Submission details
LAN file sharing login should be more permanent when "remember my credentials" is checked.
When you log into another machine on your LAN, even when you choose "remember my credentials", you must reenter those credentials later, such as after a restart. I am not convinced the "remember my credentials" box does anything at all; it seems to be a lame option.
This is annoying because neither the username nor the password, nor even the "remember my credentials" checkbox state, is maintained, and thus they must be frequently retyped. This greatly interrupts flow.
This can also break programs that the user sets up to operate on remote files.
The user should instead be able to enter this info ONCE, check "remember my credentials" (this box already exists in the UI) and expect reasonable persistence.
It should be noted that this may seem to be a "security feature", because if one computer were swapped with a malicious computer, and login was attempted, the password could be stolen. However, I must point out that it CAN be done securely in a number of ways using some sort of login session certificate rather than storing the password.
Microsoft CAN and SHOULD implement permanent login in a SECURE way.
Medium
Medium
Not fixed
Discussion (2 comments)
-1 For a good reason. Even if Microsoft make it as secure as possible, it is still a computer program and can still be hacked.
This would make our computers even more susceptible to becoming zombies, so no.
patternjake, what are you talking about? The "flaw" you mention also applies to the existing LAN logins, logins in general, and to Windows as a whole. If Windows is compromised even without this proposal enacted, of course a keylogger can steal your password and you are screwed. If anything, the more you type it in, the easier it is for a keylogger to steal since this seems to be the preferred malicious tool.
A secure session certificate would not store your password but only allow those two computers to connect locally once they authenticate each other. It is not less secure than the current implementation. This would in no way enable any new way for one computer to take over another. BOTH computers would need to be compromised to defeat the certificate system, in which case 'security' at this point is out the window.
The bottom line is once your PC is fully compromised you are in SERIOUS trouble as is and you must fix it ASAP. This proposal is independent of this basic tenet.
Also keep in mind we are talking about LAN here (not login over the internet), so for most people it is already limited to other computers in the house.
If there is a true security hole added by this, please spell out a more specific attack scenario that does NOT already defeat Windows as it is now. Otherwise, please don't -1!
AllUltima wrote on January 12, 2010, 8:35pm
Changed problem description.