Is the Windows 8 registry vulnerable to user-password-retrieval-hint attacks? If so, what protections can help defend against such Windows password hint attacks?
Answered by SearchSecurity.com expert Michael Cobb.
Vulnerability researcher Jonathan Claudius of Trustwave's SpiderLabs research team came across a value called UserPasswordHint in the Security Accounts Manager (SAM) database in Windows. The SAM database, which Windows uses to store local account information, is implemented as a registry hive (HKLM\SAM), with one subkey per account under SAM\Domains\Account\Users. Further investigation with co-researcher Ryan Reynolds of consulting firm Crowe Horwath let them extract and decode the hints, which are stored as UTF-16LE-encoded binary data rather than readable text. They then updated the hashdump post-exploitation module in the open source Metasploit penetration testing framework so that it collects user password hints from the SAM database on Windows 7 and 8 systems alongside the password hashes.
There are already established ways to discover a single user's password hint. With physical access to a machine, for example, an attacker who knows or guesses a username simply enters a wrong password and reads the hint that Windows then displays on the logon screen. What makes the SAM finding alarming is scale: once an attacker has SYSTEM-level access on a compromised machine (the SAM hive's permissions deny even administrators direct read access, so this is a post-exploitation step rather than an initial foothold), every local account's hint can be pulled at once, remotely and together with the password hashes. Hints are obviously valuable to an attacker because they narrow the search space for an offline cracking attack, allowing a password to be deduced far more quickly.
Password hints have to be available before a user logs in, since their whole purpose is to be shown on the logon screen when a password is forgotten; they were never designed to be secret. That same availability makes them useful to attackers, so they need to be used with care.
An enterprise password policy should state that a password hint must have meaning only for its owner. A hint should never be so explicit that another person can guess the password from it: it's a hint, not an obvious clue. Note that hints exist only for local accounts; domain accounts have none, so on a domain-joined machine the exposure is limited to local accounts such as the built-in Administrator or shared local admin accounts, which is all the more reason to keep those few accounts free of real hints. Alternatively, hints can be prohibited outright, but this may well increase password reset requests to the help desk. Windows 8 does not allow an empty hint when a password is set for a local account through its settings UI, but neutral text such as ‘Please call the help desk' can be entered instead of an actual hint. The best mitigation of this risk is to enforce a strong password policy: a hint only helps an attacker when the password is weak enough that a clue makes it guessable, and against long, non-dictionary passwords even a leaked hint buys little.
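The following PowerShell script is an added audit example, not code from the original article or from the researchers' Metasploit change. It reads local-account hints from the same place the hashdump module does, the SAM hive, decodes them from UTF-16LE and flags hints that violate the policy above (very long hints, hints containing the user name, or hints containing words such as "password"). The hive path and value encoding are stated as assumptions in the comments, and the weak-hint heuristics are this example's own; they are not defined by Windows or by the article. Because the SAM key's ACL blocks even administrators, the script must run as SYSTEM, for example via `psexec.exe -s -i powershell.exe`.

```powershell
# Added example: audit local-account password hints stored in the SAM hive.
# Must run as SYSTEM (e.g. psexec.exe -s -i powershell.exe -File .\Audit-PasswordHints.ps1);
# the SAM key denies read access to Administrators by default.
# Assumptions (not from the article): the key path below, that UserPasswordHint is
# REG_BINARY UTF-16LE text, and the heuristics used by Test-WeakHint.

$samUsers = 'HKLM:\SAM\SAM\Domains\Account\Users'

# Map RID -> account name via WMI so the hex-named subkeys become readable.
$ridToName = @{}
Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True" | ForEach-Object {
    $rid = [int](($_.SID -split '-')[-1])
    $ridToName[$rid] = $_.Name
}

# Words that turn a hint into a giveaway rather than a reminder (example list).
$badWords = @('password', 'passwd', 'pwd', 'pass')

function Test-WeakHint {
    param([string]$Hint, [string]$User)
    $reasons = @()
    if ($Hint.Length -gt 40) { $reasons += 'long hint (likely spells out the password)' }
    foreach ($w in $badWords) {
        if ($Hint -match "(?i)\b$w\b") { $reasons += "contains '$w'" }
    }
    if ($User -and ($Hint -match [regex]::Escape($User))) { $reasons += 'contains the user name' }
    return ,$reasons   # comma keeps an empty array from collapsing to $null
}

Get-ChildItem -Path $samUsers -ErrorAction Stop |
    Where-Object { $_.PSChildName -match '^[0-9A-F]{8}$' } |   # skip the 'Names' subkey
    ForEach-Object {
        $rid   = [Convert]::ToInt32($_.PSChildName, 16)
        $bytes = (Get-ItemProperty -Path $_.PSPath -Name 'UserPasswordHint' -ErrorAction SilentlyContinue).UserPasswordHint
        if (-not $bytes) { return }   # account has no hint set

        # Decode the UTF-16LE value and drop the trailing NUL terminator.
        $hint = [System.Text.Encoding]::Unicode.GetString($bytes).TrimEnd([char]0)
        $user = $ridToName[$rid]
        if (-not $user) { $user = "RID $rid" }

        $reasons = Test-WeakHint -Hint $hint -User $user
        [pscustomobject]@{
            Account = $user
            Hint    = $hint
            Weak    = ($reasons.Count -gt 0)
            Why     = ($reasons -join '; ')
        }
    } | Format-Table -AutoSize
```

Run it from a management host against each endpoint that still has local accounts with passwords, and treat any row marked Weak as a ticket for the account owner. Hints that simply read ‘Please call the help desk' will pass, which is the intended outcome of the policy above.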
This was first published in February 2013