Is the Windows 8 registry vulnerable to user-password-retrieval-hint attacks? If so, what protections can help defend against such Windows password hint attacks?
Vulnerability researcher Jonathan Claudius, who works for Trustwave's SpiderLabs research team, came across a new key called UserPasswordHint in the Security Accounts Manager (SAM) database in Windows. The SAM database is used by Windows to help manage user accounts and is implemented as a registry file. Further investigation with co-researcher Ryan Reynolds of consulting firm Crowe Horwath enabled them to extract and decode user password hints from the Windows registry. They then updated one of the modules in the open source Metasploit penetration testing toolkit to automate the collection of user password hints from the SAM database in Windows 7 and 8 systems.
There are already established methods for discovering a user's password hint. For example, if you have access to the physical machine, you can easily guess a username and obtain the associated hint by entering an incorrect password. The SAM database vulnerability is alarming because it enables an attacker to steal password hints en masse. Now all the hints on a system can be obtained remotely as part of a post-exploitation process. Password hints are obviously valuable to a would-be attacker because they give a clue as to what a user's password may be, allowing it to be deduced more quickly.
Access to password hints is required before a user can log in. Password hints aren't supposed to be a total secret; they assist users when they forget a password. However, password hints are useful for hackers, so they need to be used with care.
An enterprise password policy should state that password hints only have meaning for the user. A password hint should not be so explicit that another person can guess the password. It's a hint, not an obvious clue. Alternatively, password hints can be prohibited, but this may well result in more password reset requests for the help desk. Empty password hints are not allowed, but standard text such as 'Please call help desk' could be used instead of an actual hint. The best mitigation of this risk is to enforce a strong password policy.
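One way to enforce the hint rules described in the answer above (empty hints rejected, the standard help-desk text accepted, hints that give the password away rejected) at the point where a user sets a hint, as an added example that is not part of the original article or any Microsoft tooling. The thresholds MIN_WORD_LEN and MAX_SHARED_RUN are assumed policy values, not figures from the page.

```python
import re

STANDARD_HINT = "Please call help desk"  # fallback text from the policy above
MIN_WORD_LEN = 3                          # assumed: shorter hint words are ignored
MAX_SHARED_RUN = 4                        # assumed: longest run hint/password may share


def _words(text: str) -> list[str]:
    """Lower-case, drop punctuation, split into words."""
    return re.sub(r"[^a-z0-9 ]", "", text.lower()).split()


def longest_common_run(a: str, b: str) -> int:
    """Length of the longest substring common to a and b (simple DP)."""
    best = 0
    prev = [0] * (len(b) + 1)
    for ca in a:
        cur = [0] * (len(b) + 1)
        for j, cb in enumerate(b, 1):
            if ca == cb:
                cur[j] = prev[j - 1] + 1
                best = max(best, cur[j])
        prev = cur
    return best


def check_hint(hint: str, password: str) -> tuple[bool, str]:
    """Return (acceptable, reason) for a proposed hint under the policy."""
    hint_words = _words(hint)
    if not hint_words:
        return False, "empty hints are not allowed; use the standard text instead"
    if hint_words == _words(STANDARD_HINT):
        return True, "standard help-desk text"
    h = "".join(hint_words)
    p = "".join(_words(password))
    if p and (p in h or h in p):
        return False, "hint contains the password"
    if h == p[::-1]:
        return False, "hint is the password reversed"
    # Any whole hint word that appears inside the password is an obvious clue.
    leaked = [w for w in hint_words if len(w) >= MIN_WORD_LEN and w in p]
    if leaked:
        return False, "hint word(s) appear in the password: " + ", ".join(leaked)
    # Catch partial giveaways such as a hint that spells most of the password.
    run = longest_common_run(h, p)
    if run >= MAX_SHARED_RUN:
        return False, f"hint shares a {run}-character run with the password"
    return True, "hint does not give the password away"
```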
Ask the expert!
SearchSecurity expert Michael Cobb is standing by to answer your questions about enterprise application security and platform security. Submit your question via email at firstname.lastname@example.org.