Is the Windows 8 registry vulnerable to user-password-retrieval-hint attacks? If so, what protections can help...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
defend against such Windows password hint attacks?
Vulnerability researcher Jonathan Claudius, who works for Trustwave's SpiderLabs research team, came across a new key called UserPasswordHint in the Security Accounts Manager (SAM) database in Windows. The SAM database is used by Windows to help manage user accounts and is implemented as a registry file. Further investigation with co-researcher Ryan Reynolds of consulting firm Crowe Horwath enabled them to extract and decode user password hints from the Windows registry. They then updated one of the modules in the open source Metasploit penetration testing toolkit to automate the collection of user password hints from the SAM database in Windows 7 and 8 systems.
There are already established methods for discovering a user's password hint. For example, if you have access to the physical machine, you can easily guess a username and obtain the associated hint by entering an incorrect password. The SAM database vulnerability is alarming because it enables an attacker to steal password hints en masse. Now all the hints on a system can be obtained remotely as part of a post-exploitation process. Password hints are obviously valuable to a would-be attacker because they give a clue as to what a user's password may be, allowing it to be deduced more quickly.
Access to password hints is required before a user can login. Password hints aren't supposed to be a total secret; they assist users when they forget a password. However, password hints are useful for hackers, so they need to be used with care.
An enterprise password policy should state that password hints only have meaning for the user. A password hint should not be so explicit that another person can guess the password. It's a hint, not an obvious clue. Alternatively, password hints can be prohibited, but this may well result in more password reset requests for the help desk. Empty password hints are not allowed, but standard text such as ‘Please call help desk' could be used instead of an actual hint. The best mitigation of this risk is to enforce a strong password policy.
Ask the expert!
SearchSecurity expert Michael Cobb is standing by to answer your questions about enterprise application security and platform security. Submit your question via email at firstname.lastname@example.org.
Dig Deeper on Microsoft Windows security
Related Q&A from Michael Cobb
Android for Work's sandboxing tools, which split work and personal profiles, can be bypassed with a proof-of-concept attack. Expert Michael Cobb ...continue reading
Yahoo claimed a vulnerability in its email service enabled attackers to use forged cookies to gain access to user accounts. Expert Michael Cobb ...continue reading
A researcher discovered 76 iOS apps containing sensitive user data that were vulnerable to man-in-the-middle attacks. Expert Michael Cobb explains ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.