Windows 8 features make account passwords easier to steal

Windows 8 logoNew features designed to make it easier to log into Windows 8 accounts allow encrypted passwords to be converted into plaintext in some cases, security researchers said.

The features, which allow people to sign in with a picture-based password and four-digit personal identification number, are intended to provide a less-cumbersome alternative to entering a password each time users want to access their account. Once people have set up a password for an account, they can use pictures or PINs to log in from then on.

But the added convenience comes at a cost. According to security experts who have tested the features in developer pre-releases of the upcoming Microsoft operating system, the features cause Windows 8 to store passwords using encryption that can be reversed. Attackers who gain physical control of a computer as well as administrator access can extract the key that recovers the plaintext password of each account that uses the log-on alternatives. The latest version of Windows Password Recovery, a password-cracking package sold by Russia-based Passcape Software, claims to do just that.

To be sure, decrypting the underlying authentication password that corresponds to a PIN or picture isn't possible in many situations. That's because it's stored in a "system vault" that's protected by the Windows 8 Data Protection API using the Advanced Encryption Standard algorithm. The key that unlocks the password, however, is easily extracted by users who have administrative control of the computer, allowing them to recover the plaintext passwords of any accounts that use the alternative login features. Security experts said that represents an increased risk over the use of cryptographic hashes to store passwords, because hashes are impossible to mathematically reverse.

"The single biggest risk I see is the likelihood of password reuse because people are really bad about choosing good passwords and they tend to reuse what they have over and over again," said security researcher Adam Caudill. "You can use this in a targeted attack against a person and take the knowledge that you gain there to pivot... attacking online services, anything from Dropbox accounts to Facebook. There's a fairly decent chance they're going to use the same password or a very similar password."

Ars chronicled the epidemic of password reuse and the growing insecurity of passcodes in a recent feature titled Why passwords have never been weaker—and crackers have never been stronger.

There are cases where it's possible for attackers to gain access to administrative accounts on lost or stolen laptops, and in those cases the encrypted passwords could be easily decrypted, said Per Thorsheim, a security adviser for a large company headquartered in Norway and an organizer of the upcoming Passwords^12 conference in Oslo. In cases where an unattended computer is left in sleep or hibernation modes, for example, passwords are sometimes not required to reactivate them.

The use of reversible encryption is an infinitely better alternative to plaintext for storing passwords, but security experts have long regarded it as inferior to password hashes, which are practically impossible to crack when users choose truly secure passwords. While the new features aren't exactly a security vulnerability, they would seem to go against Microsoft's Defense in Depth mantra.

A Microsoft spokeswoman declined to respond to questions about whether company officials think the features should be used by corporate customers and in environments where security is key. Posts in user forums such as this one seem to suggest that Picture Password no longer works when logging into corporate or government networks, so it's possible Microsoft has already recognized the diminished security of such conveniences.

Source: Ars Technica

Tags: Microsoft, OSes, security, Windows 8

Add comment

Your name:
Sign in with:
Your comment:

Enter code:

E-mail (not required)
E-mail will not be disclosed to the third party

Last news

Galaxy Note10 really is built around a 6.7-inch display
You may still be able to download your content
Facebook, Messenger and Instagram are all going away
Minimize apps to a floating, always-on-top bubble
Japan Display has been providing LCDs for the iPhone XR, the only LCD model in Apple’s 2018 line-up
The 2001 operating system has reached its lowest share level
The entire TSMC 5nm design infrastructure is available now from TSMC
The smartphone uses a Snapdragon 660 processor running Android 9 Pie
The Samsung Galaxy A5 (2017) Review
The evolution of the successful smartphone, now with a waterproof body and USB Type-C
February 7, 2017 / 2
Samsung Galaxy TabPro S - a tablet with the Windows-keyboard
The first Windows-tablet with the 12-inch display Super AMOLED
June 7, 2016 /
Keyboards for iOS
Ten iOS keyboards review
July 18, 2015 /
Samsung E1200 Mobile Phone Review
A cheap phone with a good screen
March 8, 2015 / 4
Creative Sound Blaster Z sound card review
Good sound for those who are not satisfied with the onboard solution
September 25, 2014 / 2
Samsung Galaxy Gear: Smartwatch at High Price
The first smartwatch from Samsung - almost a smartphone with a small body
December 19, 2013 /

News Archive



Do you use microSD card with your phone?
or leave your own version in comments (16)