User name and password-based authentication
The most common method of authenticating users is by user names and passwords. Windows 8 can use two possible types of user name and password credentials:
When an employee signs in to a computer joined to a domain, Windows passes the request to a domain controller, which checks the credentials provided against the domain’s list of user accounts. In Active Directory environments, this is handled by Kerberos, which verifies the provided credentials and determines whether the sign-in should be allowed. Kerberos is a standard authentication protocol that Windows (and other operating systems) uses to identify users during the sign-in process. If the credentials are correct, Kerberos issues tickets to the account that allow it to access resources within the domain. This enables an authenticated user within the domain to access any resources for which he or she is authorized throughout the domain.
For example, Fernando is a user in the shipping department at
Tailspin Toys. When he arrives at his desk in the morning, the first
thing he does is sign in to Windows. Tailspin Toys uses standard user
name and password authentication; Fernando enters his user name and
password. When he clicks OK, the local Windows-based computer passes
these credentials to a domain controller within the environment. When
the domain controller receives the request, it checks the credentials
against the Active Directory database. This includes:
- Making sure the account exists.
- Distributing an encrypted ticket and hashing the account password for access to other resources in the domain.
- Checking the age of the password, if enforced.
- Ensuring that the user account is not locked out for exceeding the number of sign-in attempts allowed by the organization’s security policy.
After these items have been verified, Kerberos returns a ticket for
the user account. This ticket allows the user to access any resource
that exists within the domain and for which the account is authorized
without further proof of identity. Fernando can then access the printer
down the hall from his desk and his email without further sign-ins.
This is sometimes referred to as single sign-on (SSO).
A sign-in attempt might not succeed; perhaps Fernando’s password recently changed and he has misspelled or forgotten it. When Fernando attempts to sign in, Kerberos uses the Key Distribution Center (KDC) to issue a ticket for this sign-in. If the user account can decrypt the ticket and passes the preauthentication checks for the provided user name, the authentication succeeds. If the wrong password is provided, the information returned cannot be decrypted and the sign-in fails. When the credentials fail verification, Windows displays a message telling Fernando that the information provided was incorrect.
Using a user name and password
combination is the default sign-in method in Windows 8; however,
configuration settings can make this method more secure. Some of these
options include:
- Password expiration
- Password length requirements
- Password complexity requirements
- Minimum and maximum password age configuration
- Password history retention
Windows local
accounts allow passwords up to 256 characters in length; your
organization might have policies that impose restrictions on that limit.
Important: THE CLOUD CHANGES THINGS
Because Windows 8 connects to the cloud by using a Microsoft
account, which is the default selection during setup, the password
entered is limited to 16 characters. If you want to use a
longer/stronger password, use a local account instead of a Microsoft
account for your computer.
Password settings for a local computer are specified in the local computer policy, as shown in Figure 3. To start the Local Computer Policy snap-in, complete the following steps:
- Select the Settings charm.
- Select Control Panel.
- Tap or click the System and Security category.
- Tap or click Administrative Tools.
- Select Local Security Policy.
You can configure the following password settings:
- Minimum and maximum password age: Using these two settings, as the administrator you can specify the minimum and maximum age for a password. The Minimum Password Age determines the smallest amount of time, in days, that a password must exist before it can be changed. The default is 42 days if the policy is enabled. The Maximum Password Age specifies the number of days that a password can exist before it expires and Windows requires the user to change the password.
- Password length requirements: The Minimum Password Length setting enables you to determine how many characters long a password must be. The maximum length is 256 characters.
- Password complexity requirements: This option enables you to require combinations of characters in a password. For example, you can require that passwords include uppercase and lowercase letters, that they be alphanumeric, or even that they include special characters.
- Password expiration: This option works with the password age requirements. When a password is set to expire, it will expire after it reaches the maximum age. You can also set a password never to expire, which disables the minimum and maximum age requirements.
- Password history retention: Windows can remember a designated number of previous passwords. With this setting enabled, users within your organization will have to generate unique passwords each time they change their password until they have surpassed the number of passwords remembered. For example, if this setting is configured to remember three passwords, then on the fourth password change, the original password could be used again.
These settings exist to help you make passwords a more secure authentication method. Because many organizations might not choose to invest in other authentication technologies, the user name and password sign-in should be capable of providing as secure a method as possible for authentication.
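The Local Security Policy snap-in shows these settings one at a time; to check all of them at once, here is an added PowerShell example (not from the book) that exports the local policy with secedit and compares each value to a baseline. The baseline numbers are assumptions chosen for illustration, and the script must run from an elevated prompt because secedit requires administrative rights.

```powershell
# Added example: audit the local password policy against an assumed baseline.
# The baseline values below are illustrative assumptions, not Windows defaults.
$baseline = @{
    MinimumPasswordLength = 12   # characters
    PasswordComplexity    = 1    # 1 = complexity requirements enabled
    PasswordHistorySize   = 24   # previous passwords remembered
    MinimumPasswordAge    = 1    # days before a password may be changed again
    MaximumPasswordAge    = 90   # days before expiry (-1 in the export = never)
}

$inf = Join-Path $env:TEMP 'secpol-export.inf'
# secedit writes the password settings under the [System Access] section.
secedit /export /cfg $inf /areas SECURITYPOLICY | Out-Null

# Parse "Key = Value" lines, but only inside [System Access].
$policy = @{}
$inSystemAccess = $false
foreach ($line in Get-Content $inf) {
    if ($line -match '^\[(.+)\]$') {
        $inSystemAccess = ($Matches[1] -eq 'System Access')
        continue
    }
    if ($inSystemAccess -and $line -match '^\s*(\w+)\s*=\s*(-?\d+)') {
        $policy[$Matches[1]] = [int]$Matches[2]
    }
}
Remove-Item $inf -ErrorAction SilentlyContinue

foreach ($name in $baseline.Keys) {
    $actual = $policy[$name]
    $ok = switch ($name) {
        # "Never expires" (0 or -1) and an over-long maximum age both fail.
        'MaximumPasswordAge' { ($actual -gt 0) -and ($actual -le $baseline[$name]) }
        default              { $actual -ge $baseline[$name] }
    }
    $status = if ($ok) { 'OK  ' } else { 'WEAK' }
    '{0} {1,-22} actual={2,-4} baseline={3}' -f $status, $name, $actual, $baseline[$name]
}
```

A setting that is missing from the export is reported as WEAK, since a null value never satisfies the comparison.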
Note: SECURITY ALERT: EDUCATE USERS ON SECURING PASSWORDS
Often, imposing strict and strange password complexity requirements
on users will cause them to write down their password. This information
is often stored under the keyboard or in a top desk drawer, and is
therefore easily accessible to anyone in the building. One way to avoid
this practice is to educate users about how the password is intended to
work. You can also encourage users to use a pass phrase instead of a
singular word with misspellings. Using a phrase related to a user’s
hobby or something the user enjoys can provide more secure passwords
than you might think.