Windows Security

Windows 10 Shares Your Wi-Fi Password With Contacts 487

gsslay writes: The Register reports that Windows 10 will include, defaulted on, "Wi-Fi Sense" which shares wifi passwords with Outlook.com contacts, Skype contacts and, with an opt-in, Facebook friends. This involves Microsoft storing the wifi passwords entered into your laptop which can then be used by any other person suitably connected to you. If you don't want someone's Windows 10 passing on your password, Microsoft has two solutions; only share passwords using their Wi-Fi Sense service, or by adding "_optout" to your SSID.
  • if that's true, (Score:5, Insightful)

    by unami ( 1042872 ) on Wednesday July 01, 2015 @06:03PM (#50029167)
    no guests with windows laptops on my wifi - i'm not going to change my ssid, microsoft style. ugh. i guess this issue will resolve itself after a short shitstorm.
    • Re:if that's true, (Score:5, Insightful)

      by dinfinity ( 2300094 ) on Wednesday July 01, 2015 @06:13PM (#50029231)

      It seems that there is room for convenient router functionality that asks you this: 'A device with MAC address x requests access to your network: GuestLAN. Allow?'

      Handing out passwords to untrusted parties instead of tokens is archaic anyway.

      • Re:if that's true, (Score:5, Interesting)

        by fuzzyfuzzyfungus ( 1223518 ) on Wednesday July 01, 2015 @07:24PM (#50029649) Journal
        What I would like to see explained in more detail is the claim that 'wifi sense doesn't reveal your plaintext password' during the sharing process.

        My understanding was that (except WPA2 with RADIUS and a suitably chosen EAP) there isn't any provision for authenticating to a password protected AP without knowing the password. The AP itself might be able to destroy the password after it has been set, saving only a hash, as is good practice to keep more important sets of usernames and passwords from being compromised; but the client requesting authentication needs the password. The non 'enterprise' cases were designed to be easy to use, not particularly clever; and MS has limited room to get creative without causing nasty breakage on large numbers of variously dysfunctional legacy APs.

        With a proper full WPA2 setup, or with one of the 'no authentication at the AP; but captive portal and/or VPN is the only way to access anything interesting' arrangements, you have more options; but how can you 'share' authentication to a WPA-PSK or WEP network without also sharing the key? Did they actually come up with something really clever, or does the UI just not show you the password, thus 'hiding' it?
        • Re:if that's true, (Score:5, Informative)

          by Anonymous Coward on Wednesday July 01, 2015 @07:46PM (#50029763)

          Your password is stored and hashed on Microsoft's servers. The hash is sent to your contacts. When they try to connect, their computer sends the hash to yours, which then checks that hash against the one on Microsoft's servers. If they match, then access is granted.

          • Re: (Score:3, Insightful)

            Your password is stored and hashed on Microsoft's servers. The hash is sent to your contacts. When they try to connect, their computer sends the hash to yours, which then checks that hash against the one on Microsoft's servers. If they match, then access is granted.

            So if I am trying to connect how would I be able to send any hash to any computer while I'm not connected?

        • by Anonymous Coward on Wednesday July 01, 2015 @08:23PM (#50029901)

          What I would like to see explained in more detail

          Explanation: Microsoft is widely misunderstood. People think that Microsoft is a software company that does evil. That's not true. Microsoft's main purpose is delivering evil. The software is just a means of doing that. (My opinion, shared with others.)

        • Re:if that's true, (Score:5, Informative)

          by Rutulian ( 171771 ) on Wednesday July 01, 2015 @10:47PM (#50030413)

          I was curious about this too. But the AC below gave a nice hint, so I went looking for a better explanation. Here is the blurb from the Wiki,

          Also referred to as WPA-PSK (Pre-shared key) mode, this is designed for home and small office networks and doesn't require an authentication server.[9] Each wireless network device encrypts the network traffic using a 256 bit key. This key may be entered either as a string of 64 hexadecimal digits, or as a passphrase of 8 to 63 printable ASCII characters.[10] If ASCII characters are used, the 256 bit key is calculated by applying the PBKDF2 key derivation function to the passphrase, using the SSID as the salt and 4096 iterations of HMAC-SHA1.[11] WPA-Personal mode is available with both WPA and WPA2.

          So it seems the PSK can be passed around without revealing the passphrase. But if I also remember correctly, the PSK is supposed to rotate (or maybe that's WPA2).
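
The derivation quoted in the comment above, as an added example (not part of the original thread, and not a description of how Wi-Fi Sense transports keys): it derives the 256-bit PSK and checks whether a copy of that PSK stays usable without the passphrase, after an SSID rename, and after a passphrase change. The function names and the `_optout` rename scenario are illustrative; "password"/"IEEE" is the passphrase/SSID test vector published with IEEE 802.11i.

```python
import hashlib
import string

# Characters allowed in a WPA passphrase: printable ASCII, codes 32..126.
_PRINTABLE = {chr(c) for c in range(32, 127)}


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """256-bit WPA/WPA2-Personal key: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds."""
    if not 8 <= len(passphrase) <= 63 or not set(passphrase) <= _PRINTABLE:
        raise ValueError("passphrase must be 8 to 63 printable ASCII characters")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, dklen=32)


def key_from_input(value: str, ssid: str) -> bytes:
    """Model a client's key field: 64 hex digits are the PSK itself,
    anything else is treated as a passphrase and run through derive_psk()."""
    if len(value) == 64 and all(ch in string.hexdigits for ch in value):
        return bytes.fromhex(value)
    return derive_psk(value, ssid)


def sharing_report(passphrase: str, ssid: str, renamed_ssid: str, new_passphrase: str) -> dict:
    """What a holder of only the derived PSK can and cannot still use."""
    psk = derive_psk(passphrase, ssid)
    return {
        "psk_hex": psk.hex(),
        # The PSK is accepted in place of the passphrase, so it is a credential.
        "psk_alone_is_enough": key_from_input(psk.hex(), ssid) == psk,
        # The SSID is the salt: renaming the network yields a different PSK.
        "valid_after_rename": derive_psk(passphrase, renamed_ssid) == psk,
        # Changing the passphrase is the ordinary way to revoke a shared PSK.
        "valid_after_new_passphrase": derive_psk(new_passphrase, ssid) == psk,
    }


if __name__ == "__main__":
    # Sample values: the 802.11i test vector plus an illustrative rename.
    report = sharing_report("password", "IEEE", "IEEE_optout", "a different passphrase")
    for name, value in report.items():
        print(f"{name}: {value}")
```

The derived key hides the passphrase text but not the access it grants: anyone holding the 64 hex digits can join that SSID until the passphrase or the SSID changes.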

    • Re:if that's true, (Score:4, Insightful)

      by sd4f ( 1891894 ) on Wednesday July 01, 2015 @06:15PM (#50029241)
      Yeah, I don't get this idea, it's absolutely crazy. While I'm sure security experts are going to say why this is a bad idea from the start, at least make it an easy opt out, not some crazy way to not do it.
      • Re: (Score:3, Insightful)

        by Anonymous Coward

        Opt-in would be better.

        • Agreed. As an opt-in feature, it's actually a good idea. I've written down passwords on stick-it notes for visiting friends, and that sort of opt-in password sharing is also not without security issues. My stick-it notes don't self-destruct. I think it also makes it more concrete who really is a friend - a person with whom you're willing to share your wifi password. I think that's actually a pretty good minimum standard for friendship.
          • A better solution would be a standard form of QR code for WiFi configuration info, so you just point your camera at something and now you have WiFi credentials.
    • Re:if that's true, (Score:5, Informative)

      by Anonymous Coward on Wednesday July 01, 2015 @06:57PM (#50029505)

      The Slashdot summary is pure FUD. In the article itself you can see an image of the settings, with a large checkbox to enable/disable sharing with Outlook, Skype and Facebook independently and it also has a large slider above those where you can disable it entirely.

      • by TerryMathews ( 57165 ) on Wednesday July 01, 2015 @07:28PM (#50029681)

        Most people can't be bothered to look at what their computer is doing before clicking a UAC window, you really expect them to properly opt-out of SSID passkey sharing properly?

      • Re:if that's true, (Score:5, Insightful)

        by hawguy ( 1600213 ) on Wednesday July 01, 2015 @07:33PM (#50029711)

        The Slashdot summary is pure FUD. In the article itself you can see an image of the settings, with a large checkbox to enable/disable sharing with Outlook, Skype and Facebook independently and it also has a large slider above those where you can disable it entirely.

        Did you read the box?

        Save on mobile data usage with Wifi Sense. Join in and get connected to WiFi. By using WiFi Sense, you agree that it can use your location.

        Who doesn't want to save on mobile data usage!? How many people will opt-out? Where does it say that by opting in that they are sharing their Wifi passphrase with everyone they share to? It may be obvious to you, but not to 99% of the people that will run Windows 10.

      • Re:if that's true, (Score:5, Informative)

        by MightyMartian ( 840721 ) on Wednesday July 01, 2015 @07:41PM (#50029749) Journal

        I don't care about whether you can prevent sharing with your friends on FB or whatever, what I care about is me not having to alter my network settings so that if I give you access to my WiFi network, you sharing MY network information with the people you're "friends" with.

      • Re:if that's true, (Score:4, Informative)

        by Pope Raymond Lama ( 57277 ) <{gwidion} {at} {mpc.com.br}> on Thursday July 02, 2015 @08:20AM (#50032171) Homepage

        It looks like it is not /. editors who can't read things here, but you. This is the situation - I own Wifi access point "A"; Friend "B" comes by, I physically pass A's password to B. Now "B" is the one with the option to share or not the passwords (and all of them) with all HIS contacts - not mine. And moreover, it will happen by default - if B has 2000 Outlook.com contacts, all those 2000 people will be automatically allowed to connect on my WiFi "A". And the only means for this not to happen is if "B" opts out of __all__ his sharing (not just for WiFi "A") or if WiFi "A"'s SSID is formatted as dictated by Microsoft (i.e., ending in `_optout`).

        This is so insanely ridiculous that there are no words to describe how ridiculous that is.

  • by Anonymous Coward

    I can't wait

  • No (Score:5, Informative)

    by Anonymous Coward on Wednesday July 01, 2015 @06:05PM (#50029177)
    ahhhh no, for networks you have SELECTED to share it can do it. Wifi sense being on doesn't suddenly expose all your wifi passwords. extremely inflammatory summary. still seems a stupid risky feature, just not as dumb as those writing the Slashdot summaries.
    • Re:No (Score:5, Insightful)

      by danomac ( 1032160 ) on Wednesday July 01, 2015 @06:15PM (#50029243)

      However, just because I gave Person A access to my wifi, that doesn't mean I give everyone Person A knows access to my wifi. This could end up in legal hot water territory.

      I guess that I just won't be giving any guests access to my network anymore. They can pony up and get their own mobile data plan for their devices.

      • Re: (Score:3, Interesting)

        Serious question - who here is not running a guest wifi access point? I would never give full access to my network to an unknown device. So I run an open guest wifi which is on a different subnet and has its internet rate limited.

        • Re:No (Score:5, Insightful)

          by amicusNYCL ( 1538833 ) on Wednesday July 01, 2015 @06:34PM (#50029357)

          Serious question - who here is not running a guest wifi access point?

          I'm going to guess the vast majority of people running wifi at home. My office has a guest network, my house does not.

        • I do in the manner you mention but now I am not so worried about it anymore.

        • I don't run an incubator in my house, so usually it's just friends' kids that want to connect their iPhones to my network, thus I have no reason to run a separate guest network, although Tomato on my AP's would make this trivial. The networked computers have passwords for VNC and keys for ssh, and I'm not overly concerned that my friends' kids will have compromised iPhones that want to brute-force anything.

        • Me--because my wifi router is entirely private. Only I use it.

        • Re:No (Score:4, Interesting)

          by vux984 ( 928602 ) on Thursday July 02, 2015 @03:50AM (#50031235)

          . So I run an open guest wifi which is on a different subnet and has its internet rate limited.

          Even my guest network is password protected. It's for my guests not for everybody. If I wanted it for everybody, there wouldn't be a password on it, and people wouldn't need a windows feature to share it with their contacts.

          Many of my neighbors also have guest networks... none of them are wide open.

          This feature is probably the worst/dumbest thing I've seen in Windows 10 so far. Actually no... the inability to disable bing searching the web when you use the search in the start menu is the dumbest thing I've seen in windows 10... if that shit isn't fixed by release nobody should upgrade. NOBODY.

          (And the sad thing is I actually overall like windows 10... but it's just stuffed with bloat I don't want. At least most of it I can shut off... live tiles, cortana, using microsoft accounts, etc... but it's becoming more and more work to set the settings up right.)

          I'm looking forward to a windows 10 de-crapifier powertool shortly after release... hell I'm tempted to write one.

      • by Luthair ( 847766 )
        From a security perspective you kind of do as Person A can give out the password to whomever. That said I agree, I don't like the idea of Microsoft automating it.
        • Just as they say, in the context of backups, that 'if it isn't automated it won't happen'; there is likely to be a considerable difference in the rate of unintended leakage between a 'yeah, I guess I did tell Bob the password, he could pass it on' and 'the password spreads through your entire social group like a bad chain email'.

          This sort of 'friend/acquaintance' attack is also exactly where slightly-too-automatic automation makes it really easy to bypass what limited good sense about security hum
    • Re:No (Score:5, Informative)

      by MightyMartian ( 840721 ) on Wednesday July 01, 2015 @06:29PM (#50029323) Journal

      Inflammatory Mode On: Why in the fuck would even want to opt-in to such a service? If it's private WiFi, it's likely to be at my home or my workplace, and in either case I absolutely do not ever want to share that over fucking Fuckbook, Twatter or whatever stupid lame-ass soshial neshworking crap site becomes the next biggest and greatest.

      Rational Mode On: Now let's imagine that my organization has a private WiFi hotspot available for employees and a few others. I do not ever want to have those keys shared outside that group, nor should I have to change MY network with an "_optout" on the end of an SSID. I would consider that a breach of security. Sure, I'll probably be able to disable Windows devices that are domain members via GPO, but if they're not actually devices belonging to the organization, or "Pro" versions of Windows where it even knows what the hell Active Directory is, then MY network is being compromised by this service.

      This is just a plain bad idea, whether you're being reasonable or inflammatory.

    • Re:No (Score:5, Informative)

      by ewhac ( 5844 ) on Wednesday July 01, 2015 @07:10PM (#50029567) Homepage Journal

      ahhhh no, for networks you have SELECTED to share it can do it. [ ... ]

      ERROR: MISLEADING.

      Wi-Fi Sense's default settings are to share everything, all the time. Indeed, Microsoft's rules for shipping Windows Phone 8.1 require OEMs to turn this "killer feature" fully on. Expecting users to have the presence of mind to turn this off is willfully disingenuous.

    • After setting up the new device and being prompted "Do you want to share your connection" how many users are gonna think to themselves "Well, yeah, I want to share this with my iDevice and tablet and the $housemate and ... " and click "Yes"?

  • Beyond Stupid (Score:3, Informative)

    by Mikkeles ( 698461 ) on Wednesday July 01, 2015 @06:06PM (#50029181)

    This is so moronic on so many levels.

  • by MAXOMENOS ( 9802 ) <mike@mikesmYEATS ... n.com minus poet> on Wednesday July 01, 2015 @06:08PM (#50029205) Homepage
    FBI Surveillance Van #1_optout just looks dreadful.
  • Comment removed (Score:5, Insightful)

    by account_deleted ( 4530225 ) on Wednesday July 01, 2015 @06:14PM (#50029233)
    Comment removed based on user account deletion
    • This is right up there with their leaving file extensions hidden by default.

      It kind of is, yeah, except it's actually nothing like that. You see, one of them is hiding file extensions, and the other one is giving out your password.

    • No, someone needs to be shot.

      This is the most idiotic thing I've heard of in a long time.

      Microsoft has said "fuck security", and once again have decided to "innovate" something which stupidly becomes a gaping security/privacy hole.

      What shithead thought of this?

      These passwords aren't Microsoft's to share, and decreeing that anybody who hasn't changed their SSID to opt out has consented.

      Fuck that.

      How bout we charge Microsoft with hacking and enabling unauthorized access to computer networks?

      Fucking idiots.

      • These passwords aren't Microsoft's to share

        Exactly. They are no one's to share but the owner of the access point, and when you give your house wifi password to a guest, most of them do understand that it's not ok to give that password to others. That changes when sharing passwords becomes a built-in or even automatic feature; if there's a button to share, it'll give the impression that it is safe and acceptable to do so.

  • First, we're only talking Windows 10 PHONE. Secondly, it's only available on networks you choose to allow this on. Third, yes, your wifi passwords are being backed up to make it easier when you migrate devices - Apple, Google and Microsoft all do this on your mobile devices. This isn't new! I can't imagine that this won't be opt in only by the time it RTMs (or whatever the equivalent is).
    • by ArmoredDragon ( 3450605 ) on Wednesday July 01, 2015 @06:35PM (#50029367)

      And if you give your wifi credentials to a guest who needs access to your network, they can opt you in without your permission or even your knowledge.

      The only way then to prevent unknown people from having your wifi password is to forbid Windows 10 mobile users from accessing your network.

    • by ewhac ( 5844 ) on Wednesday July 01, 2015 @07:25PM (#50029657) Homepage Journal

      First, we're only talking Windows 10 PHONE

      ERROR: INCORRECT

      First: This is in Windows 10 desktop, as detailed here, complete with screenshots: http://www.howtogeek.com/21970... [howtogeek.com]

      Second: Even if this were only confined to Windows Phone 10, it would still be monumentally stupid.

    • Apple backs up my passwords with an encryption key which is also protected by a separate password.

      Apple CAN NOT read my passwords, so they can not share them.

      Not sure about Google, but I hope it does the same.

      Microsoft is uploading passwords clear text or in some other equally dangerous form that's decryptable so they can be shared.

    • by flink ( 18449 )

      Secondly, it's only available on networks you choose to allow this on.

      I don't have any choice. If I give my friend my WiFi password, and he happens to be running a Windows 10 phone, suddenly my WiFi password is shared with all of his contacts. So now every time someone is over my house and asks for the WiFi I'll have to ask them if they currently own, or ever intend to own a windows phone. And then, assuming they understand the question, I have to sound like a paranoid asshole and say "no" if they answer in the affirmative. My other option is to rename my SSID to end in _o

  • No worries (Score:2, Insightful)

    by msobkow ( 48369 )

    No worries here. I always disable the WiFi on my routers. I prefer hardwired connections that don't give the router fits trying to perform encryption with their underpowered chips.

  • That feature will have a half life time in the range of days.
    MS is so focussed to make 10 a winner they will flip the default faster than we can get really upset about it.

  • by frovingslosh ( 582462 ) on Wednesday July 01, 2015 @06:29PM (#50029325)

    If you don't want someone's Windows 10 passing on your password, Microsoft has two solutions;

    Not a problem for me, they missed the obvious third solution. Never ever use Outlook, Don't use Skype and don't use Facebook. Problem solved without having to change my SSID. And, of course, there is a fourth solution but that involves using Linux.

    • by ewhac ( 5844 ) on Wednesday July 01, 2015 @07:15PM (#50029611) Homepage Journal

      ERROR: INCOMPLETE SOLUTION

      There is no provision in this "killer feature" that establishes whether the person doing the sharing is the network administrator, i.e. the person who grants authorization to use their network. So if you share your WAP credentials with a friend, and that friend uses Windows 10 with Wi-Fi Sense enabled, then that friend has just compromised your WAP.

      • Well, duh. If you give away your SSID to a 3rd party, YOU have compromised your security, not MS. That's why my guest room has a cat5 ethernet connection. And for special cases I do have an access point that I normally keep off but could turn on if someone shows up with a wifi only device such as a tablet. But the obvious solution for most users is simply be aware of this issue and never give your SSID password to a Windows 10 user. I have no problem explaining why if someone has Windows 10 they will not ge
  • I'm now revising my opinion of Outlook - especially in light of the recently passed Oz laws about pirating. In fact I'm about to order an external antenna for a laptop (trivial) hardware hack shortly.

    There are times when M$'s drive to put stupid in the sysadmin seat make me very happy - this may be one of them.

    No - I don't run Windows as my OS of choice. It's fine for some, in some situations (seriously). But rarely do I celebrate M$ stupid - and this "sounds" like both M$ stupid (I know - they really are

  • I have another way (Score:4, Insightful)

    by Trailer Trash ( 60756 ) on Wednesday July 01, 2015 @06:30PM (#50029337) Homepage

    Microsoft has two solutions; only share passwords using their Wi-Fi Sense service, or by adding "_optout" to your SSID.

    Or, just don't use windows 10. I think I may have found the answer there.

  • Including the one at my jobs? University? My City subscription?

    I can't change the name of the SSID where I paid for the service???!!!!

    • Thank you for being a friend,
      And sharing WiFi passwords there and back again.
      You're giving me the WiFi key of your favorite restaurant.

      And if they came to your dorm,
      Invited everyone you knew,
      You would see the ugly guy at the back downloading kiddie porn,
      And the FBI would raid you singing "Thank you for filling our jail!"

  • Not Exactly.... (Score:5, Informative)

    by nate_in_ME ( 1281156 ) <me@[ ]esmith.me ['nat' in gap]> on Wednesday July 01, 2015 @06:48PM (#50029453)
    I've been running pretty much every build of Win10 since the preview first came out, and this isn't accurate at all....Yes, the Wi-Fi sense option is there, but when you connect to a new network, there's a "share with my contacts" checkbox that you have to turn ON for this network to be shared. The Wi-Fi Sense "master switch" may be on by default, but you have to specifically allow each individual network to be shared.
    • Re:Not Exactly.... (Score:5, Insightful)

      by MightyMartian ( 840721 ) on Wednesday July 01, 2015 @06:53PM (#50029485) Journal

      That isn't the issue. The issue is YOU being able to share MY WiFi key because I was dumb enough to let a Windows 10 user on my WiFi network. This is akin to me giving you the keys to my house so you can housesit, and you getting a hundred copies cut and distributing them to a bunch of people you know.

      • Fair enough....I haven't tested the "other side" of this (using a shared key to access a network) because I don't use FB, Skype, or Outlook, but I would hope that the option I mentioned earlier (that "share this network with my contacts" switch) isn't an option for networks that you got the key for through Wifi Share. Maybe someone who's actually used the new feature can weigh in on that part of it
      • That isn't the issue. The issue is YOU being able to share MY WiFi key because I was dumb enough to let a Windows 10 user on my WiFi network. This is akin to me giving you the keys to my house so you can housesit, and you getting a hundred copies cut and distributing them to a bunch of people you know.

        So wrong.

        If you *tell* someone your WiFi password *then* there's nothing stopping them from sharing it with whomever they want. So do not do that. Not if he brings OS X or Linux or Windows.

        If you want to allow some friend onto your network but not allow him to share your network with others, then *you* tap in the password at his computer when it connects. On OS X or Linux or Windows. That's what you would do today, and that's what you would do when your friend brings a Windows 10. On Windows 10 simply DO NOT

    • by ewhac ( 5844 )

      ...when you connect to a new network, there's a "share with my contacts" checkbox that you have to turn ON for this network to be shared.

      If true, this would be a departure from the Windows Phone 8.1 OEM requirements, which require OEMs to fully enable this "killer feature": https://msdn.microsoft.com/en-... [microsoft.com]

  • ...which shares wifi passwords with Outlook.com contacts, Skype contacts and, with an opt-in, Facebook friends.

    How many of those people will ever be in close enough physical proximity to your access point to actually need your WiFi password? Seriously? Unless I'm missing something, this has to win "Stupidest Idea of the Year".

  • If you don't want someone's Windows 10 passing on your password, Microsoft has two solutions; only share passwords using their Wi-Fi Sense service, or by adding "_optout" to your SSID.

    Does adding this also prevent Microsoft from storing said WiFi password on their servers, or just instruct them to not share it out?

  • Don't use the craptastic poorly designed outlook for email.

  • ..that no-one in your contact lists is a secret pedophile or selling stuff on silknet....
  • Is there now a Fools' Day every three months?

    I refuse to believe this.

  • Holy fuck ... (Score:4, Insightful)

    by gstoddart ( 321705 ) on Wednesday July 01, 2015 @08:27PM (#50029921) Homepage

    So Microsoft has taken it upon themselves to share the network credentials with anybody it sees fit?

    Fuck you, Microsoft. How about you help us make networks more secure and not less?

    Not only will I stick with my Windows 8.1 install, but no Windows 10 device will ever get my network credentials.

    This has to be one of the stupidest things I've heard of. And, of course, since Microsoft will centrally store your passwords, law enforcement can subpoena them.

    Microsoft are too fucking incompetent at security to be trusted with this. And then to have the nerve to suggest we have to change our network names to opt out of their shit?

    Fuck you, Microsoft. Fuck you very much.

  • by steevo.com ( 312621 ) on Wednesday July 01, 2015 @10:19PM (#50030355)

    OPTOUT of Windows 10.

  • by grahamtriggs ( 572707 ) on Wednesday July 01, 2015 @11:20PM (#50030521)

    If Microsoft are stupid enough to ship this "feature" - and have it turned on by default - what are the chances that they will be hit with a massive lawsuit?

    No doubt there will at least be group policies - if not it disabled entirely - on professional editions of Windows, because corporate customers are going to run a mile from having external guests authenticating on to protected networks with confidential material, just because they happen to be a contact of the person they are visiting.

  • Do I understand this `feature` correctly? If I enable it then all of my contacts now have access to my wifi credentials. I can imagine that I might want this feature for my wife and kids but there is no way in hell I would want to do this for every contact in my list. My wife I trust but the friend of a friend that I just added to my contact list - not so much (although thinking about it maybe that should be reversed).

    If that is truly the way this thing works then this is one of the more brain dead ideas some clueless program manager came up with (ranks right up there with the idiot that decided that email messages should be HTML formatted and should contain active content).
