Starting Friday, August 1, you’ll no longer be able to save or manage passwords, use two-factor authentication, or rely on auto-fill features with Microsoft Authenticator as it drops support for its password manager role.
Earlier this summer, Microsoft revealed that they are moving away from using passwords for account authentication and will be using passkeys.
This change is aimed at improving security, since passwords are a security nightmare. A recent survey found that 49% of adults in the US practice poor password habits like reusing passwords or picking easy-to-guess ones. This leaves users vulnerable to cyberattacks, data breaches, ransomware, and more.
But even when you use a strong password, phishing and social engineering can be used to get you to give up that password to the wrong person. For example, you can be misled into visiting a website that looks exactly like your bank's, and when you try to sign in, the bad guys get your credentials.
Yikes.
Passkeys are not vulnerable to these attacks. In fact, you never see your passkeys, so you can't give them out. And a fraudulent server can't perform the negotiation necessary to use your passkey.
The transition to passkeys is happening soon, so it’s a good time to understand how Microsoft will handle this shift and to consider a replacement password manager if necessary.
So, what are passkeys? Passkeys are credentials developed by the Fast Identity Online (FIDO) Alliance, whose underlying technology has been around for decades. They let you use biometrics (like your fingerprint or face) or a device PIN to verify who you are. Think of logging in with Face ID or a fingerprint instead of typing a password. This approach offers stronger protection against guessing and phishing.
Why? Weak passwords are vulnerable to being guessed, but passkeys require both a public and a private (device) key to authenticate. This prevents phishing/social engineering, brute-force, and credential-stuffing attacks.
What if I use a strong password? That helps, but a hash of your password is typically stored on the server so that the password can be verified during login. If that database is breached, the hashes give attackers a way to recover your password. Unlike passwords, passkeys don't require hashes to be stored on servers. In fact, nothing about your passkey is stored on a server; it exists only on your device. And using modern encryption technology, passkeys eliminate the need to remember complex passwords or use a separate password manager.
According to the May 1 Microsoft blog post, Microsoft will soon guide users to set up passkeys as the main way to sign in to their accounts. If you already have a password and a one-time code set up, you’ll only be prompted to use your code to sign in. After logging in, you’ll then be asked to create a passkey. Going forward, signing in will require that passkey.
To add a passkey, open the Microsoft Authenticator app on your mobile device. Choose your account, then select “Set up a passkey.” You’ll first verify your identity, then you’ll be able to create a passkey.
Since Microsoft Authenticator is dropping password support, you’ll want to select a different password manager for websites that use passwords.
Apps like Bitwarden and 1Password are ideal, as they provide free and/or affordable plans and also work with passkeys. A new feature of the passkeys specification provides passkey portability: the ability to transfer passkeys between devices and apps. If you use a manager like Bitwarden or 1Password, you essentially already have access to your passkeys across all your devices without that new feature. But in the future you should be able to export your passkeys from Chrome on Windows, for example, and import them into Safari on a Mac.
There's usually more to the story so if you have questions or comments about this post let us know!
Do you need a new software development partner for an upcoming project? We would love to work with you! From websites and mobile apps to cloud services and custom software, we can help!
Ever since third-party browser cookies began to be used to track people across the Internet, and privacy concerns were voiced en masse, web browsers have been providing privacy protection features. Many people take their online privacy for granted, or just don't think about it. But for those of us who value privacy, these tools have been essential.
Some of these browser features include hiding your network IP address, disallowing third-party cookies, masking the browser information sent to servers, third-party ad and social-media widget blocking plugins (e.g. uBlock Origin), browser fingerprinting protection, and more.
A side benefit of these tools and features is that they can dramatically speed up web browsing, since they block a fair amount of code that is typically only used for advertising purposes. And blocking that code can make you safer online. All that advertising code has a tendency to make you more vulnerable to nefarious exploits.
Not so fast. Enter the Electronic Frontier Foundation (EFF). According to the nonprofit, we're not even close to giving people proper control over their online privacy and tracking prevention.
The Electronic Frontier Foundation is the leading nonprofit organization defending civil liberties in the digital world. Founded in 1990, EFF champions user privacy, free expression, and innovation through impact litigation, policy analysis, grassroots activism, and technology development. EFF's mission is to ensure that technology supports freedom, justice, and innovation for all people of the world.
To prove their point, and to provide a valuable service to users, they created the Cover Your Tracks website (https://coveryourtracks.eff.org/).
With a button click you can run a test on your web browser to determine how well it is blocking trackers and whether it can be fingerprinted, and how badly.
Browser fingerprinting is a technique websites use to identify and track users by collecting unique characteristics of their web browser and device (like screen size). This allows websites to identify users even without relying on traditional tracking methods like cookies.
You will be amazed at how much information can be gathered about your web browser and device using incredibly creative tricks. The goal is for the tracking company to gather "bits" of information about you. The more bits, the more unique you become. For example, your display size represents a few bits of uniquely identifying information. Your display color depth is a few more. The way your browser renders graphics pixels provides bits of information about your graphics hardware. Even the list of fonts available on your computer provides bits of information for your fingerprint. And that's just the beginning.
All of these bits of information combined increase your uniqueness among everyone else they track. You could end up being unique in 1 in 100,000 people, or worse, 1 in 100. Either way, you're in a cohort that can easily be tracked and marketed to across the Internet.
One interesting thing I discovered was that by enabling Advanced Tracking and Fingerprinting Protection in Safari, advertisers were able to create a more unique fingerprint because fewer people use that feature, which, ironically, is a valuable "bit" of information for my browser fingerprint!
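As an added illustration (not code from the original post or from the EFF tool), here is the arithmetic behind those "bits", in a simplified model that treats the attributes as independent; the frequency tables and the two browsers are constructed numbers, not EFF's measurements:

```python
import math

# Constructed frequency tables: the share of a tracker's population showing each value of an
# attribute (hypothetical numbers, not EFF's measurements).
POPULATION = {
    "screen": {"1920x1080": 0.25, "1366x768": 0.20, "2560x1440": 0.05, "other": 0.50},
    "color_depth": {"24": 0.50, "30": 0.25, "32": 0.25},
    "fonts": {"common-set": 0.125, "other": 0.875},
    "advanced_tracking_protection": {"off": 63 / 64, "on": 1 / 64},
}


def identifying_bits(attribute: str, value: str, population: dict = POPULATION) -> float:
    """Surprisal of one attribute value: -log2(share of browsers that have it).
    A value every browser has carries 0 bits; a one-in-64 value carries 6."""
    return -math.log2(population[attribute][value])


def fingerprint_bits(browser: dict, population: dict = POPULATION) -> float:
    """Total identifying bits, treating attributes as independent (real attributes
    are correlated, which is why the EFF tool measures its own visitor population)."""
    return sum(identifying_bits(a, v, population) for a, v in browser.items())


def one_in(bits: float) -> int:
    """A fingerprint carrying b bits is shared by roughly one in 2**b browsers."""
    return round(2 ** bits)


# Two constructed browsers, identical except that the second enables a rare privacy setting,
# which (as with the Safari observation above) makes it more distinctive, not less.
TYPICAL = {"screen": "1920x1080", "color_depth": "24", "fonts": "common-set",
           "advanced_tracking_protection": "off"}
PROTECTED = dict(TYPICAL, advanced_tracking_protection="on")

if __name__ == "__main__":
    for name, browser in (("typical", TYPICAL), ("protected", PROTECTED)):
        bits = fingerprint_bits(browser)
        print(f"{name}: {bits:.2f} bits, roughly one in {one_in(bits)} browsers")
```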
So, even if you're not a privacy buff or concerned with tracking, it's really interesting to use the EFF Cover Your Tracks tool to see how these companies track you, and how private your browsing truly is.
The Enigma machine is a cipher device developed and used in the early- to mid-20th century to protect commercial, diplomatic, and military communication. It was employed extensively by Nazi Germany during World War II, in all branches of the German military. The Enigma machine was considered so secure that it was used to encipher the most top-secret messages.
This project is a high performance Enigma Machine emulator that allows you to:
Just like the physical device, machine state is used to both encipher and decipher text with the same Encipher() method (like a text toggle). Machine state had to match on both the enciphering and deciphering machines. Each operator would add specific rotors in a specific order, set rotor ring positions and starting rotations, and set plug wire positions. This emulator provides virtual versions of all key machine components by way of a deterministic random number generator using AES in counter (CTR) mode.
The emulated components include:
Additionally, characters in the source string that do not exist in the cipher character set are kept as-is in the enciphered text. For example, if you encipher a string containing line breaks, they are maintained in place in the enciphered text, since neither the classic 26-letter character set nor the 95-character ASCII set contains line break characters.
The emulator is FAST! When using the full 95 character ASCII character set, a large 800KB text string takes about 1 second to encipher. Typical text sizes encipher in a few milliseconds.
The physical machine, modified with a plug board, provided 150 trillion possible setting combinations for the 26-letter character set, with a 10^16 key space for a 3-rotor configuration. 4 rotors yielded a key space of 10^19, 5 rotors a key space of 10^23, and so on.
So by simply using the full 95 character ASCII character set the cipher strength will be exponentially better than the original machine, even without additional rotors or other configuration, and should meet modern quantum-resistant cryptography needs.
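To make the design above concrete, here is a small added emulator (example code, not the project's own) that derives rotor wirings, starting rotations and a paired reflector from a key and nonce, steps the rotors like an odometer, and keeps characters outside the cipher set in place. Because Python's standard library has no AES, it substitutes SHA-256 in counter mode for the project's AES-CTR generator; the key and nonce are constructed demo values, and the plug board is omitted.

```python
import hashlib

CHARSET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"  # classic 26-letter set (even length, so the reflector pairs every letter)

class KeyStream:
    """Deterministic stream from key + nonce; SHA-256 in counter mode stands in for the project's AES-CTR."""
    def __init__(self, key: bytes, nonce: bytes):
        self.key, self.nonce, self.counter = key, nonce, 0
    def below(self, n: int) -> int:  # uniform in [0, n); rejection sampling avoids modulo bias
        while True:
            self.counter += 1
            block = hashlib.sha256(self.key + self.nonce + self.counter.to_bytes(8, "big")).digest()
            if (v := int.from_bytes(block[:2], "big")) < 65536 - 65536 % n:
                return v % n
    def perm(self, n: int) -> list:  # Fisher-Yates shuffle of range(n)
        p = list(range(n))
        for i in range(n - 1, 0, -1):
            j = self.below(i + 1)
            p[i], p[j] = p[j], p[i]
        return p

class Enigma:  # rotor wirings, starting rotations and reflector are all derived from key + nonce
    def __init__(self, key: bytes, nonce: bytes, rotors: int = 3):
        ks, n = KeyStream(key, nonce), len(CHARSET)
        self.fwd = [ks.perm(n) for _ in range(rotors)]                 # rotor wirings
        self.inv = [[f.index(c) for c in range(n)] for f in self.fwd]  # return-path wirings
        self.pos = [ks.below(n) for _ in range(rotors)]                # starting rotations
        self.refl, p = list(range(n)), ks.perm(n)  # pair up a shuffled alphabet into an
        for a, b in zip(p[0::2], p[1::2]):         # involution, so encipher == decipher
            self.refl[a], self.refl[b] = b, a
    def encipher(self, text: str) -> str:  # characters outside CHARSET are kept in place
        return "".join(CHARSET[self._press(CHARSET.index(ch))] if ch in CHARSET else ch for ch in text)
    def _press(self, c: int) -> int:  # one key press: step the rotors, then in, reflect, back out
        n = len(CHARSET)
        for i in range(len(self.pos)):  # odometer stepping before each character
            self.pos[i] = (self.pos[i] + 1) % n
            if self.pos[i]:
                break
        for f, p in zip(self.fwd, self.pos):              # in through the rotors
            c = (f[(c + p) % n] - p) % n
        c = self.refl[c]
        for f, p in zip(self.inv[::-1], self.pos[::-1]):  # back out through the inverse wirings
            c = (f[(c + p) % n] - p) % n
        return c

if __name__ == "__main__":
    key, nonce = b"constructed example key", b"nonce-01"  # demo values, not real secrets
    ct = Enigma(key, nonce).encipher("ATTACK AT DAWN")
    print(ct, "->", Enigma(key, nonce).encipher(ct))  # a fresh machine in the same state deciphers
```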
It's easy to create a new virtual Enigma Machine and encipher your own text using one of the provided presets, which are based on historical machine configurations:
Using one of the presets is easy:
It's even easier to use the Enigma Machine for modern encryption, since all you need to provide are a cipher key, nonce, and the number of relevant machine components. There's no need to change rotor ring positions and rotations, or set plug board wire pair values, since your cipher key and nonce are unique and drive the creation of all machine components.
Here's an example of using the Enigma Machine without a historical preset:
You can also create a custom machine by assembling the virtual components yourself, and more. Check out the project on GitHub.
It's about time… NIST has updated its password recommendations to better align with modern use and the reality of how we use passwords. For example, the new rules bar the requirement that end users periodically change their passwords. This requirement came into being decades ago, when password security was poorly understood and it was common for people to choose common names, dictionary words, and other secrets that were easily guessed.
Qualys has a free tool named SSL Labs that anyone can use to check the security of their website's TLS certificates and certificate hosting configuration. This is a frequently overlooked area of securing a website, and we highly recommend running it against your own site. In fact, we use it on all our website projects to secure our client websites, and dogfood it on fynydd.com (we score an A+, by the way).
The SSL Labs tool will test for a ton of TLS vulnerabilities like BEAST, POODLE (SSLv3), POODLE (TLS), Zombie POODLE, GOLDENDOODLE, Sleeping POODLE, and more.
It will also scan your server's TLS/SSL protocol support to ensure that you're using the latest version (TLS 1.2 at the time of this writing) and that your server has disabled legacy protocols to prevent protocol fallback attacks. In fact, if you're hosting with Microsoft Internet Information Services (IIS), we highly recommend installing the "Setup Microsoft Windows or IIS for SSL Perfect Forward Secrecy and TLS 1.2" PowerShell script to lock down your server's TLS/SSL protocol support.