MD5 Password and Salt strategy

Hey all.
I'm about to implement encrypting our application passwords into the db using MD5.
It was brought to my attention that I should use some 'salt' on the password to help avoid a dictionary attack on the encrypted passwords in the db. This is not a big concern, as our db is protected, and if someone is running queries against it, they pretty much have the whole system. I do however want to do as good a job as possible, so if it adds some security to it, then why not.
So what is a realistic approach for this situation? Would I just encrypt 'password' + 'username', where 'username' is the salt? I've seen some mention of using something random for salt, but how would I track that when I need to check the password when the user logs in?
Any advice on the topic would be appreciated.
Regards,
Vic

I recommend reading the PKCS#5 standard which is available at http://www.rsasecurity.com/rsalabs/pkcs/pkcs-5/index.html. Chapter PBKDF2 describes just what you are looking for with the addition of an iteration count. If you have just one field to store the hashed (not encrypted) password you can concatenate the salt and the password hash to form one field.
The salt has to be unique among the users, so using the user name as the salt is quite appropriate.
Oh, and remember to store the hash as something readable like in Base64 encoding or as a hex string.
Regards,
Frank
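
As an added example (not code from either poster), here is one way to keep a random salt and the PBKDF2 iteration count in the same database field as the hash, so both are simply read back at login. The `scheme$iterations$salt$hash` layout, the 100,000 iteration count and the use of HMAC-SHA-256 instead of MD5 are assumptions of this sketch.

```python
import base64
import hashlib
import hmac
import os

SCHEME = "pbkdf2-sha256"   # assumed label for this storage format
ITERATIONS = 100_000       # assumed work factor; raise it as hardware allows
SALT_BYTES = 16


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return one storable field: scheme$iterations$salt$hash (Base64 parts)."""
    salt = os.urandom(SALT_BYTES)  # fresh random salt for every password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([SCHEME, str(iterations), _b64(salt), _b64(dk)])


def _parse(stored: str):
    """Split a stored field; raises ValueError on anything malformed."""
    scheme, iters, salt_b64, hash_b64 = stored.split("$")
    iterations = int(iters)
    salt = base64.b64decode(salt_b64, validate=True)
    expected = base64.b64decode(hash_b64, validate=True)
    if scheme != SCHEME or iterations < 1 or not expected:
        raise ValueError("not a record produced by hash_password")
    return iterations, salt, expected


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the salt and count read back from the stored field."""
    try:
        iterations, salt, expected = _parse(stored)
    except ValueError:  # malformed or foreign record never authenticates
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=len(expected))
    return hmac.compare_digest(dk, expected)  # constant-time comparison


def needs_rehash(stored: str) -> bool:
    """True when a record was written with a lower iteration count."""
    try:
        return _parse(stored)[0] < ITERATIONS
    except ValueError:
        return True
```

Because the iteration count travels with each record, it can be raised later and old records upgraded the next time the user logs in successfully.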

Similar Messages

  • Migration Users with MD5 Passwords to Directory Server 6.1 on Solaris 10

    Hi,
    We are currently in a requirement of migrating some users to an application database to inside LDAP. Currently Application maintained the passwords in the MD5 hash form. Typical 32 digit Hex value - 41da76f0fc3ec62a6939e634bfb6a342
    Is there a way we can migrate these Users password to directory Server as-is so that they don't end up facing the prospect of resetting post migration.
    I have done some of the initial ground work but seems to be missing other critical info if at all it's possible.
    I believe it's possible to have CRYPT password policy (which directory server uses from underlying OS) as one of the plug-ins to configure in a way that underlying CRYPT utility starts to process/provide/support MD5 hashes. I got it to work, by using the below command on DSEE instance:
    dsconf set-plugin-prop -p 389 CRYPT argument:'$md5$'
    But for some reasons the MD5 hash (Sun MD5 library) provides does not match with the original hash value. It's 22 char long (as I have not specified any salt length) so I am assuming it's Base64 encoded. I have a perl script which converts the original 32-digit hex values to a base64 encoded representation (which I have also verified with other open source tools)
    Is there a way I can tweak CRYPT utility or something so that it understands typical standard MD5 hashes. (Confused between Sun MD5 and BSD (Linux) MD5 - none of them seems to match standard MD5 generated value).
    Any leads on this would be really helpful ?

    Just to reclarify or throw more information:
    a password - cleartext value - testuser1 has 32-digit HEX value as - 41da76f0fc3ec62a6939e634bfb6a342
    Same password when converted to Base64 pattern becomes - Qdp28Pw+xippOeY0v7ajQg==
    But when I use pwdhash utility in DSE after configuring CRYPT to use MD5 hashes it becomes -
    {crypt}$md5$$LiB/H70zXr3xfQPoXVuUQ1
    I used below command :
    pwdhash -D /opt/SUNWdsee/dsee6/ds6/slapd-oha-dev -s CRYPT testuser1
    Actual hash value of pwdhash is -LiB/H70zXr3xfQPoXVuUQ1 with rest of the prefix is to meet RFC standard and salt and algo name separator.
    I am wondering if Sun MD5 default uses any salt even when I haven't used or DS does it. Or if any other MD5 option is there which can be used.
    Thanks,
    Gaurav

  • Migrating Linux shadow-file MD5 passwords to Sun DSEE for Solaris/SunMail

    Hello all,
    We are about to undertake migration of an outdated mail server based on RedHat 7.2 and Sendmail/ipop3d to Sun Messaging Server (JCS6u2). While the filesystem/mail are not a problem, we're stuck at the question of how to best migrate old users' identities.
    The old Linux system used user names and password hashes stored in /etc/passwd and /etc/shadow files. Hashes are mostly MD5 and a few seem like crypt.
    Question is: are there known incompatibilities between password hashes (algorithms, expected format) in Linux and Sun products - Solaris/DSEE/SunMail?
    That is, if we just take strings like these:
    usemd5:$1$Wu7IqFT5$TeUht3OMdeSSBB3Vab4dB.:11262:0:::::134540116
    usecrypt:DD2kEwCD8nies:10220::::::
    Can we simply place the second column as the userPassword attribute in Sun DSEE and expect that users would be able to log in to LDAP-enabled Solaris and Sun Mail with their old passwords known only to them?
    If not, is there some simple modification/translation of such hashes to a format accepted by Sun products?
    Or are these formats/algorithms known to be incompatible somehow in a fatal manner, so our only option would be generation of new passwords for Sun DSEE and its clients?
    Thanks,
    //Jim
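
The hash strings quoted in the two migration posts above come from different schemes, which is why a plain MD5 digest never equals what crypt(3) produces with `$1$` or `$md5$`: those are salted, iterated constructions with their own encoding. The following added example (not from any poster) names the scheme of each string, pulls out its salt, and converts a 32-digit hex MD5 to the `{MD5}` Base64 form; the function names are hypothetical, and whether a directory accepts a given scheme depends on its storage-scheme plug-ins and the platform's crypt(3).

```python
import base64
import hashlib
import hmac
import re

CRYPT64 = r"[./0-9A-Za-z]"  # alphabet used by crypt(3) style encodings


def hex_md5_to_ldap(hex_digest: str) -> str:
    """32-digit hex MD5 -> '{MD5}' + Base64 of the same 16 raw bytes."""
    raw = bytes.fromhex(hex_digest)
    if len(raw) != 16:
        raise ValueError("an MD5 digest is exactly 16 bytes")
    return "{MD5}" + base64.b64encode(raw).decode("ascii")


def classify(value: str) -> dict:
    """Name the scheme of a stored hash string and extract its salt, if any."""
    v = value.strip()
    if v.lower().startswith("{crypt}"):          # LDAP wrapper around crypt(3)
        v = v[len("{crypt}"):]
    if v.lower().startswith("{md5}"):            # unsalted digest, Base64
        raw = base64.b64decode(v[5:], validate=True)
        if len(raw) != 16:
            raise ValueError("{MD5} value does not hold 16 bytes")
        return {"scheme": "raw-md5", "salt": None, "hex": raw.hex()}
    if re.fullmatch(r"[0-9a-fA-F]{32}", v):      # unsalted digest, hex
        return {"scheme": "raw-md5", "salt": None, "hex": v.lower()}
    m = re.fullmatch(r"\$1\$([^$]{0,8})\$" + CRYPT64 + r"{22}", v)
    if m:                                        # BSD/Linux MD5 crypt
        return {"scheme": "md5crypt", "salt": m.group(1), "hex": None}
    m = re.fullmatch(r"\$md5(?:,rounds=\d+)?\$([^$]*)\$\$?" + CRYPT64 + r"{22}", v)
    if m:                                        # Sun MD5 crypt
        return {"scheme": "sun-md5-crypt", "salt": m.group(1), "hex": None}
    if re.fullmatch(CRYPT64 + r"{13}", v):       # traditional DES crypt
        return {"scheme": "des-crypt", "salt": v[:2], "hex": None}
    return {"scheme": "unknown", "salt": None, "hex": None}


def check_raw_md5(password: str, value: str) -> bool:
    """Test a cleartext against an unsalted MD5 record (hex or {MD5} form)."""
    info = classify(value)
    if info["scheme"] != "raw-md5":
        return False
    digest = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hmac.compare_digest(digest, info["hex"])
```

Only the `raw-md5` records can be re-encoded between hex and Base64; the crypt(3) records have to be carried over unchanged and checked by a crypt implementation that supports the same scheme.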


  • Sun Management Console doesn't support MD5 passwords?

    I recently converted all our Sun systems to use MD5 passwords, using the Linux-BSD algorithm. I chose the Linux-BSD algorithm for compatibility reasons. After giving root a new password, now stored in MD5 format, I can no longer log in to the Sun Management Console (smc). I had the same problem with DB2. Switching root's password back to CRYPT fixed the issue.
    Is this a known problem that Sun is working on? And how does this happen? Shouldn't the application leave authentication to the OS?
    Mark

    IIRC the Solaris 10 Basic admin guide talks about this issue.
    alan

  • I have changed my password and still can't get homesharing to work. Get the message "Homesharing could not be activated because the account or password was incorrect. It's what I have used to sign in here!

    I  have changed my password and still can't get home sharing to work. Get the message "Home sharing could not be activated because the account or password was incorrect." It's what I have used to sign in here! Any help much appreciated.

    So I reset my Apple ID password. Which then stopped my MobileMe account from working. Hang on - these were 2 different accounts a while ago, with different passwords!!!
    So I have logged back in to MobileMe with my AppleID, and that's working again. After a short wait I can now create Home Sharing again.
    Folks, I think we have just had our Apple IDs merged with our MobileMe accounts!! With no consultation or warning.
    My guess is that this is the most seamless way for Apple to do it, as the vast majority of people use only one email address and one password for everything. Only those of us who had the same email address but different passwords for MobileMe and Apple ID will have noticed. Annoying for us few, but a clever strategy on Apple's part, because we have been driven to fix the issue ourselves by changing the password, and in doing so we have realised that our MobileMe account is now the same thing as our Apple ID.

  • LDAP authentication with MD5 passwords

    Hi,
    in one of our Linux servers we have MD5 passwords stored in /etc/shadow. We want to implement pam_ldap on that machine, and move passwords to an LDAP database.
    I know it is to be done with {crypt} storage scheme.
    This works with DS 5.2 running on a Linux box, but under Solaris 8 I couldn't get it working. I know that Solaris 8 doesn't support MD5 passwords in its crypt(3) function, and I suppose Directory Server uses that. Somewhere I read that, however crypt() in Solaris 9 does support MD5.
    Can you confirm that after upgrading to Solaris 9, authentication with MD5-hashed passwords will be possible? Has anyone tried it?
    Thanks in advance,
    Kristof

    Thank you for your reply.
    Our openldap version is openldap-2.3.39
    And all passwords are encrypted with : Base 64 encoded md5
    Below is a sample password:
    {md5}2FeO34RYzgb7xbt2pYxcpA==
    Thanks again for any help..

  • Password and i-Tunes 7.0 install

    Don't know if anyone can help, but I need to upgrade to i-Tunes 7.0 because I just purchased a new i-Pod 2GB and I can't remember my administrator password and don't have access to my set up disc at the moment. Does anyone know if there is a way round this please? Thank you.

    I got it figured out, thanks to a post by b noir (below).
    First thing I did was go into "my computer" to make sure I am logged in as admin with my administrator login and password. If you don't remember your password, then you can change it.
    Then, B noir posted this:
    Re: (IPodService) could not be stopped.
    Posted: Dec 21, 2006 12:10 AM in response to: efg99
    "Service 'Ipod Service' (iPodService) could not be stopped. Verify that you have sufficient privileges to stop system services."
    The solution:
    that can happen sometimes if the itunes installer is having a hard time shutting down either itunes or quicktime (or applications using quicktime) prior to the install. so let's try a "download, restart, then install strategy."
    leave your ipod unplugged.
    download and save a copy of the itunes installer to your hard drive. (do not run the install on line, and do not start the install by clicking on the iTunesSetup.exe (installer) file just yet.)
    iTunes 7.0.2.16 Installer

  • Solaris 10 openldap authentication with md5 passwords

    Hello to everyone,
    We are trying to enable ldap authentication with pam_ldap and md5 passwords on a Solaris 10 system to an openldap server. If passwords are stored using crypt, everything works correctly. But if the password in openldap is in md5, then authentication fails.
    We have installed openldap client along with pam_ldap and nss_ldap from padl (http://www.padl.com/pam_ldap.html)
    The error messages when trying to 'su -' to the ldap user are:
    Jun  1 18:35:23 servername su: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
    Jun  1 18:35:23 servername su: [ID 810491 auth.crit] 'su ldapuser' failed for mike on /dev/pts/4
    and for ssh:
    Jun  1 18:35:54 servername sshd[14197]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
    Jun  1 18:35:54 servername sshd[14191]: [ID 800047 auth.error] error: PAM: Authentication failed for ldapuser from pc7395.sa.example.int
    Jun  1 18:36:00 servername sshd[14224]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
    Jun  1 18:36:00 servername sshd[14191]: [ID 800047 auth.error] error: PAM: Authentication failed for ldapuser from pc7395.sa.example.int
    Jun  1 18:36:02 servername sshd[14278]: [ID 800047 auth.info] Accepted publickey for scponly from 10.24.4.52 port 35390 ssh2
    Jun  1 18:36:04 servername sshd[14270]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
    Jun  1 18:36:04 servername sshd[14191]: [ID 800047 auth.error] error: PAM: Authentication failed for ldapuser from pc7395.sa.example.int
    Jun  1 18:36:04 servername sshd[14191]: [ID 800047 auth.info] Failed keyboard-interactive/pam for ldapuser from 192.168.1.25 port 41075 ssh2
    Jun  1 18:36:08 servername sshd[14191]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
    Jun  1 18:36:08 servername sshd[14191]: [ID 800047 auth.info] Failed password for ldapuser from 192.168.1.25 port 41075 ssh2
    Jun  1 18:36:12 servername sshd[14191]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
    Jun  1 18:36:12 servername sshd[14191]: [ID 800047 auth.info] Failed password for ldapuser from 192.168.1.25 port 41075 ssh2
    Jun  1 18:36:17 servername sshd[14191]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
    Jun  1 18:36:17 servername sshd[14191]: [ID 800047 auth.info] Failed password for ldapuser from 192.168.1.25 port 41075 ssh2
    Below are the configuration files (pam.conf, nsswitch.conf, ldap.conf) and anything else that I imagine could help (comments of the files have been removed).
    Please feel free to ask for any other configuration file:
    */etc/pam.conf*
    login   auth requisite        pam_authtok_get.so.1
    login   auth required         pam_dhkeys.so.1
    login   auth required         pam_unix_cred.so.1
    login   auth required         pam_dial_auth.so.1
    login   auth sufficient       pam_unix_auth.so.1  server_policy debug
    login   auth required           /usr/lib/security/pam_ldap.so.1 debug
    rlogin auth sufficient       pam_rhosts_auth.so.1
    rlogin auth requisite        pam_authtok_get.so.1
    rlogin auth required         pam_dhkeys.so.1
    rlogin auth required         pam_unix_cred.so.1
    rlogin  auth required          pam_unix_auth.so.1 use_first_pass
    rsh    auth sufficient       pam_rhosts_auth.so.1
    rsh    auth required         pam_unix_cred.so.1
    rsh    auth required         pam_unix_auth.so.1
    ppp     auth requisite        pam_authtok_get.so.1
    ppp     auth required         pam_dhkeys.so.1
    ppp     auth required         pam_dial_auth.so.1
    ppp     auth sufficient       pam_unix_auth.so.1 server_policy
    other   auth sufficient         /usr/lib/security/pam_ldap.so.1 debug
    other   auth required           pam_unix_auth.so.1 use_first_pass debug
    passwd  auth sufficient          pam_passwd_auth.so.1 server_policy
    passwd  auth required           /usr/lib/security/pam_ldap.so.1 debug
    cron    account required      pam_unix_account.so.1
    other   account requisite     pam_roles.so.1
    other   account sufficient       pam_unix_account.so.1 server_policy
    other   account required        /usr/lib/security/pam_ldap.so.1 debug
    other   session required      pam_unix_session.so.1
    other   password required     pam_dhkeys.so.1
    other   password requisite    pam_authtok_get.so.1
    other   password requisite    pam_authtok_check.so.1
    other   password required     pam_authtok_store.so.1 server_policy
    */etc/ldap.conf*
    base ou=users,ou=Example,dc=staff,dc=example
    ldap_version 3
    scope sub
    pam_groupdn [email protected],ou=groups,ou=Example,dc=staff,dc=example
    pam_member_attribute memberUid
    nss_map_attribute uid displayName
    nss_map_attribute cn sn
    pam_password_prohibit_message Please visit https://changepass.exapmle.int/ to change your password.
    uri ldap://ldapserver01/
    ssl no
    bind_timelimit 1
    bind_policy soft
    timelimit 10
    nss_reconnect_tries 3
    host klnsds01
    nss_base_group         ou=system_groups,ou=Example,dc=staff,dc=example?sub
    pam_password md5
    */etc/nsswitch.conf*
    passwd:     files ldap
    group:      files ldap
    hosts:      files dns
    ipnodes:   files dns
    networks:   files
    protocols:  files
    rpc:        files
    ethers:     files
    netmasks:   files
    bootparams: files
    publickey:  files
    netgroup:   files
    automount:  files
    aliases:    files
    services:   files
    printers:       user files
    auth_attr:  files
    prof_attr:  files
    project:    files
    tnrhtp:     files
    tnrhdb:     files
    */etc/security/policy.conf*
    AUTHS_GRANTED=solaris.device.cdrw
    PROFS_GRANTED=Basic Solaris User
    CRYPT_ALGORITHMS_DEPRECATE=__unix__
    LOCK_AFTER_RETRIES=YES
    CRYPT_ALGORITHMS_ALLOW=1,2a,md5
    CRYPT_DEFAULT=1
    Thanks in advance for any response...!!


  • MD5 Password Support in DS5.2

    I need to import accounts from an Oracle Directory (OID) to the Sun Directory 5.2p6. The passwords in the accounts use MD5. From what I read, MD5 is supported, but I am not finding how to configure it to work :).
    I do see a plugin called NS-MTA-MD5, but not just MD5. I tried using NS-MTA-MD5 but that does not work.
    An example MD5 password is: {MD5}SCyBHaXVtLxtSX/6mEkeOA==
    cleartext: password123
    Any help is appreciated.
    Thanks,
    Eric

    There is no default support for an MD5 hashing scheme.
    Provided the algorithm used by Oracle Directory is publicly documented, it should be pretty straightforward to implement a new Password Storage Scheme Plug-in to support both Authentication and hashing new passwords in MD5 format.
    Directory Server ships with a sample plug-in that can be used as a template.
    Regards,
    Ludovic.

  • Password and Blowfish? (Much closer but still need help)

    I'm still trying to decrypt a file encoded with a password-based (PBKDF2) Blowfish cipher. I'm a bit further now but starting to run out of ideas. Here is what I have so far:
    // 1. Given a password, build a password-based key and from that build a Blowfish key
    PBEKeySpec kspec = new PBEKeySpec( pwd.toCharArray(), salt, iterationCount, keySize );
    SecretKeyFactory kfact = SecretKeyFactory.getInstance( "PBKDF2WithHmacSHA1" );
    SecretKey sKey = kfact.generateSecret( kspec );
    byte[] keyBytes = sKey.getEncoded(); // Is this right?
    Key bfKey = new SecretKeySpec( keyBytes, "Blowfish" );
    // 2. Given Blowfish key and initialization vector, decrypt the cipherText into plainText
    Cipher cipher = Cipher.getInstance("Blowfish/CFB/NoPadding");
    IvParameterSpec iv = new IvParameterSpec( initVector );
    cipher.init( Cipher.DECRYPT_MODE, bfKey, iv );
    byte[] plainText = cipher.doFinal( cipherText );
    In a full test bed, this compiles and runs just fine, except that it doesn't appear to decrypt the data as expected.
    More specifically, when I use Cipher.ENCRYPT_MODE to encrypt something like "This-is-a-test" and then decrypt the result with the code above only the first 8 bytes of the result return to plain text, the rest are garbage ("This-is-XXXX...").
    The simple test case, at least, should work perfectly but I'm still missing something crucial. The fact that the first 8 bytes decode fine but not the rest feels like a hint to me, but I'm just not getting what the issue might be as I used the same password, initialization vector, key-, and cipher-types in both directions (encode/decode).
    Help?

    Umm, mea culpa on the encrypt/decrypt test; that part works now (yay!) My core issue remains, however, and that involves getting the OOo document component (content.xml) to decrypt:
    The document meta-data definitely indicates "Blowfish CFB" which I take to mean "Blowfish/CFB/NoPadding".
    What would help me greatly is if someone (perhaps even you, Sabre) could take a look at the following code fragment and tell me if I'm (a) doing something fundamentally wrong here (specifically with the key conversion from PBKDF2 to Blowfish), or (b) if there is an alternative way of doing what I think(hope) I'm doing, which may have different/better results. My trouble is that the decrypt step on the document produces merely binary data (not compressed data which was to come out of the decryption):
    // 1. Create a password-based ("PBKDF2") key, then build a "Blowfish" key from that
        SecretKeyFactory keyFactory = SecretKeyFactory.getInstance( "PBKDF2WithHmacSHA1" );
        PBEKeySpec pbKeySpec = new PBEKeySpec( password.toCharArray(), salt, 1024, 128 );
        SecretKey pbKey = keyFactory.generateSecret( pbKeySpec );
        byte[] encoded = pbKey.getEncoded();
        Key bfKey = new SecretKeySpec( encoded, "Blowfish" );
    // 2. Initialize a specific cipher with the key, and initialization vector
        Cipher bfCipher = Cipher.getInstance( "Blowfish/CFB/NoPadding" );
        IvParameterSpec iv = new IvParameterSpec( initVector );
        bfCipher.init( Cipher.DECRYPT_MODE, bfKey, iv );
    // 3. Decrypt it
        byte[] plainText = bfCipher.doFinal( cipherText );
    If full code would help, I'll gladly post it, but the above is the distilled core of the thing and probably easier to grok. Thanks!

  • TS2446 i have changed my password and i cant still get on to buy things ??

    what am i doing wrong??


  • Solaris & MD5 Passwords ?

    Hi!
    We've got a linux NIS domain inhouse, and would like to also integrate our sun boxes to this domain. The Problem is that RedHat Linux uses MD5 encryption for pam password, and it seems that solaris isn't able to encrypt passwords this way...
    Anyone knows a solve, or perhaps a lib which supports md5 ?
    Thanks...
    -- Mirko

    One way of doing this:
    You have a solaris resource adapter configured and is working properly.
    Create a variable and map this variable to the password attribute on the solaris adapter schema mapping.
    Within the form that is used when a create or update is processed, add a field with the name of the 'global.YOURVARIABLE'. Within the expansion of this field select expression and use the <script> tag to use the MD5 password javascript for instance.
    A better way of doing, is putting the <script> in a rule, test the rule, and call the rule from the expansion.
    Good luck!
    Elger.

  • I am locked out of IMAP for want of a password and I don't know what password is required.

    I had an unauthorized attempt to login to my Gmail account which was blocked. Gmail wanted me to change my Google password, which I did. Gmail now works fine, but Thunderbird now asks for:
    "Enter your password for -- [email protected]@imap.gmail.com:" to which I have
    1. Put in the new password several times and gets rejected each time, and
    2. I deleted the old password, as well as the new password, that Thunderbird recorded, several times (The only way to change a password saved by the password manager is to delete it, get prompted for the new password the next time it needs it, and then tell it again to save that password. You can delete the password using Tools -> Options -> Privacy -> Passwords -> View Saved Passwords by selecting the password and then pressing the Remove button). I have been prompted for the new password.
    I keep getting the generated tiny reply at the bottom right of my screen: "Thunderbird Alert from account [email protected]: Application specific password required: http://support.google.com/accounts/bin/answer=185833 (Failure)".
    This question is similar to the gentleman having problems in the UK/Caribbean, but Gmail did not generate me a new password, I did.
    Any new suggestions welcome!

    "Enter your password for -- [email protected]@imap.gmail.com:"
    On IMAP and SMTP servers: change user name from [email protected] to pvedxxxxx
    Try another client. Perhaps SeaMonkey (http://www.seamonkey-project.org), which requires manual configuration of accounts.
    Since this is IMAP your messages are stored on the server, so the following should not cause you to lose any e-mails. Try the following as a last resort.
    Delete the account from Thunderbird and then add it; starting over from scratch.

  • HT5621 I have 2 email addresses ( 1 mac. and 1 blueyonder.) with separate Apple IDs for each ( again 1 mac and 1 blueyonder). This has consistently given me problems with passwords and I would now like to combine them into one account to help overcome thi

    I have 2 email addresses (1 mac.and 1 blueyonder.) each with separate identities and passwords. I am forever getting asked to verify identity and/or passwords and having these refused and me then having to set up new ones. Can I combine my email addresses to a single Apple Identity and Password? If yes then How?
    Any help much appreciated as this is driving me crazy!

    Depending on what you're asking...
    There is no means to merge Apple IDs.  You can change the mail address associated with your Apple ID, so you might switch to using and purchasing from one email address, and using the second as a backup.  (There's no means to merge the purchases, and related baggage.)
    While I'm guessing this was about Apple IDs, for completeness...  Combining the mail messages involving multiple email addresses is separate from the Apple ID; that is usually done with some combination of notifying the senders or with the forwarding of messages from one mail server to the preferred server.  Or running multiple mail accounts in parallel, depending on what you are up to.

  • HT204053 Dear Support Team, every time i tried to logon Icloud its gives me wrong user name or password and at the end it show me error " This Apple ID is valid but is not an ICloud Account" then how can i use one account for same Apple ID and ICloud???

    Dear Support Team,
    Every time i tried to logon Icloud its gives me wrong user name or password and at the end it show me error " This Apple ID is valid but is not an ICloud Account" then how can i use one account for same Apple ID and ICloud?
    Thanks

    It is not possible to create a new iCloud account using a Windows machine. You must create the account using a Mac (10.7.5 or more) or an IOS device (iPhone etc). Once that is done you can sign into and use the account on your Windows machine.
