Vulnerability found in Windows that makes your password easier to guess

If you use Windows 7 or the newly released Windows 8, and like to password-protect your account, this might be worrying news for you. It has been revealed that recent Windows OSes store password hints in such a way that it is almost effortless for a remote user to decrypt them, potentially making it easy for them to guess your password.

According to an article at Ars Technica, Windows stores the password hints in the OS registry in a scrambled form which, worryingly, can be converted to a straightforward and readable format. This specific vulnerability would be useful to a remote hacker who has perhaps already intercepted a cryptographic hash from the targeted computer in question.

The vulnerability was recently found by a SpiderLabs researcher named Jonathan Claudius, who wrote an automated script and submitted it to the Metasploit project, which specialises in penetration testing software. He says that "although this stuff looked a bit unreadable on the surface we can now see that it can clearly be decoded and could be used by tools that extract the information from the SAM."

To put this in perspective, the security flaw allows a hacker to gain access to the password hint that a user has set, but only after first carrying out a different attack. The user's actual password is never decrypted, but this vulnerability does make it easier to guess for a remote user wanting to gain access. It is worrying, however, that the information was apparently recovered by a Ruby script of only eight lines which decoded the text.

Microsoft have yet to comment on the discovery of this latest vulnerability to Windows account security.
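As an added illustration, not code from the article, from SpiderLabs or from Metasploit, the Ruby script below shows the point the story turns on: a hint stored as a UTF-16LE byte blob is merely encoded, not encrypted, so it decodes with no key at all, and the only real defence is a hint that gives nothing away. The sample blob is constructed from a string here rather than read from a registry (the article names no registry path or value, and none is assumed), and `hint_leaks_password?` is a hypothetical policy check of my own, not a Windows feature.

```ruby
# Added example (not from the article, SpiderLabs or Metasploit).
# Shows that a UTF-16LE byte blob is an encoding, not encryption, and
# audits a proposed hint against the password it is meant to jog.

# Constructed sample blob: built from a string here, not read from a real
# registry. A binary hint value is reported to look like this on disk.
SAMPLE_HINT_BLOB = "A small pigeon".encode("UTF-16LE").bytes.freeze

# Render raw bytes the way a registry editor shows them ("41 00 20 00 ...").
# This is the "scrambled form" a casual look would not read as text.
def hex_dump(blob)
  blob.map { |b| format("%02x", b) }.join(" ")
end

# Turn the blob back into text. No key, no secret: UTF-16LE is a plain
# encoding, so anyone who can read the bytes can read the hint.
def decode_hint(blob)
  blob.pack("C*").force_encoding("UTF-16LE").encode("UTF-8").sub(/\0+\z/, "")
end

# Hypothetical hint-policy check (my own, not a Windows feature): since a
# hint must be assumed public, refuse one that reveals the password itself.
def hint_leaks_password?(hint, password)
  h = hint.downcase.strip
  pw = password.downcase
  return false if h.empty?
  return true if h.include?(pw)                     # password written into the hint
  return true if h.length >= 3 && pw.include?(h)    # hint is a chunk of the password
  # Shared leading characters narrow a guess almost as badly.
  common = 0
  common += 1 while common < [h.length, pw.length].min && h[common] == pw[common]
  common >= 4
end

if __FILE__ == $PROGRAM_NAME
  puts "stored bytes : #{hex_dump(SAMPLE_HINT_BLOB)}"
  puts "decoded hint : #{decode_hint(SAMPLE_HINT_BLOB)}"
  [["A small pigeon", "Onions"], ["Onions", "Onions"], ["ferrari", "Ferrari123"]].each do |hint, pw|
    verdict = hint_leaks_password?(hint, pw) ? "REJECT" : "ok"
    puts "hint #{hint.inspect} for password #{pw.inspect}: #{verdict}"
  end
end
```

The decoding step is the whole of what the article describes; the policy check is where a defender actually gets leverage, because a hint that is unrelated to the password (the "false trail" idea from the comments) loses nothing when it is read.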

Source: Ars Technica | Image via SpiderLabs


43 Comments


Security hints are displayed immediately after you have entered a wrong password for a particular account, available for reading to all who have access to your computer, so how's this a security vulnerability?

WOW, SO AMAZING.
The fact it's metasploit shows you how much this news is worth; nothing. Just about the same as what metasploit is worth.

This is pointless? The hint is easily accessible anyway; this is only useful as a "remote" attack and, as the author has already pointed out, you need some form of hack before it's doable. There are many other, better things to do in that case, such as installing a keylogger or, better yet, removing one of the accessibility tools and replacing it with the cmd prompt, which will then gain full admin privileges along with the ability to create and reset user accounts.

Peter van Dam said,
What I find more annoying is the ability to launch the PC with a Linux-based OS and find the user's password in just under 3 minutes.

Hooray for backwards compatibility.
It's not like MS doesn't know how to encrypt passwords so that they take a billion years on all the world's PS3s combined to decrypt.

Why are we making a problem of this? It's a hint. Does the hint also need a password so you can see the hint?

I've never set up a hint for my account. If I set up anything it's security questions, to allow access to the account, but no hints for guessing the password.

So...Windows stores the hints in a format that makes it easy to decrypt. No kidding. How else would Windows decrypt them when you need to remember your password?

Passwords can be hashed using secure functions because you never decrypt them, hints cannot.

Aethec said,
So...Windows stores the hints in a format that makes it easy to decrypt. No kidding. How else would Windows decrypt them when you need to remember your password?

Passwords can be hashed using secure functions because you never decrypt them, hints cannot.

This is anything but true. They could have encrypted it.

Right now it's just a binary value that is a UTF-16 encoded string. They could have done way more. That's not to say it was necessary though.

On MacOS you can view all account hints...

dscl . -readall /users AuthenticationHint

This only affects local accounts. Domain accounts have no hint.
Like previously stated, if you have something other than home version. Who uses the "User accounts" tool in control panel to create accounts anyway? I don't think I've ever used it.

Yes, being able to remotely access the password hint isn't a good thing, but I can't see this being a significant problem. Does anyone really use the hint? I guess some people do. However, many other factors will need to exist in order to make this really exploitable. Not only will you need to crack the hint, then guess the password, but you also need remote access to the system (RDP or otherwise). As a security guy, I don't like this, but find it hard to believe that this will cause many issues realistically.

FarCry3r said,
I thought such hints are already visible on the logon screen? What's so new about this?

True, but this vulnerability allows remote users to see the hint. What's visible on the login screen isn't what hackers usually see.

Stefano Elia said,
True, but this vulnerability allows remote users to see the hint. What's visible on the login screen isn't what hackers usually see.

I'm no hacker, but I believe if they have access to the system, they can also put alongside some payload so that it runs with the logon application.

Stefano Elia said,
True, but this vulnerability allows remote users to see the hint. What's visible on the login screen isn't what hackers usually see.

Actually, that's not true, and this isn't a vulnerability. To take advantage of this, you need to have SYSTEM-level access (basically su, for you Linux people), at which point you've already got enough privileges that you would have absolutely no use for sniffing around password hints anyway.

Here's the blog post from the people who found this: http://blog.spiderlabs.com/201...hints-are-belong-to-us.html

Even if this wasn't the case, I don't see the problem - hints should be considered public information, and it's not Microsoft's fault if someone just puts, say, their actual password in their hint.

Edited by MarkKB, Aug 23 2012, 10:43pm

If I feel uneasy I put a hint like "who is superman", something that has nothing to do with the password but will jog my memory as to what it could be. Maybe it's ferrari, taken from the red cape ...

Doesn't the hint appear on the first wrong password entered anyway? Also, it probably doesn't work on Live ID-enabled accounts.

x.iso said,
Doesn't the hint appear on the first wrong password entered anyway? Also, it probably doesn't work on Live ID-enabled accounts.

I'm quite sure that you have a "hint" system on MS accounts.

Windows 8 does not support hints for Microsoft accounts; you are instead asked to supply a mobile number, secondary email address, etc. for recovery purposes.

Arkose said,
Windows 8 does not support hints for Microsoft accounts; you are instead asked to supply a mobile number, secondary email address, etc. for recovery purposes.

This; they'll send you a text message with a code you can use.

If you're using a non-Home version of Windows, you can use Computer Management to create user accounts and set passwords without the need to enter a hint.

IronChef75 said,
If you're using a non-Home version of Windows, you can use Computer Management to create user accounts and set passwords without the need to enter a hint.

Windows also accepts a blank space for a hint.

Neobond said,
Remotely?
Obtain the password hash. Not easy on Win7-8. Then have console access to the machine to dump the SAM, or physical access to the HD to mount and dump the SAM. Yep, remotely.

Auzeras said,
False trail: Password: Onions
Hint: A small pigeon

This; false hints work best. I usually pick something like 'My favorite cow in the world' or similar.