Rich Fiscus
11 Dec 2012 23:57
A major focus of Windows 8 is convincing users to log in using a Microsoft account (formerly Live ID) rather than a traditional local account. A Microsoft account is a sort of portal to various cloud services, including 25GB of free storage via SkyDrive, which is accessible directly through various apps in the new modern UI.
While it certainly makes some things much more convenient, it also introduces new security concerns which don't apply to local user accounts. Some are specific to Microsoft's services while others are simply inherent risks which go along with integrating the cloud into your daily computer use.
Some of these issues also apply to Windows 8 workstations in enterprise environments. Although Microsoft account logins don't replace the standard Active Directory (Windows domain) login system, you can (if your employer allows it) connect a Microsoft account to your regular Windows login. This shifts some of the security burden to your employer's IT department, but there may still be some measures you should take for yourself.
In this article we will examine 5 things you can do to avoid potential security problems when using your Microsoft account to log in to Windows 8. That doesn't mean I recommend doing so. In fact I use a local account almost exclusively, although I do have a Microsoft account. If using this new login method doesn't address some need you
Every Microsoft account must be associated with an email address. Because you can use this email account to reset your Microsoft account password if you forget it or if it has been hacked, it's essential that this email account be as secure as possible. When you create
lucyintheskywithdiamondsareforever. And of course since you are using actual words instead of random gibberish you should have no problem remembering your password.
Of course your email account isn't the same as your Microsoft account login. When you create this account you will be asked for another password, unfortunately with the same limitations of their email accounts. They are limited to 16 characters and no two-factor authentication is available. However, there are some things you can do to improve security.
Here are just a few suggestions:
Hopefully this last one goes without saying, but research says otherwise. Use a unique password. The more places you use a particular password, the more vulnerable each of them is. If you don't think that's a major concern, consider what Eric Doerr, a Microsoft manager intimately involved with the development of SkyDrive and Hotmail until 2010, had to say about it in July of this year:
"When we get a list, first, we check to see if it actually matches any accounts and passwords in our system. This is done in an automated and secure way so no human actually sees the account info of our customers. You'd be surprised how often the lists – especially the publicly posted ones – are complete garbage with zero matches. But sometimes there are hits – on average, we see successful password matches of around 20% of matching usernames."
Don't add any personal information to your Microsoft account profile without a specific reason for doing so. Microsoft recommends you add as much information as possible. That's fine until someone breaches their security and is logged into your account with full access to all of it.
Adding personal information may be necessary if you are connecting an app or third party service to your Microsoft account. Adding it without any purpose, though, is really only helpful to Microsoft. The more information people include the easier it will be to sell Microsoft account interoperability to developers. From a security (or privacy) perspective the golden rule is less exposure means less risk.
You shouldn't send any information across the Internet without a good reason, and that goes double for storing it in the cloud.
Most people only have a single user account on their computer, which means it must be an Administrator account. If you are logging in to Windows 8 using a Microsoft account you should always have an additional local account to use in case your Microsoft login doesn't work for whatever reason.
As long as you make that account an Administrator, and if that's the one you set up when you first install Windows 8 it will be by default, your Microsoft account doesn't have to be. This certainly isn't the most convenient arrangement in the world, since some things require administrative privileges. If you want to install most software or change certain Windows settings you will need to log in with your local account if your Microsoft account isn't an Administrator.
In my experience most people don't need Administrator access the vast majority of the time. If you aren't sure whether this applies to you, it's something you should be able to figure out before you start using Windows 8. When was the last time you installed a program or changed a major Windows system setting? How many programs do you even use?
On the other hand, if your Microsoft account password is compromised, whoever has access to it, assuming they also have access to your computer, can also do all those things. Access doesn't necessarily mean sitting in front of the computer either. If you have Remote Desktop turned on, every Administrator account is automatically allowed to use it. Of course if you don't use Remote Desktop it should be turned off on general principle anyway.
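The arrangement described above can be checked with a short script. This is an added example, not part of the original article: it reports which Administrators are local accounts, which are Microsoft accounts, and whether Remote Desktop is on. It assumes Windows PowerShell 5.1 or later with the LocalAccounts module (the PrincipalSource field is only populated on Windows 10 and newer, so it does not run on a stock Windows 8 install); the function name Get-AdminAccountReport is made up for this example.

```powershell
# Added example: audit Administrator membership and Remote Desktop state.
# Assumes Windows PowerShell 5.1+ (Microsoft.PowerShell.LocalAccounts module).
function Get-AdminAccountReport {
    # S-1-5-32-544 is the built-in Administrators group; using the SID
    # avoids problems with localized group names.
    $admins = @(Get-LocalGroupMember -SID 'S-1-5-32-544')

    # A disabled user is still listed as a group member, so collect the
    # SIDs of enabled users to find a fallback account that actually works.
    $enabledSids = @(Get-LocalUser | Where-Object { $_.Enabled } |
        ForEach-Object { $_.SID.Value })

    $localAdmins = @($admins | Where-Object {
        $_.ObjectClass -eq 'User' -and
        $_.PrincipalSource -eq 'Local' -and
        $enabledSids -contains $_.SID.Value
    })
    $msaAdmins = @($admins | Where-Object {
        $_.PrincipalSource -eq 'MicrosoftAccount'
    })

    # fDenyTSConnections: 0 = Remote Desktop enabled, 1 = disabled.
    # This is the local setting; a Group Policy value takes precedence if set.
    $ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpEnabled = ($ts.fDenyTSConnections -eq 0)

    [pscustomobject]@{
        LocalAdmins            = $localAdmins.Name
        MicrosoftAccountAdmins = $msaAdmins.Name
        RemoteDesktopEnabled   = $rdpEnabled
        HasLocalFallbackAdmin  = ($localAdmins.Count -gt 0)
        CloudAdminWithRdpOn    = ($rdpEnabled -and ($msaAdmins.Count -gt 0))
    }
}

$report = Get-AdminAccountReport
$report | Format-List

if (-not $report.HasLocalFallbackAdmin) {
    Write-Warning 'No enabled local Administrator account to fall back on.'
}
if ($report.CloudAdminWithRdpOn) {
    Write-Warning 'A Microsoft account is an Administrator and Remote Desktop is enabled.'
}
```

Run it from an elevated prompt; the two warnings correspond to the two situations the article advises against.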
In fact if you get right down to it most people shouldn't be logged into your computer as an Administrator even if they aren't using a cloud login. It's yet another established security principle - the same one Microsoft finally adopted with Windows Vista which resulted in all those annoying
Make sure to check the email address associated with your Microsoft account often. If you get an email saying something was changed and you don't know anything about it, you should immediately change the password. Likewise, if your password doesn't work when you try to log in to Windows, you should log in to the website as soon as possible (using a local account or different computer) and reset the password.