Security and passwords: an anti-pattern found in current Windows

The two most important principles of security are to resist entry, and call for help so that the time bought by the resistance allows for a meaningful response. This is true of physical and computer security.

Shockingly, this proof of concept shows that the Windows LoginW API does neither: it allows even the guest account to attempt an unthrottled number of bad password attempts. As the notes say, even on a small machine, this is over 10,000 attempts per second, on one thread.

This means that any other security hole that allows code to execute on the machine, even without an account, is enough to run the entire dictionary of known or extrapolated passwords in seconds, and, if left undisturbed, to brute-force any password by systematically walking through the whole password space.

This is an epic failure. Yes, if throttling is put in place, it needs to be done thoughtfully (to avoid a denial-of-service attack where a bad actor locks legitimate users out), but this is truly disgraceful. The guest account should progressively delay subsequent attempts to make this infeasible, and the guest account should time out with a suitable message that it is due to an attempted break-in.

In addition: where is the security alert?
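As an added illustration (not code from the proof of concept or from Windows), the following Python sketch shows the kind of throttling the post calls for: a progressive delay per account and source, a lockout after repeated failures, and a security alert emitted when the lockout triggers. The class name, thresholds and sample values are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class _State:
    failures: int = 0
    not_before: float = 0.0   # earliest time a new attempt is evaluated
    locked_until: float = 0.0  # time until which the key is locked out


class LoginThrottle:
    """Progressive delay, lockout and alerting for failed logon attempts.

    State is keyed on (account, source) so an attacker on one source cannot,
    by itself, lock a legitimate user out from another source. This is the
    denial-of-service caveat the post raises; it is reduced, not eliminated.
    Thresholds below are example values, not Windows defaults.
    """

    def __init__(self, base_delay=1.0, max_delay=60.0,
                 lockout_after=10, lockout_seconds=900):
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.lockout_after = lockout_after
        self.lockout_seconds = lockout_seconds
        self._states: Dict[Tuple[str, str], _State] = {}
        self.alerts: List[str] = []  # the "security alert" the post asks for

    def attempt(self, account, source, password_ok, now) -> Tuple[bool, str]:
        """Evaluate one logon attempt at monotonic time `now`.

        A correct password is still refused while the key is delayed or
        locked; otherwise an attacker could simply ignore the delay.
        """
        key = (account, source)
        st = self._states.setdefault(key, _State())
        if now < st.locked_until:
            return False, "account temporarily locked after repeated failures"
        if now < st.not_before:
            return False, f"retry in {st.not_before - now:.1f}s"
        if password_ok:
            self._states.pop(key)  # success clears the failure history
            return True, "ok"
        st.failures += 1
        delay = min(self.base_delay * 2 ** (st.failures - 1), self.max_delay)
        st.not_before = now + delay  # exponential back-off, capped
        if st.failures >= self.lockout_after:
            st.locked_until = now + self.lockout_seconds
            self.alerts.append(f"ALERT: {st.failures} failed logons for "
                               f"{account!r} from {source} at t={now:.0f}")
            return False, "account temporarily locked after repeated failures"
        return False, f"bad password; retry in {delay:.1f}s"
```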

In the bigger picture, this is why leadership has to teach the why of design, including security. And why we all have to keep alert, learning, and not be satisfied by “ok, now it’s done.”


DO Encrypt, DON’T Panic

Or, What the ‘strong encryption’ requirement means to Psychologists (regarding Fact Sheet #16 issued by the Information Privacy Commissioner of Ontario).

Why I’m writing this: I have a number of friends and associates who are Certified Psychologists in Ontario, and have been asked, casually, what exactly this fact sheet means.

Bottom line: If you are a Psychologist providing health information to a health network provider, or a user of health information in the sense of PHIPA and its regulations, you need to secure all portable healthcare data as below. If you are NOT, you DO NOT have to. If you do, or if you aren’t sure, please keep reading…