Microsoft is considering dropping its Windows password expiration policy


Microsoft has proposed scrapping a policy in Windows that requires users to periodically change their login password.

In a blog post, the software giant said its new draft security configuration baseline settings would no longer force users whose accounts are controlled by a network’s group policy to change their passwords every few weeks or months.

Microsoft’s draft security baseline documents include recommended policies that affect entire groups of users on a corporate network, including rules that limit certain features and services to prevent misuse or abuse, as well as rules that lock down functions malware could use to attack the system or network.

The company said that the existing password change policy is an “ancient and obsolete mitigation of very low value,” and the company doesn’t “believe it’s worthwhile” any longer.

Here’s what Microsoft’s Aaron Margosis said:

Periodic password expiration is a defense only against the probability that a password (or hash) will be stolen during its validity interval and will be used by an unauthorized entity. If a password is never stolen, there’s no need to expire it. And if you have evidence that a password has been stolen, you would presumably act immediately rather than wait for expiration to fix the problem.

If it’s a given that a password is likely to be stolen, how many days is an acceptable length of time to continue to allow the thief to use that stolen password? The Windows default is 42 days. Doesn’t that seem like a ridiculously long time? Well, it is, and yet our current baseline says 60 days – and used to say 90 days – because forcing frequent expiration introduces its own problems. And if it’s not a given that passwords will be stolen, you acquire those problems for no benefit. Further, if your users are the kind who are willing to answer surveys in the parking lot that exchange a candy bar for their passwords, no password expiration policy will help you.

By removing it from our baseline rather than recommending a particular value or no expiration, organizations can choose whatever best suits their perceived needs without contradicting our guidance. At the same time, we must reiterate that we strongly recommend additional protections even though they cannot be expressed in our baselines.

In other words, Microsoft wants to put a premium on using strong, long, and unique passwords and not on regularly changing them.

Not only does changing passwords every few weeks or months frustrate the regular user, it’s been suggested that it actively does more harm than good. Former Federal Trade Commission chief technologist Lorrie Cranor said in a 2016 blog post that forcing users to change their passwords every so often can result in weaker passwords.

“Researchers also point out that an attacker who already knows a user’s password is unlikely to be thwarted by a password change,” she wrote. “Once an attacker knows a password, they are often able to guess the user’s next password fairly easily.”

Not long after, the National Institute of Standards and Technology (NIST), which advises the federal government on cybersecurity practices and policies, revised its own advice to remove policies that mandate periodic password changes.

Bill Burr, the since-retired NIST manager who developed the 2003 policy that recommended password expiration, expressed regret about it in a 2017 interview, saying the rule “actually had a negative impact on usability.”

Although Microsoft’s proposals are still in draft, if passed they could be rolled out in Windows 10’s May Update, expected next month.

Posted in Uncategorized | Leave a comment

Microsoft: FCC massively overstating how many Americans have broadband access

US has “no accurate, comprehensive, and public estimate of broadband coverage”, Microsoft tells lawmakers.

According to Federal Communications Commission chairman Ajit Pai, the FCC’s current strategy has done wonders for closing the digital divide between those with access to broadband and those without it.

The FCC’s actions for “removing barriers to infrastructure investment” coupled with its Connect America Fund have resulted in a significant boost in broadband access across rural America, according to Pai.

Now Microsoft has added its voice to those challenging the accuracy of the FCC’s broadband claims.

As reported by Ars Technica last month, the supposed gains in broadband deployment in the US could be the result of a huge error in the data Pai used to make the claim, which came from a draft of the 2019 Broadband Deployment Report.

The apparent error, raised by advocacy group Free Press, arose because a new ISP, Barrier Communications, massively over-reported its coverage. The ISP was meant to have reported specific census blocks it serves broadband to, but instead reported that it covered every single census block in the eight states it delivers to.

After removing the Barrier Communications data, Free Press estimated that “the number of Americans lacking access to a fixed broadband connection at the 25Mbps/3Mbps threshold declined to 21.3 million, not 19.4 million”.

The FCC’s current 2018 Broadband Deployment Report indicates that “over 24 million Americans still lack fixed terrestrial broadband at speeds of 25Mbps/3Mbps”. The FCC estimates that “92.3 percent of all Americans have access to fixed terrestrial broadband at speeds of 25Mbps/3Mbps”.

The 2019 broadband report still needs to be voted on, but now Microsoft is challenging the broadband access figures in the 2018 report with numbers that paint a far worse picture of the digital divide. The company is also demanding that the FCC fix the data-collection problems that feed into its broadband report before it releases the new report.

Microsoft contends the percentage of Americans who lack access to broadband at 25Mbps/3Mbps speeds is “much higher” than the FCC’s estimates.

“The government’s most current broadband statistics come from the FCC and suggest 25 million Americans lack access to a broadband connection. There’s strong evidence, though, that the percentage of Americans without broadband access is much higher than the figures reported by the FCC,” wrote John Kahan, Microsoft’s chief data analytics officer.

Microsoft decided to release its own data ahead of Wednesday’s “Broadband Mapping: Challenges and Solutions” hearing being held by the US Senate Committee on Commerce, Science, and Transportation.

Rather than 25 million people without broadband, Microsoft’s research indicates “162.8 million people are not using the internet at broadband speeds”.

The figure is derived from data Microsoft collects to improve the performance and security of its own software and services. Given Microsoft’s regular updates to Windows users, which can be gigabytes in size, the company would be well-placed to know the state of broadband in the US.

“Our results align well with the FCC’s broadband subscription data and the Pew Research numbers, which suggests these data sets are far closer to the mark than the broadband access data reported by the FCC and leaves us with the inescapable conclusion that today there exists no accurate, comprehensive and public estimate of broadband coverage in the United States,” continued Kahan.

Kahan uses Ferry County in Microsoft’s home state of Washington as an example. The FCC’s data, based on Form 477 filings, indicates the county has ubiquitous broadband coverage. Microsoft’s data, however, shows that only two percent of Ferry County is using broadband.

The same goes for Mississippi: where the FCC indicates broadband is available to 97.1 percent of people in Tishomingo County, Microsoft’s data shows only 3.6 percent of the county uses the internet at broadband speeds.

Kahan says there are “significant discrepancies across nearly all counties in all 50 states”.

The company says there is a major problem with the FCC’s reliance on Form 477, which asks providers whether they are “providing or could …without an extraordinary commitment of resources provide broadband service to an area”.

If the provider answers yes to either question, the FCC considers the area covered, even if the area isn’t actually served and the provider has no plans to serve it.

The other key problem is the FCC’s use of census blocks, which lacks location specificity.

“In rural areas, these blocks can be quite large. If broadband access is delivered to a single customer in that block, the entire block is counted as having service. We must be able to count those within the census block who are unserved,” wrote Kahan.

Microsoft has asked members of the Commerce committee to remove “could provide” from the question in Form 477. It also wants the FCC to use “both availability and actual usage (and/or subscription data)” to guide investment.

Finally, it wants the FCC to fix the availability data collection and reporting problems before it releases the new report on broadband mapping.

“Our data science team has reviewed the draft report from the FCC and compared it to our latest usage data. We found that the increase in access reported in that draft document has not translated into broadband usage growth, especially in rural areas. This demonstrates the need to make significant adjustments to methodology prior to release,” wrote Kahan.


Microsoft has published maps showing large differences between claimed broadband access and actual usage figures.


Windows 7 problems: Microsoft blocks April updates to systems at risk of freezing

Microsoft halts Windows 7 patches for Sophos users after updates trigger boot failures, which also affect Avast users.

Microsoft has blocked this week’s monthly and security-only Windows 7 and Windows 8.1 updates for Sophos antivirus users after widespread reports that computers failed to boot after installing them.

The updates caused dire problems for Windows 7 and Windows 8.1 systems running Sophos Endpoint Security and Control and Sophos Central Endpoint Standard/Advanced. The same issues affect the corresponding server versions, Windows Server 2008 R2 and Windows Server 2012.

The problems are caused by Microsoft’s Tuesday Windows 7 and Windows 8.1 monthly rollup and security-only updates KB4493467, KB4493446, KB4493448, KB4493472, KB4493450 and KB4493451.

“Microsoft and Sophos have identified an issue on devices with Sophos Endpoint Protection installed and managed by either Sophos Central or Sophos Enterprise Console (SEC) that may cause the system to freeze or hang upon restart after installing this update,” Microsoft said in an update on Thursday morning, European time.

Sophos has warned customers against installing these updates if they have not done so already. Customers this week report that computers have been failing to boot after installing them.

Sophos is telling users who have installed the update to boot into safe mode, disable Sophos antivirus, then boot into normal mode and uninstall the problematic Windows update. After that, users should re-enable Sophos antivirus.

As reported by Ask Woody, the Windows 7 updates also appear to be causing issues with systems running Avast antivirus.

Avast says Windows 7 machines in particular “are becoming locked or frozen on startup after Microsoft updates KB4493472, KB4493448, and KB4493435”.

Microsoft hasn’t listed a block on the updates for Avast users.

Avast customers with Avast for Business and Avast Cloud Care, primarily on Windows 7, have reported machines becoming “stuck or frozen on the login/Welcome screen”. Some users cannot log in at all, while other users can log in after a “very extended period of time”.

Avast says some customers have been able to log in after booting the machine into Safe Mode and also recommends rolling back the Windows updates.


This Is How Often You Should Be Rebooting Your Router


The Internet: can’t live with it, can’t live without it. Whether you’re using it to pay your bills online, watch your favorite streaming service or connect with friends via social media, a strong Internet connection is a crucial staple in many households. But just as shutting down your computer can benefit its performance, rebooting your router can also help.

“There is no perfect or scientific answer to this question,” says Rob Rohrman, head of IT at CompTIA. “In general, it’s a great idea to reboot the main Internet router every couple of months. A router reboot can fix certain Internet connectivity issues, from no Internet connectivity to slow wireless connections, and should be one of your first troubleshooting steps in a home or consumer environment. It’s also a good security practice to reboot the router every once in a while.”

The benefits of regularly rebooting your router are twofold. If you want a faster connection, you should be regularly turning your router on and off. According to Consumer Reports, your Internet provider assigns a temporary IP address to each of your devices which can change at any time. If your router doesn’t catch the change, your connection can become slow. The same can happen if you have too many devices connected to your router.

“From a performance perspective, restarting your router every so often (once every one or two months) can help maintain the reliability of your home network,” Nick Merrill, founder of cybersecurity consultancy Broad Daylight, explains.

But restarting your router is about more than just getting a speedier connection for online shopping. It’s also a way to prevent yourself from being hacked. Last year, the FBI recommended that all home and small business routers be rebooted after foreign hackers compromised thousands of networks worldwide. Using malware called VPNFilter, the hackers were able to collect information, exploit the device and block network traffic, rendering the routers inoperable. Shutting off the device would temporarily disrupt the malware. Merrill also recommends keeping your firmware, which provides network protocols, security, and administrative controls, updated to prevent further security threats, and restarting after every update.

“In the vast landscape of strategies for improving one’s relationship with technology, restarting or resetting one’s router is really not the first thing on my mind,” Merrill said. “That said, if you’re a really paranoid type, it’s worth patching the firmware on your router and doing a factory reset on it. As they say, an ounce of prevention is better than a pound of cure. Adware and malware blockers on your computers and your network gateway will make it much less likely that you’ll need to reset your router.”

While experts agree rebooting your router isn’t an exact science, it’s a simple thing to do when facing Internet woes or security issues.


Chromium-based Microsoft Edge will be able to stream videos in 4K

Microsoft is almost ready to officially roll out the Chromium-based Microsoft Edge. Early leaks have already given us a fair idea of what to expect but it looks like Microsoft might have a surprise for us.

It looks like Chromium-based Microsoft Edge will be able to support 4K video streaming. First spotted by HTNovo, a flag inside Microsoft Edge would allow users to enable 4K streaming. This is a big deal since Microsoft Edge is the only browser to natively support 4K streaming. Microsoft will be using PlayReady to support 4K streaming on Edge. Unfortunately, this will work only on Windows 10, which means older versions of Windows and other platforms won’t support 4K streaming.

This should give Microsoft a competitive advantage as the company looks to acquire market share which is dominated by Google Chrome.


Even great keyboard cases can’t make iPads viable work computers

Tomorrow, the iPad officially turns nine years old, so it’s been almost a decade since Apple began selling tablets as “post-PC” computers. I’m a day one iPad user and consider myself a fan: I attended the original model’s January 2010 unveiling, bought both Wi-Fi and Wi-Fi + 3G Cellular versions when they hit stores, and have either purchased or used every model Apple subsequently released.

But after nine years, I’m not blind to the iPad’s persistent weakness: Regardless of whether I spend $329 on an entry-level iPad or $999 on a laptop-sized 12.9-inch iPad Pro, I still can’t use an iPad for work. Apple has created hardware that’s fantastic for reading and entertainment, but its iOS software deliberately keeps iPads from wholly replacing laptops, despite accessories that have tried for years to make that possible.

This should be embarrassing and concerning for Apple, but apparently it’s not. At one point, iPad sales were growing steadily every year, but they plateaued years ago and haven’t changed much since then. Numerous journalists and customers have asked Apple to do something big to move the iPad forward, but they’ve been met with the digital equivalent of silence. Meanwhile, we get “what’s a PC?” ads and “most powerful iPad ever” keynotes — heavier-handed marketing rather than anything bold in iOS software.

From my perspective, the “something big” next step has been obvious since the day the iPad was confirmed to run iOS: Enable at least some iPad models to transform into full computers. Treat the iPad like the lid of a laptop, add a proper keyboard and trackpad base to it, and either update iOS to run Mac apps in windows or let iPads dual-boot macOS as needed. This is a no-brainer solution — even after its disastrous Tablet PC initiative, Microsoft figured it out immediately with Surface.

Above: A mockup of how an iPad Pro would look running macOS. Missing: a trackpad for precision navigation.

Image Credit: Jeremy Horwitz/VentureBeat

Professional users would likely pay as much as $300 for an iPad Pro-exclusive keyboard, trackpad, and extra storage accessory with its own macOS partition. If it were offered at a more affordable price for regular iPads as well, it would probably be the most popular iPad accessory in the world besides Lightning cables.

Instead, Apple has kept iPad prices artificially high, and focused on small tweaks. Amazon sells 7-inch tablets for $50, and Apple sells 7.9-inch tablets for $399 — certainly better tablets, but for many users, not eight times better tablets. Meanwhile, the iPad version of iOS has settled into functional stagnation, and Apple’s once cutting-edge tablet form factor became predictable: a slave to hand-me-down flagship iPhone technologies and designs.

There are now more “types” of iPads than ever, but they’re all really the same device with different screen sizes and accessories. The just-released iPad mini and iPad Air models are undeniably boring — not bad, but not remotely new in any way. This photo shows five different iPad models including the latest basic, midrange, and professional devices, yet most people would be hard-pressed to tell them apart. Even the latest iPad Pros’ most conspicuous changes were small details like rounded screens and new accessory connectors.

So when my editor asked me whether I’d be interested in writing about using my iPad Pro as my work computer, I was conflicted. On one hand, I’d love not only to be able to do that, but to write about being able to do it. But in a work environment that requires me to keep several windows open at once and occasionally jump into various background apps, using an iPad is literally impossible. And little has changed in that regard for years.

On paper, using the iPad for work is feasible. Geekbench 4 benchmarks establish that my October 2018-vintage iPad Pro destroys the October 2016 MacBook Pro I use every day for work. In single-core performance, the iPad scores 5,000 versus the MacBook’s 4,000, while the iPad’s 17,700 multi-core score is more than twice the MacBook’s 8,000. The iPad even wins Geekbench’s Compute test for Metal graphics performance, rating 40,650 to the Mac’s 39,140. Based on raw computing power, anything my Mac can run, my iPad Pro can run faster.

Above: The current 11-inch iPad Pro outperforms a two-year-old midrange Apple laptop.

Image Credit: Jeremy Horwitz/VentureBeat

Moreover, I actually enjoy working on a small screen — my favorite overall MacBook was my old 11.6-inch Air, so my 11-inch iPad Pro would be an easy transition for work. I already love using it for non-work purposes, and routinely spend hours consuming content on it at night. With the right screen settings and the ability to open apps in overlapping windows, it would work well, with no need for squinting and minimal compromises.

To pull this off, Apple would need to update iOS with macOS-like windows, as well as adding support for trackpad or other precision pointing accessories like what I described above. I’ve owned and liked both generations of the Apple Pencil, but they’re no replacement for a proper trackpad; a smaller version of the Magic Trackpad would be great.

As much as I like using Apple’s Mac keyboard and pointing accessories, its iPad accessories have left me unconvinced that it has iPad users’ best interests at heart. I’ve tested Apple’s latest iPad Pro Smart Keyboard Folio, which felt cheap and ridiculously overpriced, as well as its predecessors, which felt … cheap and ridiculously overpriced. Besides Apple solutions, I’ve used plenty of third-party keyboards that only under the best circumstances were good enough to type on.

Starting today, there’s a new Logitech keyboard for the iPad Pro called the Slim Folio Pro, and it gives Apple’s highest-end tablets keys that are similar to a MacBook’s — complete with backlighting, automatic on-off power management, and three months of rechargeable Bluetooth battery life. For $120 (11-inch) or $130 (12.9-inch), it’s $50 to $70 less than Apple’s Smart Keyboard Folios, and can strap in an Apple Pencil for the times you need a precision pointing device.

I wouldn’t necessarily call Slim Folio Pro “slim” when it’s closed, as it roughly triples the iPad Pro’s initial thickness and adds a few extra millimeters to its edges. But it feels solid, its magnetic Pencil holder folds back perfectly, and it’s a great typing surface. If I didn’t have to keep multiple windows open, the Slim Folio Pro and Apple Pencil combo would get me very close to a usable work computer. It’s also worth noting that if I could dispense with a separate 13.3-inch laptop, I might have even considered buying the 12.9-inch iPad Pro.

Unfortunately, there are too many “ifs” there, and resolving them requires not just a great keyboard case, but a better pointing solution and major changes to the iPad’s operating system. After years of waiting, I’ve stopped holding my breath for the company to do anything game-changing with its tablets.

No one I know personally has successfully made the transition from laptop to iPad as a work computer, and those who once discussed it gave up long ago. That’s not to say that Apple hasn’t found business or enterprise customers for iPads — they can be nice cash registers, sales tablets, and even artists’ drawing surfaces — but for many professions, even an iPad Pro won’t do. iPads require contortions if professional users want to create articles, edit photographs, and keep in touch with coworkers, and professionals shouldn’t need to contort to work.

Contortions aren’t necessary in the PC world, where plenty of people have done full transitions to convertible Surface Pros. They’re able to use the Windows environment and apps with a detachable keyboard and as-needed pointer for work, then transition to tablet-only mode for entertainment. Improbable as it might have seemed when Apple began the iPad march years ago, I now see Surfaces popping up in airports, cafes, and classrooms that used to be dominated by Apple logos.

There are rumors that we’ll see a new iOS interface for the iPad this year — and perhaps more computer-focused features — at Apple’s June WWDC in San Jose. As the stories go, Apple pushed off its major iPad-focused overhaul from iOS 12 to iOS 13 in favor of resolving under-the-hood problems, a software decision that might have weakened last year’s iPad Pro sales pitch despite the complete hardware redesign.

If iOS 13 indeed delivers a hugely better iPad experience, I’ll happily revisit my conclusions here. If not, it will be safe to say that as Apple marks a decade in the “post-PC” era, it will still be maintaining artificial barriers to keep its traditional PCs viable, even if its competitors ironically have decided to “think different.”


Hackers took over Asus updates to send you malware, researchers say

Kaspersky Lab estimates that the attack could have affected more than a million users.


Thousands of Asus computers were infected with malware from the company’s own update tool, researchers from Kaspersky Lab said Monday.

The researchers discovered the attack in January, after hackers took over the Asus Live Update Utility to quietly install malware on devices. The hack was first reported by Motherboard.

The hack, which Kaspersky Lab is calling Operation ShadowHammer, went on between June and November 2018. Kaspersky Lab found that it affected more than 57,000 people using its products.

The Russia-based cybersecurity company was only able to find those numbers for its own users, and estimates that the malware could affect more than a million Asus owners worldwide. The update tool is preinstalled on the majority of new Asus devices.

The attackers were able to infect devices without raising red flags because they used Asus’ legitimate security certificate, which was hosted on the computer manufacturer’s servers.

Asus is a Taiwan-based computer company, and one of the top consumer notebook vendors in the world, with millions of laptops worldwide. The company did not respond to a request for comment.

“The selected vendors are extremely attractive targets for APT [advanced persistent threat] groups that might want to take advantage of their vast customer base,” Vitaly Kamluk, director of Kaspersky Lab’s Global Research and Analysis Team, said in a statement.

Malware can arrive on your devices in a lot of ways — downloading a file from an email, opening a PDF you shouldn’t have or via browser-based attacks.

The hack on Asus’ automatic update tool points to another kind of concern, in which people have to be worried about patches from the source itself as hackers seek to exploit a trusted relationship. Supply chain attacks are not new: In 2017, the popular software tool CCleaner was hijacked to install malware on millions of computers.

Distrust in automatic updates leads to another kind of threat, as many companies rely on people to patch their devices to defend against new malware. The majority of computers infected with the WannaCry ransomware, for instance, were hit because they didn’t install a security update issued in 2017.

While it was capable of reaching millions of machines, the malware had a specific set of targets, researchers found. Once it was installed, the backdoor checked the device’s MAC address. If it matched one of the hackers’ targets, it then installed another set of malware, researchers said.

Kaspersky Lab researchers said they identified more than 600 MAC addresses, and released a tool for people to check whether they were targeted by the attack. The cybersecurity company said it has notified Asus, and the investigation is ongoing.
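The MAC-address gate described above is also the natural hook for a defender: given a list of targeted addresses, an administrator can sweep a hardware inventory for matches. The script below is an added example written for this page, not Kaspersky Lab’s checker or any Asus code; the page does not describe the real tool’s internals, so the choice to store targets as SHA-256 hashes of a normalized MAC (so the list can be shared without disclosing the addresses themselves) is an assumption, and the two target MACs are constructed sample values, not addresses from the real campaign.

```python
"""Defender-side sweep: does any MAC address in an inventory match a list of
hashed targeted MACs? Added example for this page; the target list is
CONSTRUCTED sample data, not the ShadowHammer list."""
import hashlib
import re
import uuid

_HEX12 = re.compile(r"^[0-9A-F]{12}$")


def normalize_mac(mac: str) -> str:
    """Canonical form: 12 upper-case hex digits with no separators.

    Inventory exports use several notations; accept 00:11:22:33:44:55,
    00-11-22-33-44-55 and Cisco-style 0011.2233.4455 and reject anything else,
    so that one MAC always hashes to one value.
    """
    compact = re.sub(r"[\s:\-.]", "", mac).upper()
    if not _HEX12.match(compact):
        raise ValueError(f"not a MAC address: {mac!r}")
    return compact


def mac_hash(mac: str) -> str:
    """SHA-256 of the normalized MAC (assumed list format, see lead-in)."""
    return hashlib.sha256(normalize_mac(mac).encode("ascii")).hexdigest()


# Constructed sample targets. A shipped list would contain only the hashes;
# they are derived from plaintext here so the example is self-contained.
_SAMPLE_TARGET_MACS = ["00:11:22:33:44:55", "AA-BB-CC-DD-EE-FF"]
TARGET_MAC_HASHES = frozenset(mac_hash(m) for m in _SAMPLE_TARGET_MACS)


def is_targeted(mac: str, targets=TARGET_MAC_HASHES) -> bool:
    """True if this single MAC is on the target list (any notation)."""
    return mac_hash(mac) in targets


def find_targeted(macs, targets=TARGET_MAC_HASHES) -> list:
    """Return the normalized MACs from an inventory that are on the list.

    Malformed entries (a common artifact of CSV exports) are skipped rather
    than aborting the whole sweep.
    """
    hits = []
    for mac in macs:
        try:
            norm = normalize_mac(mac)
        except ValueError:
            continue
        if mac_hash(norm) in targets:
            hits.append(norm)
    return hits


def local_macs() -> list:
    """Best-effort list of this host's MACs using only the standard library.

    uuid.getnode() returns one hardware address, or a random number with the
    multicast bit set when it cannot find one; the latter is discarded.
    """
    node = uuid.getnode()
    if (node >> 40) & 1:
        return []
    return [f"{node:012X}"]


if __name__ == "__main__":
    hits = find_targeted(local_macs())
    print("targeted adapters on this host:", hits or "none")
```

Run as-is it checks the current host; in practice `find_targeted` would be fed the MAC column of an asset-inventory export so a fleet can be swept centrally, and a hit is a signal to isolate that machine and look for the second-stage payload rather than just to remove the update utility.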
