Q

Adjust security policies to combat Windows password hint attacks

Researchers have revealed potential Windows user password hint vulnerabilities. Expert Michael Cobb discusses how to address such attacks in policies.

Is the Windows 8 registry vulnerable to user-password-retrieval-hint attacks? If so, what protections can help defend against such Windows password hint attacks?

Ask a Question

SearchSecurity.com expert Michael Cobb is standing by to answer your questions about enterprise application security and platform security. Submit your question via email at editor@searchsecurity.com.

Vulnerability researcher Jonathan Claudius, who works for Trustwave's SpiderLabs research team, came across a new key called UserPasswordHint in the Security Accounts Manager (SAM) database in Windows. The SAM database is used by Windows to help manage user accounts and is implemented as a registry file. Further investigation with co-researcher Ryan Reynolds of consulting firm Crowe Horwath enabled them to extract and decode user password hints from the Windows registry. They then updated one of the modules in the open source Metasploit penetration testing toolkit to automate the collection of user password hints from the SAM database in Windows 7 and 8 systems.

There are already established methods for discovering a user's password hint. For example, if you have access to the physical machine, you can easily guess a username and obtain the associated hint by entering an incorrect password. The SAM database vulnerability is alarming because it enables an attacker to steal password hints en masse. Now all the hints on a system can be obtained remotely as part of a post-exploitation process. Password hints are obviously valuable to a would-be attacker because they give a clue as to what a user's password may be, allowing it to be deduced more quickly.

Access to password hints is required before a user can login. Password hints aren't supposed to be a total secret; they assist users when they forget a password. However, password hints are useful for hackers, so they need to be used with care.

An enterprise password policy should state that password hints only have meaning for the user. A password hint should not be so explicit that another person can guess the password. It's a hint, not an obvious clue. Alternatively, password hints can be prohibited, but this may well result in more password reset requests for the help desk. Empty password hints are not allowed, but standard text such as ‘Please call help desk' could be used instead of an actual hint. The best mitigation of this risk is to enforce a strong password policy.

This was first published in February 2013

Dig deeper on Windows Security: Alerts, Updates and Best Practices

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close