Windows vulnerability allows hackers to remotely extract password hints (the reminders you use for Windows account passwords)

Do you have a password set to protect your Windows account? If you do, then more likely than not you set up a reminder hint to help you remember the password in case you ever forget. Microsoft claims this password hint is only accessible to someone physically accessing a Windows PC, meaning to see the hint you would have to be in front of the computer you are trying to hack. According to Jonathan Claudius, a security researcher at Trustwave’s SpiderLabs, there is an exploit hackers can use to remotely access the password reminder hints users set for Windows passwords.

The exploit revolves around Microsoft’s decision to store the password hint in the Windows registry in a cryptographically weak manner. According to Claudius, password hints are stored in a form that is not human-readable but are easily decoded using a simple decode algorithm. Anyone who has access to a password hint hash can decode it to reveal the password hint, which in turn would aid hackers (whitehat and blackhat) in guessing the password that protects the Windows PC.

It should be noted that breaking or bypassing a Windows user account password is an easy task if you have physical access to the machine, using tools such as Offline NT Password & Registry Editor or Ophcrack. What makes this vulnerability particularly worrisome is that anyone, through various hacking techniques, can remotely intercept the password hint hash and decode it. Note the emphasis on “remotely” — the ability to figure out the password hint without ever physically touching the computer in question.

Claudius confirms this vulnerability exists in Windows 7 and Windows 8; both these operating systems store the password hint hash at the HKLM\SAM\SAM\Domains\Account\Users\<userkey>\UserPasswordHint registry location. While he doesn’t provide details, Claudius acknowledges that this vulnerability exists in Windows XP, too, although the password hint hashes are stored in a different location in the registry. My guess is since it exists in Windows XP and Windows 7, Windows Vista is probably also affected.
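The article describes the stored hint as a value that is not human-readable yet falls to a "simple decode algorithm". The Python below is an added example, not code from the article, from Claudius, or from Trustwave. It assumes (the page does not say) that the UserPasswordHint value holds the hint text as UTF-16LE bytes, and it uses a constructed hint. It demonstrates the defender's point: a keyless encoding is obfuscation, not protection, so the only real mitigation is a hint that discloses nothing about the password. The last function is a hygiene check a password-policy tool could run when a user sets a hint; it is a hypothetical helper, not a Windows feature.

```python
"""Added example: why an encoding is not a cryptographic protection, plus a
hint-hygiene check. ASSUMPTION: the registry value is the hint as UTF-16LE."""
import binascii

# Registry location named in the article; <userkey> is the per-user subkey.
HINT_VALUE_PATH = r"HKLM\SAM\SAM\Domains\Account\Users\<userkey>\UserPasswordHint"


def encode_hint_as_stored(hint: str) -> bytes:
    """Produce bytes in the assumed on-disk form (UTF-16LE, no key involved)."""
    return hint.encode("utf-16-le")


def stored_hex(hint: str) -> str:
    """What the value looks like in a registry viewer: hex pairs, not words.
    This 'unreadable' appearance is the only thing hiding the hint."""
    return binascii.hexlify(encode_hint_as_stored(hint)).decode("ascii")


def decode_stored_hint(raw: bytes) -> str:
    """Reverse the assumed encoding. Nothing secret is needed, which is the
    whole problem. Trailing NUL padding, if any, is stripped."""
    return raw.decode("utf-16-le", errors="replace").rstrip("\x00")


def hint_leaks_password(hint: str, password: str, min_run: int = 4) -> bool:
    """Defender check (hypothetical policy helper): True if the hint contains
    the password, or any case-insensitive run of at least min_run characters
    taken from it. Intended to run at the moment a user chooses both values,
    the only time the plaintext password is legitimately available."""
    h = hint.lower()
    p = password.lower()
    if not p:
        return False
    if p in h:
        return True
    return any(p[i:i + min_run] in h for i in range(len(p) - min_run + 1))


if __name__ == "__main__":
    # Constructed sample hint for the demo.
    sample = "my dog's name"
    raw = encode_hint_as_stored(sample)
    print("stored as:", stored_hex(sample))        # looks opaque
    print("decoded  :", decode_stored_hint(raw))   # but trivially recovered
    print("leaky hint?", hint_leaks_password("it's summer2012", "Summer2012"))
```

The check treats the hint as an attacker would: case-insensitively and by substring, since a hint like "starts with Summ" narrows a guess almost as much as the full password does.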

Now some people may ask why this is a big deal. Remotely decoding password hints? So what! They aren’t getting access to the passwords. Calm down, bro. This vulnerability may not be as significant as a remote password hack, but it is still very important because it opens up an attack vector that was previously unknown. Microsoft needs to patch this… the sooner, the better.

[via ArsTechnica]

Comments

11 comments

  1. mukhi

    This is why Oracle database seems to be so much better. Unlike Windows, you cannot find the “location” of the data/file.

    I don’t use any password hint, but if I ever do, I will probably do what Mags does (I do that for my passwords).

  2. Frank

    @Frank:
    A useful use: as a decoy. To tempt the attacker to brute-force senseless passwords until account lockout steps in.

    BTW: These stupid M$ guys do not write an account lock to disk. So after a reboot you have the same amount of tries as before. And after the next reboot. And after…

  3. Mags

    Point 1: I use a password that no one would ever think that I would use.

    Point 2: My hint is also something that no one would have any idea as to what it is, nor give them any idea as to what my password is.

    It only makes sense to me, but no one else would understand what it is.