Our recent feature on the growing vulnerability of passwords chronicled the myriad ways crackers extract clues used to guess other people's login credentials. Add to that list a password reminder feature built in to recent versions of Microsoft's Windows operating system.
It turns out the password clues for Windows 7 and 8 are stored in the OS registry in a scrambled format that can be easily converted into human-readable form. That information would undoubtedly be useful to hackers who intercept a cryptographic hash of a targeted computer, but are unable to crack it. Jonathan Claudius, the SpiderLabs vulnerability researcher who documented the new Windows behavior, has written a script that automates the attack and added it to Metasploit, an open-source toolkit popular among whitehat and blackhat hackers alike.
The clue is added to the OS registry when users configure a Windows account to provide a hint about the password needed to access it. When he first saw the long string of letters and numbers that stored the hint, he thought it had been encrypted. Upon further examination, he learned that an eight-line Ruby script quickly decoded the text chunks.
"Although this stuff looked a bit unreadable on the surface we can now see that it can clearly be decoded and could be used by tools that extract the information from the SAM," he wrote, referring to the "security accounts manager" section of the registry. "This seems like it would be very helpful for penetration testers by giving them more insight into what the user's password might be, so I decided to take it one step further."
The hints are available to anyone who has physical access to a targeted PC, as Microsoft makes clear during the configuration or modification of a Windows account. But until now, those hints provided no help to hackers who use a drive-by website exploit or other similar attack to extract only the underlying password hashes. And that's where techniques like these come in. By revealing the password hint the user selected when creating the account, it could provide valuable clues such as "My favorite color" or "My first car" that make all the difference.
Microsoft officials didn't immediately provide comment for this story.
Listing image by Dan Goodin
reader comments
120