Microsoft passports

  • R.J.
    I think the biggest problem people have is that this user/pw combo is going to be used for more, bigger, and more important things, and Microsoft has what is generally recognized as less than adequate security. (Can anyone that big really have adequate security and still satisfy the general public?)

    As I recall there have been a few large-scale exploits on Hotmail, which uses the Passport for authentication. Also, as I recall (I'm not looking for supporting evidence right now, I'm too tired), at least one of these exploits compromised the user/pw of the target account.

    So, yeah, from my understanding it's a glorified user/pw system that MS is using to link all of their current services, and will update to keep up with .NET, but by the same token, MS is holding all of the info. And even if they had a better security track record (I'm not a MS basher, but...), their database is going to be one of the biggest targets ever, and they can harden it all they want, but one slip up and one of the millions of attacks gets in, and it's all done.

    It would be totally possible for MS to patch up after that, they could even tell people about the breach. But how many people would actually change their data? How much damage could be done before those who would change it did so? By making one unique knowledge token the key to several systems they make things very easy and convenient, and much more devastating if successfully attacked.

    This is the reason my boxes have different passwords, why even simple crud doesn't usually have the same password. For stuff I don't really care too much about, or can't take the time to make up a different pw for, there are rings of protection, with the least consequential stuff (i.e. Hotmail account used for spam sign-ups) having the same password. If you go above that in importance, the line noise passwords start. This way no one important system being compromised leads to the compromise of any other system. It limits the damage of a successful attack.

    Holy shit. I've turned a mini-rant about MS Passport into a fucking speech on common sense. I would like to apologize to anyone who took the time to read all that hoping to gain anything at all from it.

  • converge
    started a topic Microsoft passports

    Microsoft passports

    This article was interesting w/ regard to European data protection standards.. not quite what I expected:

    More importantly, Passport seems to (from my ignorance) be a decent component of the .net structure forthcoming. It doesn't seem much more complicated than a username/password scheme. What am I missing? What are some good resources for checking up on Passports?