New features designed to make it easier to log into Windows 8 accounts allow encrypted passwords to be converted into plaintext in some cases, security researchers said.
The features, which allow people to sign in with a picture-based password and four-digit personal identification number, are intended to provide a less-cumbersome alternative to entering a password each time users want to access their account. Once people have set up a password for an account, they can use pictures or PINs to log in from then on.
But the added convenience comes at a cost. According to security experts who have tested the features in developer pre-releases of the upcoming Microsoft operating system, the features cause Windows 8 to store passwords using encryption that can be reversed. Attackers who gain physical control of a computer as well as administrator access can extract the key that recovers the plaintext password of each account that uses the log-on alternatives. The latest version of Windows Password Recovery, a password-cracking package sold by Russia-based Passcape Software, claims to do just that.
To be sure, decrypting the underlying authentication password that corresponds to a PIN or picture isn't possible in many situations. That's because it's stored in a "system vault" that's protected by the Windows 8 Data Protection API using the Advanced Encryption Standard algorithm. The key that unlocks the password, however, is easily extracted by users who have administrative control of the computer, allowing them to recover the plaintext passwords of any accounts that use the alternative login features. Security experts said that represents an increased risk over the use of cryptographic hashes to store passwords, because hashes are impossible to mathematically reverse.
"The single biggest risk I see is the likelihood of password reuse because people are really bad about choosing good passwords and they tend to reuse what they have over and over again," said security researcher Adam Caudill. "You can use this in a targeted attack against a person and take the knowledge that you gain there to pivot... attacking online services, anything from Dropbox accounts to Facebook. There's a fairly decent chance they're going to use the same password or a very similar password."
Ars chronicled the epidemic of password reuse and the growing insecurity of passcodes in a recent feature titled Why passwords have never been weaker—and crackers have never been stronger.
There are cases where it's possible for attackers to gain access to administrative accounts on lost or stolen laptops, and in those cases the encrypted passwords could be easily decrypted, said Per Thorsheim, a security adviser for a large company headquartered in Norway and an organizer of the upcoming Passwords^12 conference in Oslo. In cases where an unattended computer is left in sleep or hibernation modes, for example, passwords are sometimes not required to reactivate them.
The use of reversible encryption is an infinitely better alternative to plaintext for storing passwords, but security experts have long regarded it as inferior to password hashes, which are practically impossible to crack when users choose truly secure passwords. While the new features aren't exactly a security vulnerability, they would seem to go against Microsoft's Defense in Depth mantra.
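To make the contrast in that paragraph concrete, here is an added example (not code from the article, from Microsoft, or from Passcape) that models the two storage designs side by side: a "vault" that encrypts the password under a key kept on the same machine, versus a salted, iterated PBKDF2 verifier. The cipher is a hash-based stream cipher standing in for AES so the script needs only the standard library; the machine key, nonce and salt are constructed values, not anything read from Windows.

```python
import hashlib
import hmac
import os


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in for AES: SHA-256 in counter mode, keyed with the machine key."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def vault_store(password: str, machine_key: bytes) -> dict:
    """Reversible storage: anyone who can read machine_key can read the password."""
    nonce = os.urandom(16)
    pw = password.encode()
    ct = bytes(a ^ b for a, b in zip(pw, _keystream(machine_key, nonce, len(pw))))
    return {"nonce": nonce, "ciphertext": ct}


def vault_recover(record: dict, machine_key: bytes) -> str:
    """What an administrator with the key (and the vault) gets back: the plaintext."""
    ks = _keystream(machine_key, record["nonce"], len(record["ciphertext"]))
    return bytes(a ^ b for a, b in zip(record["ciphertext"], ks)).decode(errors="replace")


def hash_store(password: str, iterations: int = 100_000) -> dict:
    """One-way storage: the record can check a guess but cannot yield the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def hash_verify(record: dict, candidate: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])


def compare_models(password: str) -> dict:
    """Show that full read access to the stored records has different consequences."""
    machine_key = os.urandom(32)  # constructed: the key a local admin could extract
    vault = vault_store(password, machine_key)
    hashed = hash_store(password)
    return {
        "vault_recovers_plaintext": vault_recover(vault, machine_key) == password,
        "hash_verifies_correct": hash_verify(hashed, password),
        "hash_rejects_wrong": hash_verify(hashed, password + "x"),
    }
```

The point for a defender is the last function: with the vault design, every secret needed to recover the plaintext sits on the disk the attacker already holds, while the PBKDF2 record only ever answers yes or no to a guess.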
A Microsoft spokeswoman declined to respond to questions about whether company officials think the features should be used by corporate customers and in environments where security is key. Posts in user forums such as this one seem to suggest that Picture Password no longer works when logging into corporate or government networks, so it's possible Microsoft has already recognized the diminished security of such conveniences.