Password1, Password2, Password3 no more: Microsoft drops password expiration rec

For years, Microsoft’s baseline security policy has expired passwords after 60 days.

For many years, Microsoft has published a security baseline configuration: a set of system policies that are a reasonable default for a typical organization. This configuration may be sufficient for some companies, and it represents a good starting point for those corporations that need something stricter. While most of the settings have been unproblematic, one particular decision has long drawn the ire of end-users and helpdesks alike: a 60-day password expiration policy that forces a password change every two months. That reality is no longer: the latest draft for the baseline configuration for Windows 10 version 1903 and Windows Server version 1903 drops this tedious requirement.

The rationale for the previous policy is that it limits the impact a stolen password can have—a stolen password will automatically become invalid after, at most, 60 days. In reality, however, password expiration tends to make systems less safe, not more, because computer users don't like picking or remembering new passwords. Instead, they'll do something like pick a simple password and then increment a number on the end of the password, making it easy to "generate" a new password whenever they're forced to.

In the early days of computing, this might have been a sensible trade-off, because cracking passwords was relatively slow. But these days, with rainbow tables, GPU acceleration, and the massive computational power of the cloud, that's no longer the case—short passwords are a liability, so any policy that makes people favor short passwords is a bad policy. It's better instead to choose a long password and, ideally, multifactor authentication, supplementing the password with a time-based code or something similar.

Latest Windows patch having problems with a growing number of anti-virus software

A range of fixes and workarounds have been published.

Image caption: This is a colorized transmission electron micrograph (TEM) of an Ebola virus virion. (Cynthia Goldsmith; credit: CDC)

The most recent Windows patch, released April 9, seems to have done something (still to be determined) that's causing problems with anti-malware software. Over the last few days, Microsoft has been adding more and more anti-virus scanners to its list of known issues. At the time of writing, client-side anti-virus products from Sophos, Avira, ArcaBit, Avast, and most recently McAfee are all showing problems with the patch.

Affected machines seem to be fine until an attempt is made to log in, at which point the system grinds to a halt. It's not immediately clear if systems are freezing altogether or just going extraordinarily slowly. Some users have reported that they can log in, but the process takes ten or more hours. Logins to Windows 7, 8.1, Server 2008 R2, Server 2012, and Server 2012 R2 are all affected.

Booting into safe mode is unaffected, and the current advice is to use this to disable the anti-virus applications and allow the machines to boot normally. Sophos additionally reports that adding the anti-virus software's own directory to the list of excluded locations also serves as a fix, which is a little strange.

Hackers could read non-corporate Outlook.com, Hotmail for six months

Hackers and Microsoft seem to disagree on key details of the hack.

Late on Friday, some users of Outlook.com/Hotmail/MSN Mail received an email from Microsoft stating that an unauthorized third party had gained limited access to their accounts, and was able to read, among other things, the subject lines of emails (but not their bodies or attachments, nor their account passwords), between January 1st and March 28th of this year. Microsoft confirmed this to TechCrunch on Saturday.

The hackers, however, dispute this characterization. They told Motherboard that they can indeed access email contents and have shown that publication screenshots to prove their point. They also claim that the hack lasted at least six months, doubling the period of vulnerability that Microsoft has claimed. After this pushback, Microsoft responded that around 6 percent of customers had suffered unauthorized access to their emails, and that these customers received different breach notifications to make this clear. However, the company is still sticking to its claim that the hack only lasted three months.

Not in dispute is the broad character of the attack. Both hackers and Microsoft's breach notifications say that access to customer accounts came through compromise of a support agent's credentials. With these credentials the hackers could use Microsoft's internal customer support portal, which offers support agents some level of access to Outlook.com accounts. The hackers speculated to Motherboard that the compromised account belonged to a highly privileged user, and that this may have been what granted them the ability to read mail bodies. The compromised account has subsequently been locked to prevent any further abuse.

How Microsoft found a Huawei driver that opened systems to attack

Monitoring systems were looking for attacks using technique popularized by the NSA.

Huawei MateBook systems that are running the company's PCManager software included a driver that would let unprivileged users create processes with superuser privileges. The insecure driver was discovered by Microsoft using some of the new monitoring features added to Windows version 1809 that are monitored by the company's Microsoft Defender Advanced Threat Protection (ATP) service.

First things first: Huawei fixed the driver and published the safe version in early January, so if you're using a Huawei system and have either updated everything or removed the built-in applications entirely, you should be good to go.

The interesting part of the story is how Microsoft found the bad driver in the first place.
