Is the Windows 8 registry vulnerable to user-password-retrieval-hint attacks? If so, what protections can help...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
defend against such Windows password hint attacks?
Vulnerability researcher Jonathan Claudius, who works for Trustwave's SpiderLabs research team, came across a new key called UserPasswordHint in the Security Accounts Manager (SAM) database in Windows. The SAM database is used by Windows to help manage user accounts and is implemented as a registry file. Further investigation with co-researcher Ryan Reynolds of consulting firm Crowe Horwath enabled them to extract and decode user password hints from the Windows registry. They then updated one of the modules in the open source Metasploit penetration testing toolkit to automate the collection of user password hints from the SAM database in Windows 7 and 8 systems.
There are already established methods for discovering a user's password hint. For example, if you have access to the physical machine, you can easily guess a username and obtain the associated hint by entering an incorrect password. The SAM database vulnerability is alarming because it enables an attacker to steal password hints en masse. Now all the hints on a system can be obtained remotely as part of a post-exploitation process. Password hints are obviously valuable to a would-be attacker because they give a clue as to what a user's password may be, allowing it to be deduced more quickly.
Access to password hints is required before a user can login. Password hints aren't supposed to be a total secret; they assist users when they forget a password. However, password hints are useful for hackers, so they need to be used with care.
An enterprise password policy should state that password hints only have meaning for the user. A password hint should not be so explicit that another person can guess the password. It's a hint, not an obvious clue. Alternatively, password hints can be prohibited, but this may well result in more password reset requests for the help desk. Empty password hints are not allowed, but standard text such as ‘Please call help desk' could be used instead of an actual hint. The best mitigation of this risk is to enforce a strong password policy.
Ask the expert!
SearchSecurity expert Michael Cobb is standing by to answer your questions about enterprise application security and platform security. Submit your question via email at firstname.lastname@example.org.
Dig Deeper on Windows Security: Alerts, Updates and Best Practices
Related Q&A from Michael Cobb
Google has added Linux kernel memory protection and other security measures to the Android OS. Expert Michael Cobb explains how these features work ...continue reading
The HummingBad malware has infected 10 million mobile devices worldwide. Expert Michael Cobb explains how this exploit enables click fraud and other ...continue reading
A full account access OAuth token was mistakenly issued to the Pokémon GO mobile game by Google. Expert Michael Cobb explains the security risks and ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.