
I didn't realize just how much I blamed Microsoft for the current state of passwords until I sat down to write about their "passwordless future": puri.sm/posts/microsoft-ruined

@kyle I mean - when a near-monopoly behaves irresponsibly the consequences are non-trivial. Good read and a fair position to take.

@kyle If I'm synopsizing this correctly: Microsoft bad because Microsoft encoded password-rotation recommendations into default AD policy.

That's ... a stretch.

And I'm no fan of Microsoft.

1) Password rotation recommendations go back a long way, and were considered best practices for decades. I remember them from the 1990s, and well before AD was A Thing. AFAIU at some point they were recommended through entities such as NIST.

1/

#passwords #security #policy

@kyle

2) Enshrining recommendations in code is what we want, usually, as it is the best way to achieve conformance. Enshrining bad or outdated recommendations in code ... is where problems start.

The AD situation seems the latter.

The larger problem seems to be that AD has achieved longevity, and there's no good way to propagate new policy recommendations to existing systems.

#policy #security #passwords

2/

@kyle NB: I checked my old copy of PUIS (Garfinkel & Spafford), 2nd edition, published in 1996. That says a fair bit on passwords, and discusses forced changes (a systems administrator option), though not timed expiry. It does discuss a whole bunch of distressingly familiar issues on the use of passwords which were already well-known problems ... twenty-five years ago.

Evi Nemeth (RIP) in the UNIX System Administration Handbook 2nd ed. (1995) has a discussion of password aging (automated timed-out passwords) on pages 95 & 544. She's not a fan, but the capability exists and is noted on Solaris, Irix, and BSDI. She does recommend rotating the root password regularly.

But again: Microsoft isn't the source of the problem here.

(As of 1995, Microsoft systems were all single-user and had ... precisely NO passwords....)

#passwords #security #policy

3/

@dredmorbius Summary is:

1. MS (and AD) strongly contributed to and enabled a culture of bad passwords. While they didn't invent bad password policy, their defaults and recs became gospel to many IT admin and AD enabled bad policy to scale, training a generation of computer users to make bad passwords.

2. "Passwordless future" enables vendor control of hardware, as auth is strongly tied to hardware security, which is anchored in trusted (signed by MS) software.

@kyle Point 1 is taken though that's still more a concern of enshrining bad and especially outdated policy.

Good policy is good. Bad policy is bad. Good policy administration is keeping tabs on when good policy becomes bad and fixing it.

I agree on your points re: passwordless future and lockin where that's based on devices. Keep in mind that Apple, Google, and Amazon are all racing down this path as well ("swipe" payments with smartphones, Siri, and Alexa, etc.)

That's an issue with lock-in. See Shapiro and Varian's late 1990s book, Information Rules.

(Note that Varian is now chief economist at Google. Go figure.)

@kyle Better than passwords and the mess FGAM are pushing for would have been PKI.

@kyle @lightweight And all they needed to do to be doing it nicely was offloading local account verification to the password manager of your choice. (Okay, they'll default and pressure you to use your MS account, but as long as there was a real option for others I'd be okay with it.)

But no, they are continuing to ignore antitrust laws because those laws are toothless.

@LovesTha @kyle every deposition in the Microsoft anti-trust case was written in MS Word. Conflict of interests? Wouldn't even recognise one if it jammed their printers.

@LovesTha @kyle actually, yes, Conflict of Interest - they have/had an unmitigated dependence on the products of the party being prosecuted, meaning they had an interest in ensuring that party's activities wouldn't be curtailed by any verdict.

@lightweight @kyle I think that is pretty tenuous for what "interest" usually means.

I do think that them all using MS Word shows they all fundamentally accept and probably like the status quo and are wary of disturbing it.

@LovesTha @kyle I'd say that's a very good example of a vested interest.

@LovesTha @kyle to be fair, I think most organisations that should be keenly aware of vested and pecuniary interests are blithely unaware, to the point of corruption in many cases. (Note 'vested' interest, i.e. having a personal stake in one or another outcome when expected to be neutral, and 'pecuniary', having a *financial* stake, are slightly different.)

@lightweight @kyle Does 'conflict of interest' usually refer to vested, pecuniary, or both?

I think of it in the pecuniary way mostly. But I'm probably wrong.

Apparently accepting 6/7 figure sums to fight your legal battles is only unbecoming for a minister, but is fine for a back bencher in #auspol.

@LovesTha @kyle I think Conflict of Interest includes both vested and pecuniary. I think the latter is a special case of the former, where the interest is financial.

@LovesTha @kyle I see, too, that there's a whole area of "non-pecuniary interests", which are vested interests that are not pecuniary in nature :) - see the 2nd def here: lawinsider.com/dictionary/non-

@lightweight @kyle On the topic at hand, as MS Office is so common precluding people who use it from passing judgement on MS would be more distorting than not.

But they should be aware of it and discuss it in their rulings.

@LovesTha @kyle given that, at the time, there were widely used alternatives (e.g. Word Perfect, which held on in legal circles longer than in any other business context) it seems like they should've avoided using the product against whose supplier they were adjudicating. Sadly, they weren't that ethical. And the US gov't (GWBush, the capitalist ideologue) apparently decided not to penalise Microsoft despite them, against all odds, being found guilty of criminal monopoly.

@lightweight @kyle Exclusively using a competitor would be prejudiced against them. It's hard to be neutral.

@LovesTha @kyle I disagree. It would make them impartial in principle.

@lightweight @kyle Isn't the argument that a user of their competitor has a vested interest in hobbling of the competition?

@LovesTha @kyle I shouldn't think so. The fact that even the prosecution used MS Office is, if nothing else, pretty ironclad evidence of a total monopoly...

@LovesTha @kyle it's a pretty special case in law. It's not often that the fundamental tools of the court are the subject of an anti-competition case.

@lightweight @kyle It's probably going so far into monopoly that it could be evidence that attempting to break up the monopoly would hurt users (which it would, in the short term, which is why no politician wants to be the face of it)

@LovesTha @kyle yup. As I've explained, our gov'ts have paid through the nose to be monopolised (and even held hostage) by Microsoft for a couple decades, which is pretty unforgivable, really, because I, as a lay person rather than someone whose professional role it was to be aware of these things, recognised it 20+ years ago. Here's more: davelane.nz/mshostage

@LovesTha @kyle ultimately, for politicians to be complicit - and I note the dominance and depths of gov't dependence on Microsoft is unprecedented in human history - is effectively corruption. They're knowingly digging the hole deeper with each procurement round. It's unforgivable incompetence, actively working against the interests of the taxpayer/citizen, and residents, not to mention communities.

@lightweight @kyle MS shouldn't be barred from being part of future procurement, but those offerings should have to detail how they are reducing/eliminating vendor lock-in.


@kyle let's not forget, we can also thank Microsoft foisting HTML in email upon us all. Now *that* was a bad idea.
