When we book a computer into our workshop we use a
paper form which includes a box for the password for the computer we are going
to work on. Often we may also need the password for the customer’s email
account – and we’ll either hack that using a tool called Mail PassView or ask the customer for it if we need to.
I’ve never really thought about the security implications of
this process as I trust my staff implicitly, however we do intentionally keep
the password off the database system as it’s pretty hard to hack a piece of paper, and once
we are done with the worksheet this can be either filed under lock and key, or
shredded and pulped.
If the customer is concerned about their security they have
the option of changing the password afterwards, but in practice I’m sure very few bother
as it’s not always easy to manage, particularly now you have to change it on
all your mobile devices too.
One of the big changes in Windows 8 is the reliance on a
Windows Live ID, which is often associated with the customer’s main email
account. The implication is that we now need the email password to do pretty
much anything on the computer, including tasks such as installing Office 2013
which must be linked to a Live ID account.
Whereas before a single password would give limited access
to a system, with cloud services and Windows Live ID integrating with
everything, it’s a case of one password to rule them all. In many ways this is
great as Microsoft have long been the champions of a single authentication for
everything, but as soon as you need to give your password to a third party for
essential work to be carried out this model presents a huge security risk.
What does this mean for the average Windows 8 user? Well for
starters you need to be able to trust your technical support as never before,
as now they get access to everything. Suddenly that shady PC repair shop on the
corner with the second hand laptops and the phone unlocking sign in the window
isn’t looking so attractive is it?
One of the problems with our industry is that there’s very
little regulation – the organisations that claim to act as trade associations are
mostly just glorified social clubs who would much rather organise another
members’ golf day than actually get involved in policing their members. It’s
left to organisations such as the council run Trading Standards Officers to
weed out the bad boys
In some ways this is good news for us as we work to defined
procedures which include DBS (previously CRB) checking our employees. We also
have excellent relations with our local Trading Standards team and have
assisted them in bringing some of the less reputable operations in our borough
to account.
However I do sometimes feel that companies like ours are in
the minority – I can count on the fingers of one hand the other companies in our
sector that I’d confidently recommend. When it comes to handing over your entire on-line identity what is really needed is something like
a valet key, which are commonly employed in the US where valet parking is
everywhere. This is a clever little key that allows the valet to drive the car
and lock the door, but not to open the boot, for example, and some even turn off the engine if the car travels more than a short distance.
If Microsoft allowed a temporary service account password to
be created that worked alongside the main Live ID this would provide an elegant
solution to the problem. It could be configured to automatically expire after a
set number of days, and could include features such as allowing the ‘valet’ to
see email headers, but not open them to read the full content. So there in a
nutshell is both the problem and a solution. Over to you Microsoft.