Microsoft Passport.net

Discussion in 'Computer Support' started by Dave Croft, Aug 26, 2004.

  1. Dave Croft

    Dave Croft Guest

    I just signed up for a "@passport.com" This went fine until I tried for a use for it!
    The site says it can be used on any server that accepts it but doesn't tell you of any to try.
    They do have a users list but this has been withdrawn.
    Does anyone use one of these & if so what can it be used for?
    TIA
    Dave Croft
    Dave Croft, Aug 26, 2004
    #1
    1. Advertising

  2. Dave Croft

    Duane Arnold Guest

    "Dave Croft" <> wrote in
    news::

    > I just signed up for a "@passport.com" This went fine until I tried
    > for a use for it! The site says it can be used on any server that
    > accepts it but doesn't tell you of any to try. They do have a users
    > list but this has been withdrawn. Does anyone use one of these & if so
    > what can it be used for? TIA
    > Dave Croft
    >
    >
    >


    Passport authentication directs new users to a site hosted by MS so they
    can register a single user name and password that will authorize their
    access to multiple Web sites. Existing users are prompted for their MS
    Passport user name and psw, which the application then authenticates from
    the Passport user list.

    What it means are those Web sites that have Web applications using the MS
    Passport authentication to login and access the site will use the PP
    authentication. And during your current browser session you went to
    another Web site that uses MS Passport authentication, you would not have
    to present your login credentials again, because they were authenticated
    when accessing the other site. Currently, MS sties that require the user
    to login such as MS Press sites, MS Developer sites use the PP
    authentication.

    As more Web Sites and Web application developers start using the .Net
    solutions, you may see PP authentication come into play in consumer Web
    applications.

    Duane :)
    Duane Arnold, Aug 26, 2004
    #2
    1. Advertising

  3. Dave Croft

    Tech.News Guest

    Dave Croft wrote:

    > I just signed up for a "@passport.com" This went fine until I tried for a
    > use for it! The site says it can be used on any server that accepts it but
    > doesn't tell you of any to try. They do have a users list but this has
    > been withdrawn. Does anyone use one of these & if so what can it be used
    > for? TIA
    > Dave Croft


    You better unsubscribe:

    *Microsoft .Net Passport Services Multiple Vulnerabilities*
    Posted on 10 May 2003

    As contributed to HNS by From: Qazi Ahmed <>:

    PakCERT Security Advisory PC-080503
    http://www.pakcert.org/advisory/PC-080503.html
    Multiple Vulnerabilities found in Microsoft .Net Passport Services
    May 08, 2003

    BACKGROUND

    "Use one name and password to sign in to all .NET Passport-participating
    sites and services."

    DESCRIPTION

    PakCERT has discovered two serious vulnerabilities in Microsoft .Net
    Passport Services, which if exploited, affects over 200 million users
    worldwide. Using these vulnerabilities and the single sign-in feature of
    Microsoft .Net Passport, an attacker can completely take control of a
    user's account including Hotmail email account, personal information,
    credit card numbers, shopping lists etc and use it on any of the .Net
    Passport participating web sites.

    Issue One: Bypass Security Questions

    An attacker can bypass the security questions asked before resetting the
    password. When Microsoft Hotmail/.Net Passport users forget their
    passwords, they have to fill out a web form that requires their email
    address, state, zip code and country. After submitting the correct
    information users are prompted to answer the secret question they entered
    during their signup for the service.

    As a result of this vulnerability, Microsoft Hotmail/.Net Passport users
    who rely on questions like "What's my name?" or "What's my favorite color?"
    could find themselves loosing their accounts.

    Issue Two: Password Reset Vulnerability

    An attacker can reset any Microsoft Hotmail/.Net Passport user account with
    no prior information like state, zip, country, answer to the secret
    question and the old password. Normally, a user has to answer the security
    questions and than answer the secret question if he wants to reset his
    password. By exploiting this vulnerability, an attacker can submit a
    specially crafted URL to get the password reset instructions and reset any
    user's password.

    TECHNICAL DETAILS

    Due to the nature of this vulnerability and the fact that there is no fix
    available yet, no technical details are being made available with this
    advisory. Full technical details will be made available on our website once
    the vulnerability is fixed by Microsoft. Please note that we were forced to
    release this information public as these vulnerabilities are actively being
    exploited in the wild and are one of the most severe vulnerabilities ever
    found in Microsoft Hotmail/.Net Passport.


    --
    *@*
    Tech.News, Aug 27, 2004
    #3
  4. Dave Croft

    Duane Arnold Guest

    In the meantime, the world is going .NET and life goes on and PassPort will
    be used, like it or not. I don't think PP is an authentication that will be
    used to login to a bank or anything of the nature - so big deal.

    Duane :)

    I am an *unregistered* Linux user. Unreg# 99999999999999999
    Duane Arnold, Aug 27, 2004
    #4
  5. Dave Croft

    Tech.News Guest

    <posted & mailed>
    <don't be ridiculus>
    Duane Arnold wrote:

    > In the meantime, the world is going .NET and life goes on and PassPort
    > will be used, like it or not. I don't think PP is an authentication that
    > will be used to login to a bank or anything of the nature - so big deal.
    >
    > Duane :)
    >
    > I am an *unregistered* Linux user. Unreg# 99999999999999999


    It will be a *Big Deal* for the countless of people whose identities will
    be stolen.

    --
    *@*
    Tech.News, Aug 27, 2004
    #5
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Michael

    .Net Passport

    Michael, Jun 4, 2004, in forum: Cisco
    Replies:
    3
    Views:
    552
    Michael
    Jun 11, 2004
  2. Alick Lv
    Replies:
    1
    Views:
    3,854
  3. =?Utf-8?B?S2ViaXNob3AzMQ==?=

    Whats wrong with .net passport and IE

    =?Utf-8?B?S2ViaXNob3AzMQ==?=, Oct 14, 2004, in forum: MCSE
    Replies:
    2
    Views:
    731
    Consultant
    Oct 14, 2004
  4. =?Utf-8?B?amFzb24=?=

    .NET Passport Unavailable

    =?Utf-8?B?amFzb24=?=, Feb 28, 2005, in forum: MCSE
    Replies:
    5
    Views:
    465
    Rowdy Yates
    Mar 1, 2005
  5. Sens Fan Happy In Ohio
    Replies:
    0
    Views:
    758
    Sens Fan Happy In Ohio
    Jun 8, 2004
Loading...

Share This Page