MacNewsWorld.com

Passwords Pose Windows Security Threat, Foundation Says





Asterisks bug Alex Konanykhin. Dots irritate him, too.

That's because he believes they're used by software makers to lull computer users into a false sense of security when they enter passwords into their computer.

Because users can't see the passwords hidden behind the asterisks, "most users believe they are secure," the CEO of the Internet marketing company KMGI.com told TechNewsWorld.

Users Seduced

He explained that dots and asterisks seduce users into opting for the "save password" feature in Windows because it saves time. What users are often ignorant of, he continued, is that anyone that uses that computer or accesses it from the Internet can harvest those passwords.

The problem riled Konanykhin so much that he set up an organization, the Internet Security Foundation, to educate the public about it.

According to the results of a straw poll of 240 Internet users released by the foundation, 86 percent of the respondents believed that passwords hidden behind asterisks were securely protected.

Snubbed by Microsoft

Konanykhin, through his foundation, has solicited Microsoft (Nasdaq: MSFT) to alert users about security issues surrounding passwords. "We wrote to Microsoft," he said, "but Microsoft ignored all our letters."

"The responsible thing for Microsoft to do would be to issue a security patch which would make passwords secure and preclude unauthorized access to users' online accounts," he argued.

"At the very least," he said, "Microsoft should have issued a security patch which would warn Windows users that such hidden passwords are not secure. Instead, Microsoft chose to ignore the issue despite our repeated warnings."

Shoulder Surfing

According to a Microsoft spokesperson who asked to remain anonymous, "The asterisk mechanism for visually hiding password characters, used throughout the industry, is designed to prevent 'shoulder surfing' attacks, not to permanently encrypt and obfuscate passwords.

"The ability of a user to run a tool on an unsecured machine to see a password they just typed is not a security threat," the spokesperson told TechNewsWorld via e-mail. "Claims from third parties that such tools constitute a security threat are overstated and irresponsible in that they may raise undue fear amongst customers."

Although security experts concede there may be some confusion among users about passwords hidden behind asterisks or dots, they discount the practice as a serious security threat.

Low Security Threat

"What it comes down to is a general understanding of how machines can be compromised and how passwords and identities are stolen," Craig Schmugar, virus research manager at McAfee Security in Santa Clara, California, said. "For the most part, there's really not a good understanding of that from the general public."

"In the grand scheme of things, this is on the bottom of the list of bad things that can happen," he said of the asterisk issue.

Chris Novak, a senior security consultant with Ubizen, a New York City-based provider of managed security solutions for businesses, said that the asterisk issue has been known for years.

Not Seeing Is Believing

"Many applications, not only those by Microsoft, have been plagued by this vulnerability -- if you even want to call it a vulnerability," he said.

"For most people, not seeing is believing," he asserted. "They assume that if they can't see their password, then nobody else can see their password, so they have a false sense of security that all their passwords are safe."

If some miscreant wants to filch passwords from a computer, though, they're more likely to use a means other than poking behind asterisks, he averred.

"From what our investigators are seeing in the field, more than 60 percent of password theft issues are still the result of key loggers and line sniffers," he said.

"That's down from previous years, mostly due to phishing," he added. "Phishing has grown and taken away from the key loggers and line sniffers."

Nix Passwords

For some security pros, the asterisk issue is just a fragment of a larger problem. "Passwords are simply becoming inadequate for most business applications today as they are too easily stolen and reverse-engineered, and they are also becoming very expensive for companies to manage," Vadim Lander, chief identity architect in the Waltham, Massachusetts offices of Computer Associates, told TechNewsWorld via e-mail.

"My belief is that companies need to be looking at moving towards using stronger authentication, such as tokens or biometrics, in place of or in conjunction with passwords," he explained. "Those companies who are concerned about assuring the security of their applications are looking at vendors to help get biometric technology adopted as part of the desktop OS solution."




More by John P. Mello Jr.
