompt is used to gain root privileges. The same tricks that are being used by macOS malware.

A backdoor for Mac malware – Patrick Wardle, a former NSA hacker and now principal security researcher at Jamf, said in a blog post that Zoom used a discontinued installation process. The deprecated process could allow malware to add malicious code to “escalate privileges.” This would allow an attacker to gain total control over the machine without knowing the administrator’s password.

CSO Online reports that he demonstrated the backdoor. He installed a malicious script into the Zoom Mac client. This could give any piece of malware access to the Mac’s webcam and microphone. It would turn any Mac with Zoom into a spying device.

Leaks of email addresses and profile photos – Zoom automatically puts everyone sharing the same email domain into a “company” folder where they can see each other’s information. If you are not a user of large webmail clients like Gmail, Yahoo, Hotmail, or Outlook.com, you could end up in a “company” with dozens of strangers.

Sharing of personal data with advertisers – Privacy experts for Consumer Reports reviewed Zoom’s privacy policy and found that it gave Zoom the right to use Zoom users’ personal data and to share it with third-party marketers. In a blog, Aparna Bawa, Zoom’s chief legal officer, claimed “we do not sell your personal data.” The lawyer definitively concluded, “We are not changing any of our practices.” But we don’t know the details of Zoom’s business dealings with third-party advertisers.

Cloud snitching – For paid subscribers, Zoom’s cloud recording feature can be a problem waiting to happen. Mashable points out that any time Zoom is used, your person-to-person chat messages are saved and could be sent to your boss by any authorized user. CNet notes that Zoom administrators can limit the recording’s accessibility by IP address, but this is not enabled by default.

Tattle-tale attention-tracking feature – Zoom’s attention-tracking feature allows the meeting host to monitor if you are paying attention to their PowerPoint deck. The Zoom desktop client or mobile app alerts the host if any attendees go more than 30 seconds without Zoom being in focus on their screen.

rb-

I agree with those who are calling Zoom’s development processes lazy. As you can see, Zoom’s software development process creates a huge attack surface.

Tom’s Guide is tracking the status of Zoom’s problems. So is Zoom safe to use? That is your call. You need to make an informed decision and patch your Zoom software.

You should be suspicious of “free” products. As in the case of Google and Facebook, you are the product for Zoom. They are monetizing you. Follow the money.

Eric Yuan, the founder and CEO of Zoom, is profiting by using your info. His personal wealth has increased 112% to $7.57 billion in the past three months, as the use of Zoom skyrockets amid the pandemic, while the other 99% of the world braces for a global recession.

How does he get all of that money on free software?

 

Stay safe out there!


COVID Cover for Power Grab to End Encryption

Just in time for Independence Day, Republican Senator Lindsey Graham (SC) led the U.S. Senate to approve the EARN IT Act. The bill could end encryption and free speech as we know it, online. The EFF explains…

The bill will create a new government commission, dominated by law enforcement agencies, and give it unprecedented power over websites both large and small. Attorney General Bill Barr and the DOJ have demanded for years that messaging services give the government special access to users’ private messages. If EARN IT passes, Barr will finally get his wish—law enforcement agencies will be able to scan every message sent online. The EARN IT Act (S. 3398) is anti-speech, anti-security, and unnecessary.

The legislation is intentionally vague. The legislation gives this new commission unprecedented power. It can demand websites share nearly any information or do nearly anything it wants. It effectively makes encryption and protecting your privacy illegal.

Do something this Fourth of July!

1.  Sign the Action Network petition to tell Congress: “Don’t kill online encryption! Reject the dangerous EARN IT Act.”

2.  Call 1 (813) 213-3989. You’ll be connected to your members of Congress so you can tell them: vote NO on the EARN IT Act, and any attempt to spy on our digital communications.

In the midst of America closing up shop in fear over the COVID-19 pandemic, the U.S. government is not shutting down. Why? Perhaps they figure that most of us are too preoccupied with toilet paper hoarding and missing March Madness. They figure they can sneak in additional restrictions on our freedoms.

Casey Newton at the Verge is tracking the Eliminating Abusive and Rampant Neglect of Interactive Technologies (“EARN IT”) Act (S. 3398). The EARN IT bill was the subject of a Senate hearing on 03/12/2020. The EARN IT Act was introduced by the self-quarantined Trump supporter, Republican Sen. Lindsey Graham. The premise of the bill is that technology companies have to earn Section 230 protections. This changes decades of precedent. The bill says tech firms have to earn Section 230 protections by complying with the politicians, rather than being granted immunity by default by the Communications Decency Act.

EARN IT Act designed to hobble encryption

Experts believe that the bill is the latest effort by the government to destroy online free speech and security. It is designed to hobble encryption in the guise of child protection. Today, it is disguised as “lawful access” in the U.S. government’s latest push against end-to-end encryption. CNet defines end-to-end encryption as a security technology that encodes your sensitive data, such as passwords and financial and health information stored on your devices. Encryption protects your data from being viewed by employees of the company providing the service and by governments looking to spy on citizens.

The bill calls for tech companies to create an opening in their own encryption, an opening that only law enforcement agencies could use for investigations. The Feds have a long history of attacking encryption online. CNet explains that in 2017, the Justice Department called it “responsible encryption.” The feds wanted tech firms to provide encryption for everyone, but only if they handed over a special key that governments could use to snoop on communications. The FBI calls it the “Going Dark” problem. They claim investigations can hit a dead end because of encryption. Prosecutors have asked for backdoors to encryption. The Justice Department has called it “warrant-proof encryption.” The DoJ argues that encryption hinders law enforcement from keeping track of criminals or gathering evidence.

Protections under the First Amendment

Mr. Newton points out that it’s not clear that companies have to “earn” what are already protections provided under the First Amendment to publish and to allow their users to publish, with very few legal restrictions. But if the EARN IT Act were passed, tech companies could be held liable if their users posted illegal content. This would represent a significant and potentially devastating amendment to Section 230, a much-misunderstood law that is considered a pillar of the internet and the $26 Trillion businesses that operate on top of it.

The EARN IT Act would require tech firms to adhere to a bureaucratic set of “best practices.” The “best practices” would be drawn up by a newly created national commission. They would have to be approved by the attorney general, homeland security, and the chairman of the FTC.

One of the “best practices” could be eliminating end-to-end encryption. That would deprive the world of a secure communications tool at a time when authoritarian governments are surging around the world. If the tech firms failed to eliminate end-to-end encryption, they could lose legal protection under Section 230.

Graham plan to weaken encryption

There is little doubt they plan to weaken encryption. Graham says:

Facebook is talking about end-to-end encryption which means they go blind … We’re not going to go blind and let this abuse go forward in the name of any other freedom.

Berin Szoka, president of think tank TechFreedom said,

DOJ could effectively ban end-to-end encryption.

Encryption backdoor

The problem with lawful access is that the backdoor or key created for governments would essentially create an opening for everyone. The Feds have already proven they can’t keep their secrets secret, as EternalBlue, Vault 7 and Snowden have proved.

Sophos’ Naked Security blog spoke to Riana Pfefferkorn, Associate Director of Surveillance and Cybersecurity at The Center for Internet and Society at Stanford Law School, about EARN IT. Her analysis says the proposed bill contains no tools to actually stop online child abuse. The bill would actually make it much harder to prosecute pedophiles. She explained that, as it now stands, online providers including Apple, Facebook and Google proactively, and voluntarily, scan for child abuse images.

The keyword is “voluntarily,” Ms. Pfefferkorn says. Those platforms are all private companies, as opposed to government agencies, which are required by Fourth Amendment protections against unreasonable search to get warrants before they search our digital content.

The reason that private companies like Facebook can, and do, do exactly that is that they are not the government, they’re private actors, so the Fourth Amendment doesn’t apply to them.

Agents of the state

Turning the private companies that provide those communications into “agents of the state” would, ironically, result in courts’ suppression of evidence of the child sexual exploitation crimes targeted by the bill, she said.

That means the EARN IT Act would backfire for its core purpose, while violating the constitutional rights of online service providers and users alike.

rb-

The U.S. Department of Defense has explained that it depends on encryption to protect its employees and sensitive data.

Senator Ron Wyden, a Democrat from Oregon, criticized the bill for its potential effects on encryption.

This bill is a transparent and deeply cynical effort by a few well-connected corporations and the Trump administration to use child sexual abuse to their political advantage, the impact to free speech and the security and privacy of every single American be damned.

I am not a fan of Facebook, but they do provide millions of reports to the National Center for Missing & Exploited Children every year. Sadly the amount of action taken by the Feds isn’t quite the same. It is due to a lack of resources and funding from the federal government, according to a New York Times report.

A better way to address the issue would be to give law enforcement more resources. Sen. Wyden argues that the EARN IT Act is a distraction from the Justice Department’s lack of funding and resources to handle online child exploitation.


Password Reset Practices “Obsolete”

Followers of the Bach Seat know that passwords suck. And now Microsoft (MSFT) has joined me in that revelation. The boys in Redmond recently recommended that organizations no longer force employees to change their password every 60 days.

In a TechNet blog penned by Aaron Margosis, a principal consultant for Microsoft, the company called the practice, once a cornerstone of enterprise identity management, “ancient and obsolete” as it told IT administrators that other approaches are much more effective in keeping users safe.

Periodic password expiration is an ancient and obsolete mitigation of very low value, and we don’t believe it’s worthwhile for our baseline to enforce any specific value

In the latest security configuration baseline for Windows 10 “May 2019 Update” (1903), available as a ZIP file for download here, Microsoft dropped the idea that passwords should be frequently changed. The baseline lets administrators apply Microsoft-recommended GPO settings to improve a system’s overall security posture and reduce a Windows 10 machine’s attack surface. Previous baselines had advised enterprises to mandate a password change every 60 days. (And that was down from an earlier 90 days.)

Mr. Margosis acknowledged that policies to automatically expire passwords – and other group policies that set security standards – are often misguided. He wrote,

The small set of ancient password policies enforceable through Windows’ security templates is not and cannot be a complete security strategy for user credential management … Better practices, however, cannot be expressed by a set value in a group policy and coded into a template.

Among those other, better practices, Mr. Margosis mentioned multi-factor authentication, also known as two-factor authentication, and banning weak, vulnerable, easily guessed, or frequently revealed passwords.

ComputerWorld points out that Microsoft is not the first to doubt the convention. The National Institute of Standards and Technology (NIST) made similar arguments as it downgraded regular password replacement. “Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically),” NIST said in a FAQ that accompanied the June 2017 version of SP 800-63, “Digital Identity Guidelines,” using the term “memorized secrets” in place of “passwords.”

At the time, the institute explained why mandated password changes were a bad idea this way:

Users tend to choose weaker memorized secrets when they know that they will have to change them in the near future. When those changes do occur, they often select a secret that is similar to their old memorized secret by applying a set of common transformations such as increasing a number in the password.

Both NIST and Microsoft urged organizations to require password resets when there is evidence that the passwords have been stolen or otherwise compromised. And if they haven’t been touched? “If a password is never stolen, there’s no need to expire it,” Microsoft’s Margosis said.
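The NIST reasoning above, turned into a check an identity team could run at password-change time; this is an added example, not Microsoft’s or NIST’s code, and the blocklist and the transformation heuristics are assumptions. It rejects breached or common passwords and trivial rotations of the old one (bumped number, case change, added symbol, leet, reversal, one-character edit), and expires a password only when a known-compromised digest matches.

```python
import hashlib
import re

# Constructed sample of breached/common passwords (assumption: a real deployment
# checks a breach corpus of millions of entries, not this list).
BREACHED = {"password", "123456", "qwerty", "welcome1", "letmein", "summer2019"}

# Undo the letter-for-symbol substitutions users apply when forced to rotate.
LEET = str.maketrans("0134578$@!", "oieastbsai")


def stem(pw):
    """Heuristic core of a password: lower-case it, drop leading/trailing digits
    and symbols, then undo leet. Summer2019! -> summer, P@ssw0rd1 -> password."""
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower())
    return core.translate(LEET)


def levenshtein(a, b):
    """Edit distance; a one-character tweak is still the same password."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trivial_transform(old, new):
    """True for the 'common transformations' NIST describes: bumping a number,
    changing case, adding or removing symbols, leet, reversal, or a one-edit change."""
    so, sn = stem(old), stem(new)
    if so and (so == sn or so == sn[::-1]):
        return True
    return levenshtein(old.lower(), new.lower()) <= 1


def evaluate_change(old, new, blocklist=BREACHED):
    """Decide whether a proposed new password is acceptable."""
    if len(new) < 8:  # SP 800-63B minimum length for user-chosen memorized secrets
        return "rejected: shorter than 8 characters"
    if new.lower() in blocklist or stem(new) in blocklist:
        return "rejected: on breached/common password list"
    if is_trivial_transform(old, new):
        return "rejected: trivial transformation of previous password"
    return "accepted"


def needs_reset(password, compromised_sha1):
    """Expire only on evidence of compromise: the password's SHA-1 digest (upper-case
    hex, the format breach corpora commonly publish) is in a known-compromised set."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest in compromised_sha1


if __name__ == "__main__":
    pairs = [("Summer2019", "Summer2020"), ("Summer2019", "P@ssw0rd1"),
             ("Summer2019", "Tr0ub4dor&4"), ("Summer2019", "correct horse battery staple")]
    for old, new in pairs:
        print(f"{old!r} -> {new!r}: {evaluate_change(old, new)}")
```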

John Pescatore, the director of emerging security trends at the SANS Institute, told ComputerWorld:

I agree 100% with Microsoft’s logic for enterprises, which are who uses [group policies] anyway … Forcing every employee to change passwords at some arbitrary period almost invariably causes more vulnerabilities to appear in the password reset process (because there are now frequent spikes of users forgetting their passwords) which increases risk more than the forced password reset ever decreases it.

Like Microsoft and NIST, SANS’s Pescatore thought periodic password resets are the hobgoblins of little minds. “Having [this] as part of the baseline makes it easier for security teams to claim compliance because auditors are happy,” Pescatore told ComputerWorld. “Focusing on password reset compliance was a huge part of all the money wasted on Sarbanes-Oxley audits 15 years ago. A great example of how compliance does not equal security.”

ComputerWorld notes other changes in the Windows 10 1903 draft baseline: Microsoft also dropped policies for the BitLocker drive encryption method and its cipher strength. The prior recommendation was to use the strongest available BitLocker encryption, but that, Microsoft said, was overkill (“Our crypto experts tell us that there is no known danger of [128-bit encryption] being broken in the foreseeable future,” MSFT’s Margosis told ComputerWorld) and could easily degrade device performance.

Microsoft is also looking for feedback on a proposed change that would drop the forced disabling of Windows’ built-in Guest and Administrator accounts. Microsoft’s Margosis hedged a bit:

Removing these settings from the baseline would not mean that we recommend that these accounts be enabled, nor would removing these settings mean that the accounts will be enabled. Removing the settings from the baselines would simply mean that administrators could now choose to enable these accounts as needed.

rb-

We have covered this before: forcing users to change passwords over short time frames inevitably leads to users choosing the simplest, most memorable, and most crackable passwords possible. Things have changed over the years, including technology that now enables threat actors to crack simplistic passwords easily.

MSFT is now actively pushing MFA in the enterprise, so it is not surprising they are moving away from this general password policy.

MSFT changing its security baselines won’t change requirements made by regulatory authorities (PCI-DSS, HIPAA, SOX, NERC) and auditors. It takes years and years for them to change.

The change does not affect home users – but maybe it will make them think?

Slowly the world of passwords is starting to come under control.
