On Fri, 23 Mar 2007 13:56:15 -0700, Paasie
Passwords don't suck, as long as the system isn't starting a life on its
own. And as we all know, Windows sometimes does things on its own without
even the people at MS themselves always knowing when or how...
Heh... passwords (or more specifically, user-remembered passwords) do
inherently suc.. er, have limitations, and most password
implementations (especially "optional" passwords) aren't too hot.
Yep, one of the problems is where passwords are pre-set before you get
the system, and are poorly documented (often for large values of
"poorly"). For example, the NGO that gets a donation of 20 PCs that
are all BIOS-passworded on boot, and no-one knows the password.
A variation is the typical "optional password" logic that goes:
- if password is blank, then acts as "no password"
- to change the password, first enter existing password
See the problem? The only "options" here are to have a password
that's too strong for interlopers to guess, or suffer the risk of DoS
by any interloper who "changes the password".
Now combine that with a mentality that substitutes security for safety.
IOW, instead of excluding dangerous facilities that a particular
installation may not want to use at all, they are "secured" by an
"optional" password.
Here's a good example of that; hidden admin shares in XP Pro.
If the account password is blank, these are not exposed to networks.
But any non-blank password will expose these to any network where F&PS
is bound and where firewall permits F&PS to pass through.
Tasks don't run unless account password is not blank (or, in XP SP1
and later, you set the Task to run only when logged in).
So folks are obliged to have a non-blank password if they want Tasks
to run in XP Pro Gold. What to do? Choose a trivial password, hide
it via Autologon, disable the Welcome Screen on screensaver etc., and
thus carry on as if you still had no password (which is what you
really wanted in the first place).
And you have an ADSL router that does both the gateway to the Internet
and your LAN switching, so F&PS is enabled and permitted through the
firewall. If you used ISP software to dumb the router down to Bridge
pass-through, you're waving those admin shares at the world.
Admin shares may be hidden, but to software, the names are well-known
and they work just fine. Your account password may be too difficult
for you to remember, yet easy enough for an automated attack to crack
in a second or few. See the problem?
The basic password problem is, you're pitting humans against machines
on a battlefield far better suited to the machines.
-------------------- ----- ---- --- -- - - - -
Trsut me, I won't make a mistake!
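The post above describes a combination of settings (hidden admin shares reachable once the account password is non-blank, the password then hidden via Autologon, and File and Printer Sharing permitted through the firewall) that together expose ADMIN$/C$ to whatever network the box sits on. The following is an added audit script, not code from the poster or from Microsoft, that checks for that combination on a current Windows host. It assumes Windows 8 or later with PowerShell 5.1 (Get-CimInstance and Get-NetFirewallRule did not exist on XP), an elevated prompt, and that the XP-era "blank password = no network logon" behaviour is the LimitBlankPasswordUse LSA policy, which is still present today. The function name Invoke-AdminShareExposureAudit is my own.

```powershell
# Added example, not from the original post. Audits the conditions the post
# warns about. Assumes Windows 8+/PowerShell 5.1, run elevated.

# 1. Hidden administrative shares (ADMIN$, C$, IPC$): Win32_Share.Type has
#    the 0x80000000 "admin" bit set, so mask for it rather than matching names.
function Get-AdminShares {
    Get-CimInstance -ClassName Win32_Share |
        Where-Object { ($_.Type -band 0x80000000) -ne 0 } |
        Select-Object Name, Path, Type
}

# 2. "Limit local account use of blank passwords to console logon only".
#    1 (the default since XP) is what keeps blank-password accounts off the
#    network; 0 means even a blank password reaches the admin shares.
function Get-BlankPasswordLimit {
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    if ($null -eq $lsa.LimitBlankPasswordUse) { return 1 }   # absent = default (on)
    return [int]$lsa.LimitBlankPasswordUse
}

# 3. Local accounts flagged as not requiring a password. WMI cannot tell you
#    whether the current password is blank, only whether the account is
#    allowed to have one; these are the accounts to look at first.
function Get-NoPasswordAccounts {
    Get-CimInstance -ClassName Win32_UserAccount -Filter 'LocalAccount = True' |
        Where-Object { -not $_.Disabled -and -not $_.PasswordRequired } |
        Select-Object Name, SID
}

# 4. Autologon, the post's trick for "hiding" a trivial password. If
#    DefaultPassword is set the password sits on disk in clear text.
function Get-AutoLogonState {
    $wl = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    [pscustomobject]@{
        Enabled           = ($wl.AutoAdminLogon -eq '1')
        DefaultUserName   = $wl.DefaultUserName
        ClearTextPassword = [bool]$wl.DefaultPassword
    }
}

# 5. Inbound File and Printer Sharing rules enabled on the Public or Any
#    profile, i.e. F&PS is allowed through on an untrusted network.
function Get-ExposedFpsRules {
    Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Enabled True -Direction Inbound |
        Where-Object { $_.Profile -match 'Public|Any' } |
        Select-Object DisplayName, Profile
}

# Combine the checks into one verdict. The dangerous case is exactly the one
# in the post: admin shares present, F&PS open to an untrusted profile, and a
# non-blank (therefore network-usable) password, typically hidden by Autologon.
function Invoke-AdminShareExposureAudit {
    $shares   = @(Get-AdminShares)
    $limit    = Get-BlankPasswordLimit
    $noPwd    = @(Get-NoPasswordAccounts)
    $auto     = Get-AutoLogonState
    $fpsRules = @(Get-ExposedFpsRules)

    $exposed = ($shares.Count -gt 0) -and ($fpsRules.Count -gt 0) -and
               ($auto.Enabled -or $limit -eq 0)

    [pscustomobject]@{
        AdminShares            = $shares.Name -join ','
        LimitBlankPasswordUse  = $limit
        NoPasswordAccounts     = $noPwd.Name -join ','
        AutoLogonEnabled       = $auto.Enabled
        AutoLogonUser          = $auto.DefaultUserName
        AutoLogonClearTextPwd  = $auto.ClearTextPassword
        FpsOpenOnPublic        = $fpsRules.Count -gt 0
        AdminSharesExposed     = $exposed
    }
}

Invoke-AdminShareExposureAudit | Format-List
```

The fix for the situation the post describes is not a cleverer password but removing the exposure: disable the File and Printer Sharing rules on the Public profile (or stop bridging the router), keep LimitBlankPasswordUse at 1, and do not store an Autologon password in Winlogon. The `AutoLogonClearTextPwd` field is worth acting on by itself, since anyone who can read the registry gets the account password that the admin shares accept.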