Windows 8 Local Account vs Microsoft Account, Linking a live id to a Local account without switching to a Microsoft account

    General discussion

  • I want to share with you my thoughts about the new Windows 8 feature that allows you to create Microsoft accounts, or use already existing ones, to sign in to Windows 8 machines.
    About signing in to Windows 8 with a Windows Live ID, I read an article from David Burt at http://blogs.technet.com/b/privacyimperative/archive/2011/09/28/signing-in-to-windows-8-with-a-windows-live-id-privacy-and-security.aspx
    Even if I perfectly realize the benefits of logging in with a Windows Live ID, that is synchronizing settings, data and credentials between different devices, I think that, at least for my personal needs, the security of signing in to Windows 8 with a Windows Live ID is not even comparable with the one you get signing in with a standard local account.
    Obviously I think that a local account is much more secure than a Microsoft one, and I will try to explain why.
    In the following reasoning I am assuming that the Windows 8 PC used to sign in is protected with BitLocker with TPM, using a 256-bit encryption key, so attacking it offline cannot be considered a real risk.
    In the above article it is explained that no data is roamed over WWAN and that all data and settings that leave your PC are transmitted using SSL/TLS, and certainly both of these things are very positive.
    When I sign in to a Windows 8 machine that is connected to the internet using a Microsoft account, the Live ID password is sent encrypted over the internet in order to be validated.
    I think that, if the validation mechanism is similar to the standard local account one, the password is sent through the internet to the live.com servers in an SSL/TLS encrypted form and then, after it is decrypted by the live.com server, the web server calculates the hash of the clear password and, if it is equal to the one stored in the live.com servers, access is granted.
    First of all, the above is the first big difference: in local account password validation the clear text password is stored in protected memory and never leaves the PC, while in the Microsoft account case, even if encrypted, the password leaves the PC and traverses the internet, so it is exposed to attack much more than a password that lives inside protected memory.

    We can discuss the length of the SSL/TLS encryption key to strengthen the security of the Live ID password while traversing the internet (by default on a Windows 8 PC, when connecting to live.com servers, the SSL/TLS encryption uses a 128-bit key, but this can be changed through group policy in order to use a 256-bit encryption key, so that a brute force attack against the Live ID password would become much more difficult; but I doubt this (the possibility to change the SSL/TLS encryption key length) will be a possibility in the upcoming Windows Phone 8 system that, I think, will use the same authentication method, that is, it will offer the possibility to sign in with a Live ID account (otherwise I cannot understand why Microsoft added the PIN password method in Windows 8)),
    but the point is that, in any case, the encrypted password leaves the PC, while in local account validation the password is inside protected memory, and remotely attacking the protected RAM of a Windows PC is obviously much more complicated than intercepting an encrypted password over the internet.
    Second, if someone were able to intercept the encrypted password, in the very rare case that he/she could decrypt it, he/she would not only be able to access all the data inside the Live account (including all the other web site credentials and eventually the BitLocker keys that the user can store in SkyDrive), but he/she would also be able to decrypt the EFS files the owner of the Live ID may have on his/her PC, if the attacker could gain physical access to the computer, because decryption of EFS files is possible only with a key derived from the logon password, which is able to decrypt the private key of the certificate used to encrypt the files.
    These risks can be acceptable for most people, but I think that it is not acceptable for the ones who have very sensitive data to protect.

    Following the above reasoning, I don’t understand why, at least in the Consumer Preview, Microsoft didn’t give the possibility to use a local account and link it with a Live ID account, exactly like you can do on Windows 7.
    If, in Windows 8, it were possible to link a local account to a Microsoft account, an attacker who decrypted the Microsoft account password couldn’t decrypt the local EFS encrypted files, obviously assuming that the local account password was different from the Live ID password.
    Apart from the security aspect, which I consider the most important one, I also don’t understand why, to use the SkyDrive Metro app (and possibly the SkyDrive desktop app that is still not available) and to sync the settings, the credentials and the data with other devices, it is mandatory to switch to a Microsoft account.
    If, again, it were possible to link the local account to a Microsoft account, the Live ID credential could be stored in the Windows 8 Credential Manager and used for all its scopes, that is, connecting to all the Live services (Metro style apps included) without requiring the user to input the password every time, and allowing a new device with the same linked Live ID to be added to the trusted ones and consequently syncing all the Live ID data/settings/credentials with this new device.
    I hope that someone at Microsoft will take his/her time to read my post and eventually consider including the possibility to link a Live ID to a local account like it was on Windows 7.
    If this will not be the case, I hope that someone at Microsoft could correct me if something I wrote is wrong and give me an explanation of the reasons why the possibility to link a Live ID to a local account hasn’t been added, at least as an option.
    Thanks a lot for reading
    Best regards

    Monday, March 19, 2012 9:08 PM

All replies

  • Thanks, Vladimir, for taking your time to read my post.

    I want to add a further security consideration about my first post.
    A paranoid user who wants to be sure that his/her local account password is never used by the OS without his/her permission could, in theory, decompile or disassemble the OS kernel code in order to be sure that his/her credentials are never used outside his/her intent.
    When the authentication is performed remotely by a web server, the user cannot do the same, that is, he/she does not have access to the web server code that performs authentication and he/she cannot be sure that his/her password is used outside his/her intent. This is obviously true for all the web services that require authentication, and not only for Live services, and we need to live with that.
    I am not saying I do not trust Microsoft or Facebook or Twitter; I am simply saying that I have no control over their web server authentication code and I just need to trust them if I want to use their online services.
    The point is that a compromised web service account password is very different from a compromised local administrator account password. The user must realize that and should never use the same password for web services and local administrator accounts. This is the reason why I do not encourage users to sign in to Windows 8 machines using a Microsoft account.
    Other than that, a local account has total physical control of his/her machine, and the same cannot be said for the servers that store your web services data, credentials and settings. I am free to encrypt my machine using BitLocker or other tools; do the remote servers encrypt their content too, to protect data from offline attack? I don’t know, and even if they say so I cannot be sure they really do that. Again, this is not a matter of trusting them; I simply do not have control over that.
    Are the web servers well physically protected from malicious insiders or outsiders, and are the web servers well protected against remote virus injections? I don’t know, and even if they say so I cannot be sure they really are. I have total control of my machine: I can control and protect the machine physically and I can check the code that runs on it.

    Tuesday, March 20, 2012 8:24 PM
  • Hi,

    I have just had the issue where my Windows 8 PC was not connected to the internet. I was asked to log in with a local account, but I was unable to log in, all because I had created my account using a Windows Live ID and had never had the opportunity to set a local account password. This was of great concern. Eventually the only solution I could find was to connect to the internet, log in using my Windows Live ID and then switch to a local account. I presume that if I now switch to using my Windows Live ID once again, when not internet connected, I can now log in with the local account and password that I have created today.

    Any thoughts on this issue?

    Tuesday, November 13, 2012 12:51 PM
  • Hallo.
    The first time you set up Windows 8, if an internet connection is detected, you will be offered the option to sign in to the machine using a Microsoft account; otherwise the only option you will have is to create a local account.
    If you successfully signed in with a Microsoft account, you can sign in later to the machine using the same Microsoft account even if your PC is not connected to the internet, because the hash of the Microsoft account password is saved locally, just like it happens when you log on to a machine that is joined to a domain but you are not connected to the domain.
    Anyway, the security of the Microsoft account Windows 8 sign-in method is almost non-existent.
    Just to add further details to my first posts, I also discovered that none of the group policies that are enforced for a local account work with a Microsoft account. Just to mention what I believe is one of the most important ones: when you enforce an account lockout policy, this policy is simply ignored when you log on to a Windows 8 machine using a Microsoft account, that is, no matter how many times a user inputs the wrong password, the Microsoft account won’t ever be locked.
    Just don’t use a Microsoft account to sign in to Windows 8; it’s unbelievable that Microsoft added it as an option for signing in to a Windows 8 machine.

    Wednesday, November 14, 2012 10:12 PM
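
The first post argues that a local account's password is checked against a verifier that never leaves the machine, and the reply above says that the account lockout policy is not applied to Microsoft account sign-ins. As an added example (not code from this thread, and not how Windows itself stores or checks credentials), here is a small Python model of the local side of that argument: the host keeps only a salted PBKDF2 verifier and compares it in constant time, and the three lockout settings a Windows administrator can configure (account lockout threshold, account lockout duration, reset counter window) are enforced the way the policy documents them. The names `LocalAuthenticator`, `LockoutPolicy`, `derive_verifier` and the policy values are constructed for illustration; the injectable clock exists so that the timing rules can be exercised without sleeping.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed value; tune the work factor for the host in real use.
PBKDF2_ITERATIONS = 100_000


def derive_verifier(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 verifier: the only secret-derived data kept at rest."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, dklen=32)


@dataclass
class LockoutPolicy:
    """The three Windows account lockout settings (values here are constructed)."""
    threshold: int = 5             # Account lockout threshold; 0 = never lock
    duration_s: int = 30 * 60      # Account lockout duration; 0 = until an admin unlocks
    reset_after_s: int = 30 * 60   # Reset account lockout counter after


@dataclass
class AccountRecord:
    salt: bytes
    verifier: bytes
    bad_attempts: int = 0
    last_bad_at: float = 0.0
    locked_at: Optional[float] = None


class LocalAuthenticator:
    """Hypothetical local logon check: verifier never leaves the host, lockout enforced."""

    def __init__(self, policy: LockoutPolicy,
                 clock: Callable[[], float] = time.time) -> None:
        self.policy = policy
        self.clock = clock  # injectable so lockout timing can be tested deterministically
        self.accounts: Dict[str, AccountRecord] = {}
        self._dummy_salt = os.urandom(16)  # equalises timing for unknown user names

    def add_user(self, name: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[name] = AccountRecord(salt=salt,
                                            verifier=derive_verifier(password, salt))

    def unlock(self, name: str) -> None:
        """Administrative unlock: clears the lock and the bad-attempt counter."""
        rec = self.accounts[name]
        rec.locked_at = None
        rec.bad_attempts = 0

    def is_locked(self, name: str) -> bool:
        rec = self.accounts[name]
        if rec.locked_at is None:
            return False
        if self.policy.duration_s == 0:
            return True  # duration 0: stays locked until unlock() is called
        if self.clock() - rec.locked_at >= self.policy.duration_s:
            self.unlock(name)  # lockout duration elapsed, the account frees itself
            return False
        return True

    def authenticate(self, name: str, password: str) -> str:
        """Returns one of 'ok', 'bad_password', 'locked', 'no_such_user'."""
        rec = self.accounts.get(name)
        if rec is None:
            derive_verifier(password, self._dummy_salt)  # same cost as a real check
            return "no_such_user"
        if self.is_locked(name):
            return "locked"  # a locked-out account rejects even the correct password
        now = self.clock()
        candidate = derive_verifier(password, rec.salt)
        if hmac.compare_digest(candidate, rec.verifier):
            rec.bad_attempts = 0
            return "ok"
        # Bad password: the counter restarts once the observation window has passed.
        if now - rec.last_bad_at >= self.policy.reset_after_s:
            rec.bad_attempts = 0
        rec.bad_attempts += 1
        rec.last_bad_at = now
        if self.policy.threshold and rec.bad_attempts >= self.policy.threshold:
            rec.locked_at = now  # the attempt that reaches the threshold trips the lock
        return "bad_password"
```

The point of the model is the part the reply says is missing for Microsoft accounts: after `threshold` failures inside the reset window the correct password is refused until `duration_s` has elapsed (or forever, with duration 0, until an administrator unlocks), which is what turns an online guessing attempt into a visible event rather than an unbounded loop.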