Marc Slemko has written an excellent article about some of the
weaknesses in Microsoft Passport.
"The current implementation of Passport, ignoring the new Windows XP
specific functionality for the moment, is wholly inadequate to this
task. It does not allow for sufficient control over the use of
authentication information by a user and, where current technologies
fall short of the ideal, it trades off security in favor of convenience
in a way that leaves users vulnerable."
"Windows XP attempts to integrate Passport accounts more transparently
with a user's XP login account. This integration, while offering the
potential for decreased security risks if implemented properly, appears
to, in it's current implementation, possibly increases the risk by
allowing the user to be automatically authenticated in situations where
they did not expect to be or explicitly allow it. Further investigation
is necessary to fully understand the security implications of this
poorly documented (and apparently still changing on the Passport
The risk to users today is mitigated substantially by the fact that
Passport use is not all that widespread for anything more important than
Hotmail accounts, and customizations on other Microsoft sites. The
security implications, however, of having this Passport be a single
identity for a user, in widespread use across the Internet, are dire.
It is very clear that either Microsoft does no have sufficient resources
in place to properly review the security of their services and software
(it only took me about 30 minutes to come up with the basics of the
example exploit, why didn't they notice the same issues?) or that they
are aware of the shortcomings but decided that attempting to gain market
share was more important than their user's security. Either way, extreme
caution is necessary when considering the adoption of Passport
technologies and, by implication, any technologies built on top of
Read his full article at http://alive.znep.com/~marcs/passport.
Wired made a
story on this article too.
microsoft are not interested in security [okay: only if it satisfies the
following statements]. they are interested in getting to market and
_keeping_ their market. they are also interested in keeping support
calls to an absolute minimum. they are also interested in backwards
microsoft is interested in _money_ [gosh, is that a crime in business?]
once you realise these things, the resultant outcome[s] become very
obvious and understandable. poor software. multiple updates / upgrades
/ hotfixes. lack of security audits by professionals. the whole
Security and convenience are mutually exclusive. The more security you
have, the less convenient it is. Right now, MS has everything set up to
be as convenient as possible. The only real way to fix these holes is
to reduce convenience, and that's bad for business. Instead, MS will
continue producing half-asses patches as needed.