Gates: End to passwords in sight

SAN JOSE, Calif.--For years, Microsoft Chairman Bill Gates has had his sights set on the password as the weak link in the computer security chain.

Now, with Windows Vista, Gates feels he finally has the right weapons to supplant the password as a means of verifying who is who on computers and over the Internet.

The new operating system, due later this year, introduces a concept called InfoCards that gives users a better way to manage the plethora of Internet login names and passwords, as well as lets third parties help in the verification process. Vista will also make it easier to log on to PCs using something stronger than a password alone, such as a smart card.

"We're laying the foundation for what we need," Gates said in a speech at the RSA Conference 2006 here.

Even with the advancements, Gates said he wasn't naive enough to think the password would go away overnight.

"I don't pretend that we are going to move away from passwords overnight, but over three or four years, for corporate systems, this change can and should happen," he said.

Replacing passwords is part of Microsoft's endeavor to simplify security, which Gates said is dearly needed. "We have an overly complex system today," he said. Vista and Microsoft's upcoming security products, such as Windows OneCare Live and Microsoft Client Protection, will make life easier for consumers, he said.

Microsoft has described InfoCard as a technology that gives users a single place to manage various authentication and payment information, in the same way a wallet holds multiple credit cards.

InfoCard is Microsoft's second try at an authentication technology after its largely failed Passport single sign-on service, unveiled in 1999.

InfoCard attempts to address the complaint many critics had with Passport, which was that people's information was managed by Microsoft instead of by the users themselves and the businesses with which they dealt.

Although Microsoft has talked about InfoCard, and early versions of the InfoCard code were released to developers last year, Gates' speech marked one of the first times Microsoft has demonstrated publicly just how it might work.

In a presentation, Microsoft showed how a consumer could use a self-generated InfoCard to log in to a car rental site and then use a separate InfoCard from a membership group to get a discount on the rental.

Internet Explorer 7 will support InfoCard, Gates announced. The technology will also be available for Windows XP, Microsoft said. InfoCard is one of several technologies Microsoft is developing for Vista, but the company is also making it available for XP.

Microsoft acknowledged that replacing passwords is something that needs to be done at the system level, but Gates said the company is also working on technologies to enable various identity systems used on the Internet to work together, something it calls the Identity Metasystem.

Video: The end of passwords?
Bill Gates urges the death of all passwords and offers alternatives from Microsoft.

In order to provide people with better identity verification as they do business online, Microsoft is asking for a stronger type of digital certificate, a so-called high-assurance certificate.

Digital certificates are already widely used today in Web browsers to show that traffic on a Web site is encrypted and that a third party has identified the site and has vouched for its validity. But in recent years, standards of verification have slipped, undermining the sense of security implied by the padlock. That's why Microsoft and others have called for a new type of certificate.

Microsoft on Tuesday announced the first beta of Microsoft Certificate Lifecycle Manager, a tool meant to streamline provisioning, configuration and management of digital certificates and smart cards, the company said.

All eyes on anti-spyware
Gates also touted several of the other security capabilities that will be part of Windows Vista. In a demonstration, Microsoft showed its anti-spyware technology, as well as a new mode that runs Internet Explorer in its own "sandbox" so Internet code can't cross over into the rest of a PC.

As expected, the company on Tuesday released a second beta version of Windows AntiSpyware, now called Windows Defender. The first test version of the spyware-fighting tool has been popular, with more than 25 million downloads from Microsoft's Web site.

Windows AntiSpyware has been available in a beta version since January of last year. The program is designed to protect PCs against spyware, which is software installed on a system that's designed to watch the computer user's activity without his or her knowledge.

Windows Defender already exists by that name in the latest preview release of Vista. Microsoft plans to ship Windows Defender as part of the operating system, it has said. At last year's RSA Conference, Gates announced that Microsoft would deliver anti-spyware at no cost.

IE 7 also was announced at last year's RSA event. It includes many security and privacy protection capabilities, such as mechanisms designed to combat phishing attacks, spyware and other threats. Cyberattackers have exploited security flaws and weaknesses in the current version of Microsoft's Web browser in many attacks. A public preview of IE 7 was released in late January.

[n3td3v]

Honey, I killed the script kids

See: <a class="jive-link-external" href="http://news.com.com/5208-12-0.html?forumID=1&#38;threadID=13978&#38;messageID=114207&#38;start=-1&#38;reply=true" target="_newWindow">http://news.com.com/5208-12-0.html?forumID=1&#38;threadID=13978&#38;messageID=114207&#38;start=-1&#38;reply=true</a>

[Macsaresafer]

Yada, yada, yada...

InfoCards? Don't you mean Keychain, Mr Gates? Why are you always
producing bad copies of other people's work?

I'll give him this though, the man has serious stones. Who else has
the nerve to make a defective product and then sell partial
solutions to the problems they've caused a la Windows Defender?

[rcrusoe]

Makes sense to me

It's never been very hard to get into a Windows computer without the password. Might as well get rid of them. :)

[n3td3v]

Right on!

Can't think of a better thing to say... since the RSA is the laughing stock of the industry right now if anything thats been published on Cnet is anything to go by.

[Retnuh1337]

Just another way

This is just another way that Gates can keep a grip on all of us and his company be the means.

[mgreere]

What?

If security is actually the issue, why not simply promote retinal,
fingerpriint, or skin pattern scans?

A card would unnecessarily duplicate information that service
providers already store... and put it in a nice, stealable format.

Exactly what does an infocard give the consumer?

[zaide]

Gates sees end tp passwords in sight

Another way of getting our security information.

[aabcdefghij987654321]

Microsoft's plan to eliminate passwords revealed!

When you use Microsoft products, trust personal data stored using Microsoft technologies, or even do business with a company that does; Why put a password on anything at all? It has been proven time and again for 10 years now, Microsoft products used on a network pale in comparison to other competitive products regarding security. Microsoft's secret to managing passwords is to drop the support for passwords entirely, why bother when that Microsoft product will be hacked in to eventually anyhow? Question the businesses you deal with, and let the ones you avoid know why in that you don't trust so much as your first name to be stored on a MS system. I changed banks because one was migrating to an insecure Microsoft based system. "We're a small bank...can't afford to build one from scratch...outsourced...they use IIS..." (IIS is MS's Insecure Information Server, FYI)

[jeromatron]

Mac OS X keychain, biometrics, etc.

So how is this any different than an OS wide password manager,
like the Keychain in Mac OS X?
There are comparable tools and utilities on linux.
I'm all for getting rid of password management and I love
Keychain.
I can see that it would be cool to have something more like
biometrics or a security card, which have been implemented in
various forms for at least 5-10 years anyway on PCs. When I
worked at Novell in 2001, there were ways to get into the
eDirectory using biometrics fairly simply, and thus into Windows
2000, via the Netware client.
I hope this gets traction, but to give the impression that
Microsoft is inventing it, well, that's just Microsoft. They
wouldn't know innovation if it came up and bit them in the face.

[R. U. Sirius]

Biometrics are not foolproof

&gt;I can see that it would be cool to have
&gt;something more like biometrics or a security
&gt;card, which have been implemented in various
&gt;forms for at least 5-10 years anyway on PCs.

In large wide scale deployments, biometrics are probably an extremely bad idea. Biometrics can be compromised. Example, if someone were to steal your fingerprints, you're forever compromised since you only have one set.

Biometrics are better designed for specialized situations in closed environments as opposed to the open environment of the Internet.

As for security cards, I personally would never use one that was issued by Microsoft. I might use one that was issued by my bank, and then only for bank related activities.

[Terry Gay]

Include This Smart Card for Hotmail-Please!

My Hotmail account is hacked every day. I hope Gates will include these smart cards for Hotmail logins. Users should declare which type of security entry they want to use: smart cards or passwords. After someone declares for a smart card, when their name comes up for a login in Hotmail or any other Passport login, the password window should be gone. I'm tired of hackers in the Netherlands, Denmark, Germany and Russia trying to steal my identity. Please hurry up and make this a reality for Hotmail Bill. I'm glad someone at Microsoft is finally addressing this pandemic problem.

[jasmr]

How do you mean hacked?

Sorry I replied to the whole story not this post. I am really curious to know what you mean by having your Hotmail account being hacked.

[arcadefx]

Windows Defender

Ok, I downloaded it, ran it and it said my system was clean.

I ran "SpyBot Search &#38; Destroy" and "Lavasoft Ad-aware" on the same box. They both found stuff, 10-14 things.

What is Windows Defender defending?

[Macsaresafer]

It is defending

Microsoft's income stream. Nothing else.

[jharder]

Inspired by...

Bill must have found Keychain while he was tearing OS X apart to
find more "inspriation" for Vista's "innovation".

[Bob Brinkman]

I never realized

That Apple invinted the smartcard. I mean, I knew the wheel, thermodynamics and the automobile was all Steve Job's doing.

[209979377489953107664053243186]

There are already non-password solutions out there

Gates is right, but he's not the first to say that passwords and key enchanges are onerous and problematic. Essential Taceo offers encryption and DRM authoring controls without the need for password exchange, but instead works similar to Acrobat - you just need to download and register for Taceo, which is free, to view protected email and attachments.

<a class="jive-link-external" href="http://www.essentialsecurity.com/features.htm" target="_newWindow">http://www.essentialsecurity.com/features.htm</a>

[Paco_Bell]

Acrobat? That's your golden standard?

We've all seen how successful Adobe was with trying to protect PDFs...not very. I can pick up a PDF password cracker in my cereal box these days ¬_¬

[jasmr]

How do you mean hacked?

I am really curious to know what you mean by your Hotmail account being hacked?

[sroyeton]

End to passwords?

Although this is something to enjoy, if Micro$oft is developing it, it will be difficult to use, full of holes (security) and need to be updated every few months.

[GTOfan]

two-faced?

I bought a Microsoft fingerprint keyboard, so I could get rid of my passwords list, or at least not have to type them in everytime I start a program or visit a website.

Guess what? I find after the purchase that Microsoft warns not to use the fingerprint reader for anything important because the file where the collection of web-passwords is kept is apparently unencrypted or minimally encrypted on the hard drive. Now really, how hard would it be to secure the file with a bazillion-bit encryption built into the reader-driver?

Is this M$'s idea of security? Looks good on the surface, but is easily circumvented if someone gains access to your computer?

[ahickey]

Anti-Spyware Comment

Having MS provide the default anti-spyware app effectively gives them control of what goes on and what is kept off your system.
Now that's control.

With the InfoCard system I expect (much like Passport) they will also have some control over what you are doing.

So, they control what goes on or stays off your system and also knows where you are accessing.

It's nice to see the status-quo has been maintained.

[Earl Benser]

Ol' Bill could be right....

... but the InfoCard certainly isn't the answer. At least, nothing MS
has said so far gives the concept any credibility as a password
replacement. After Passport, and now InfoCard, I think that I'll stay
with passwords.

[wbenton]

Good one Billy... (* ROFLOL *)

So how does one go about using that InfoCard? Just slot it in the PC and away you go? (* ROFLOL *)

There would have to be some kind of password protection to the card itself or else anybody could just slot it in and away they go.

Sorry Billy... but this wet dream about doing away with passwords has already curdled.

Walt

[DeusExMachina]

For heaven's sake, read this before you post

In a probably poinless attempt to prevent further unecessary, misinformed postings, please note:
INFO CARD IS NOT AN ACTUAL CARD. There is no mag stripe, no smart chip, no plastic, no card reader. It is a SOFTWARE authentication system that saves a user from having to transmit personal or financial information.
InfoCard is only a NAME. Seriously, does anyone even bother to read anymore?