Password hints easily snaffled from Windows PCs

Punters' password hints are easily extracted from the latest Microsoft Windows machines, security researchers have discovered. TrustWave SpiderLabs uncovered a key called "UserPasswordHint" during wider research into how the Redmond operating system stores password hashes. Subsequent studies showed it was easy to extract and …

COMMENTS


Facepalm

Considering passwords hints are displayed intentionally...

...does this really matter?

HMB

Coffee Easily Snaffled from Coffee Machine

In reply... No, it doesn't matter.

Anonymous Coward

Re: Considering passwords hints are displayed intentionally...

Not to mention if you can get the password hint using a script, you've presumably already got access to the system to run the script in the first place.

Anonymous Coward

Re: Considering passwords hints are displayed intentionally...

Yes it does.

Without the script you have to physically be at the machine to get the password hint. With it you don't.

This means that if somebody can get you to execute a script (and that never happens does it?) they can get at the hint to help crack your password.

Having said that it is difficult to see how they could hide the hint. It's not as if they could get the user to enter a password to show the hint for the forgotten password...

Silver badge

Re: Considering passwords hints are displayed intentionally...

I'm always up for a bit of MS bashing but no, in this case this is a total non-issue.

The whole thing is nothing more than an attempt at publicity seeking by a security firm. I'm surprised it was Graham Cluley really.

Anonymous Coward

@AC 23rd August 2012 17:53 GMT

"This means that if somebody can get you to execute a script (and that never happens does it?) they can get at the hint to help crack your password."

Then why stop at a script to get the hint? They could just have you install a keylogger and get the password directly. They could also get you to install software so they have access to the PC.

Bronze badge

Which is exactly why my password hint is "Piss off!"

Anonymous Coward

I also do similar.

Silver badge

I like something a little more subtle... " Rhymes with Duck"


Re: I like something a little more subtle...

I use 8 asteroids (i.e. ********)

Silver badge
Thumb Up

Re: I like something a little more subtle...

From now on I am going to call them 'asteroids' too! I like it!!

Bronze badge

Good

My password hints are always something pointing miles away from my passwords and some random maths. That way they waste their time and can do their maths homework at the same time.

Stop

Who cares?

If your password hint is so weak (and by that I mean revealing) that the average person would be able to guess your password from the hint alone, then a physical attacker will guess it just the same.

Besides, if some haxor has access to your machine, then you have worse things to worry about. Who cares about something that is already available to anyone who enters your password incorrectly a few times.

WTF?

re "You might want to encrypt that"

What do you suggest it's encrypted with? given that the point is to display it without the user entering their password of course (chicken and egg).

Bronze badge

Re: re "You might want to encrypt that"

4-D octascopic eyewear tuned JUST to your own retina pattern and eye-brain-stem electrical patterns.

Enter the wrong word too many times, and the infiltrator is end-fill-traded, or quadrapalegicized.... That'll teach those who have direct access with nefarious intentions...

(OTOH, this might be a way for prison wardens to outsource select convicts and thin out their prisons. Or, might be a way for people to pay off their debts to society. Or, for crooked execs to serve time. hack the worng cmopteur, thye severe theri onw bainr stme....)

(Gttoa dluit ym cofefe...)


Bit of a non story

So when sitting at the login screen you can display the password hint.

The only time encrypting the hints would be any use is if the usernames on the machine were also encrypted.

Otherwise you can type the username and then click display hint.

It's as bad as the bloody pen testers who don't understand hardware encryptors on WAN links.

FAIL

Surely if an intruder has got as far as to access the password hints in the registry then the damage is already done!!!

Silver badge
FAIL

Surely if an intruder has access the password hints then the damage is already done!!!

Not if the hints are on a shared system. If you must have hints, they should probably be separated from the systems which control access.

The problem is that hints make things less secure, which is probably not an issue for individuals with machines at home, but introduce the facility to an enterprise and you've got thousands of hints for an admin to go through.

This is a problem for non-repudiation. An admin can mess with data but that leaves an audit trail. If they can narrow the odds with hints and login using someone-else's username and password, that is a major security issue. Login as another user, fire up Outlook and send a cryptographically-signed email to a third party, divulging company secrets and booking an entire brothel for the finance group Christmas party.

That said, instead of asteroids, you could use zeros, which given the padding, would be amusing in a nerdy way.

Let's hope it's off by default. I hope the drive to reduce password reset work doesn't override security considerations.

Linux

I tend to treat the password hint field with contempt, much like the title field on these comment forms. Not much to gain from examining the registry on my machines.

Silver badge
Trollface

I'd be interested to know how relevant the penguin is to your registry. If you've managed to install a Linux registry then I have to ask a) why and b) what the hell is wrong with you?

Wait, aren't you the guy who always says how horrible all Microsoft products are? And YOU have a registry?

Hahahahahahaha

Trollface

"Wait, aren't you the guy who always says how horrible all Microsoft products are?" -- I wouldn't go that far, I have a Microsoft mouse that seems to work, other than that... besides, my distaste for Microsoft's software gives people like you a reason to use the troll icon otherwise you may have to resort to the drunken tramp icon indefinitely.

It also may surprise you to learn that I do operate a Windows based PC, for the sole purpose of running Steam (hopefully this will change in the near future).

Penguin Icon, partly because Penguins are cute and partly because I was on auto-troll when I wrote the comment and used my favoured icon.

Silver badge
Trollface

Linux has a "registry".

It's just called "/etc" and is spread amongst a bajillion and one files.

Cue pedants and irate flamers in 3, 2, 1...

Silver badge
Boffin

Wonderful

So why are you even bothering to post comment on here then when it so clearly doesn't affect you....

I've said it before; "A wise man speaks because he has something to say" Fanbois speak because they have to say something....

Bronze badge

Re: Linux has a "registry".

No, you're thinking of GConf.

Silver badge
Linux

Re: Linux has a "registry".

Hey! At least our registry keys aren't called "{23453563456345-634563456-3456-4356-3456-345634563456-34563456}"!

We don't randomly copy bits of them from HKLOCALMACHINE to CURRENTCONTROLSET or whatever either.

It's also far smaller and usually documented inline too. It is actually possible to understand the contents of /etc.

Personally though, I prefer the $APPHOME system, with etc, bin, data under that. The desktop is inherently complex, but there is no excuse for mixing server application data with system data. Whatever you say about the Lotus Notes desktop, the server end is dead easy to migrate (or at least it used to be) on Linux.

Much of those millions spent on corporate vmware is to wrap up apps into an easily movable bundle, because you have no idea what the application really needs and what data it stuck where in the registry.


Silver badge

Total non story

The password hint is displayed unencrypted at a login prompt after a failed login!!!!!!!!

Why bother with a script that reads it from the registry?

This is why password hints should never actually tell you the password.

Facepalm

A l33t hax0r can also view password hints by entering an incorrect password on said PC.

Flame

Basic error in the system!

In the beginning there was no password, just turn on the computer. Then someone decided that a standalone desktop in a one-person office and unconnected to anything other than the AC mains needed a password mostly because the "big guys" use passwords. So I have to tell myself I am me before I can work. Every day for almost 20 years. And I am cautioned not to write it down.

Fast forward to now (i.e. Spaceballs recursion scene) - passwords for all kinds of things many of which don't need protection from anything - and the passwords expire every three months and have to be reset, use nonsense strings, non-ASCII characters, at least eight letters four numbers mix upper and lower case - and tell me, I dare you - that you can REMEMBER all of them . . . so we put them into our browser, and when it crashes (what? browsers CRASH??) all the passwords are now gone and you get to start again, reset everything, all the hints, all the passwords, all the access codes, the works. And remember, don't write it down because someone might read it. Oh yeah, and NEVER use the same password for everything. So we have to memorize multiple and constantly changing streams of random letters (UC & LC) and numbers, each one of which is different for each and every password protected site we go to . . . and we are cautioned not to make the password socially engineerable by using anything we CAN remember, like our wife's name or whatever.

The result is that we HAVE to write it down - we wind up with a yellow pad with ALL the passwords and the sites they access so that when the magic electrons won't cooperate today, we can still use our computers.

We need a reset on authentication procedures - we need a better way to determine that we are who we say we are, something that doesn't need long lists of random characters which change, are easily mistyped, and cannot be remembered unless you . . . write them down . . . and keep the list somewhere convenient (i.e. near the computer), which sort of defeats the whole purpose, doesn't it?

Ok, if we're so smart, how about we figure out a way to fix this mess? The paradigm (had to use that word, this is after all a computer related discussion) of user name plus password is BROKEN and does not work if the poor user (who paid for all this junk and just wants to use the computer) doesn't have a photographic memory or a USB socket in the back of the skull to plug in the dongle with the passwords on it.

Bronze badge
Stop

Re: Basic error in the system!

We need a single authentication system.

Problem is, business politics have ensured that there are currently multiple authentication systems that compete to be "the one".


Re: Basic error in the system!

Sez it all.

Microsoft tried to solve this with "Passport" - it went nowhere, largely because people didn't want MS in control. Something like this is desperately needed - but as we now know, any company providing this service becomes a target of attack, and it's only a matter of time...

Silver badge
Facepalm

It depends...

... if your password "hint" is "My Password is wordPass"...!

Silver badge
Joke

@Graham

Yeah, that'd be stupid. I simply use: "My password is NOT 12345".

Trollface

Re: @Graham

12345? Amazing. That's the same combination I've got on my luggage!

Bronze badge
Joke

Re: NOT 12345

Nothing like a bluff to confuse everyone, shame the hint isn't displayed when there is just one more attempt before your account is disabled, you can just imagine some would be hacker trying to figure out if you are thick/irreverent, bluffing, double bluffing, triple bluffing ....

Coat

Re: @Graham

so your password is 53190 then?

Anonymous Coward

If I had such a thing as a password hint, it might be something like:

"The police are on their way."


Once physical access is granted

you're toast....... as MS's own rescue CD contains a locksmith app. No need for a password hint.... just reset it..... It takes longer to boot from the CD than to unlock the password.

Facepalm

Re: Once physical access is granted

Doesn't work for the encrypted folders though...

Silver badge

Re: Once physical access is granted

and we can see an admin reset your password. Red flags all round and you're off the hook for subsequent dodgy stuff. :p

Silver badge

It's the same deal as the "what is your first pet's name?" questions...typing anything close to truth in the box increases your vulnerability.

Bronze badge

How?

How can anyone guess your first pet? Only close friends could do that, and if you suspect them of hacking an account, there's worse to deal with because they already have physical access. ;)

Well, "Where were you born" could be a big problem, public records and all that. :(

Silver badge
Pint

Re: How?

Just for my edification, use $Google to search for 'my first pet' or 'my favorite teacher' or any other standard password reset type of question and tell me that the 'net isn't full of easy-to-find answers.

Here's a drink, because you're going to want one.


Re: How?

"Only close friends could do that"

Except that it wouldn't be at all unusual to be able to look back a few years on someone's Facebook and find the "Here's Schinkenstern running around in his little plastic ball" vids. And there's more than a few people in my area who know the name of my first pet, because I've met them whilst walking the aforesaid puppy. Of course that means I wouldn't be stupid enough to use the dog's name as a password, but I'm sure there are people who would.

Come to that, mother's maiden name is a particularly stupid choice of security measure too, given that there's an absolute ton of ancestry sites out there now, all using publicly-available information to tell you this stuff.

Anonymous Coward

Re: How?

> How can anyone guess your first pet?

Social engineering.

Email a group of people including your target and relate a "funny story" about a porn name (name of first pet + road you lived on). Ask what other people's porn names are. Include a couple of email addresses that you control and use them to respond with so as to gain some momentum. There is a good chance your target will respond, especially if there are a couple of responses from people the target knows.

Bronze badge

Re: How?

> How can anyone guess your first pet?

No need to guess, trivial to find out pretty much anything about some people, just ask them. Create a website that promises the earth but requires free registration, collect that data and assuming you can drive a particular person or random people to register you will end up with email addresses, DOB, a password that will have a 90% probability of being a password they use on everything, including their email password from which you could get pretty much anything. True many times you'd end up with a lot of false information but there is no doubt you'd pull some valid info too.

Personally I use a mail alias for everything I sign up for, never use my real details apart from essentials and everything has a separate password, but for stuff I don't care about it is something that can be derived from.


stored obscured with the addition of zeros

So, that would be stored as UNICODE plaintext then.

Silver badge

Re: stored obscured with the addition of zeros

Thank goodness someone pointed this out. The original Spider Labs post (linked to in the article) is hilarious in its discussion of "chunk[ing] up their payload data into individual characters and then encod[ing] them in their ASCII numerical representation". A rather long-winded way to say "I know so little about Windows that I didn't understand a hex dump of UTF-16, which Windows has used since NT 1.0".[1]

And minus a point to John Leyden for not catching this - as soon as I saw that "obscured with zeroes" line I guessed the Spider Labs author simply didn't recognize LE UTF-16.

[1] OK, in NT 1.0 it was UCS-2, not UTF-16. Indistinguishable in this context.

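The point made in this post, as an added example (not code from the thread, the article or the SpiderLabs write-up): the bytes a hex dump of the hint value shows are plain little-endian UTF-16, so decoding them as such gives the hint directly, and the "strip the zeros and read ASCII codes" route only happens to work for ASCII hints. The sample bytes are constructed from the hint "Rhymes with Duck" quoted earlier in the thread.

```python
# Added example: "obscured with the addition of zeros" is just UTF-16-LE,
# the encoding Windows uses for string data in the registry.

# Constructed sample: what a hex dump of a UserPasswordHint value holding
# "Rhymes with Duck" looks like. Not captured from a real machine.
SAMPLE_HINT_BYTES = "Rhymes with Duck".encode("utf-16-le")

# Constructed non-ASCII sample (code points above U+00FF), to show where the
# "drop the zero bytes" shortcut breaks down.
NON_ASCII_HINT_BYTES = "日本".encode("utf-16-le")


def hexdump(data: bytes) -> str:
    """Render bytes as the space-separated hex a registry editor shows."""
    return " ".join(f"{b:02x}" for b in data)


def looks_like_utf16le_ascii(data: bytes) -> bool:
    """True when every odd byte is zero: the 'zero padding' the article
    describes, i.e. UTF-16-LE text whose code points are all below U+0100."""
    return len(data) > 0 and len(data) % 2 == 0 and all(b == 0 for b in data[1::2])


def decode_hint(data: bytes) -> str:
    """Decode the value the way Windows stored it; drop a trailing NUL
    terminator if the value carries one. Works for any hint, ASCII or not."""
    return data.decode("utf-16-le").rstrip("\x00")


def spiderlabs_style_decode(data: bytes) -> str:
    """The long-winded route the post mocks: discard the zero bytes and treat
    each remaining byte as an ASCII code. Correct only for hints whose
    characters fit in one byte; anything else is silently mangled."""
    return "".join(chr(b) for b in data[0::2])


if __name__ == "__main__":
    for sample in (SAMPLE_HINT_BYTES, NON_ASCII_HINT_BYTES):
        print("hex dump      :", hexdump(sample))
        print("zero padded?  :", looks_like_utf16le_ascii(sample))
        print("utf-16-le     :", decode_hint(sample))
        print("ascii shortcut:", spiderlabs_style_decode(sample))
        print()
```

The takeaway for anyone auditing such values: a pattern of every second byte being zero is an encoding, not an obfuscation, and the field should be treated as plaintext.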

Hint indeed

I agree. I never bother with the hint, though I suppose if you had a password locker on your phone that had an ID field you could hint 1, 2, 3 etc.

I just use moomins.

Then again, I worked for a company that provided a service for IBM so we had to have annual security reviews. Mine was one of 2 passwords the consultant could not get after a 3 day brute force from within the domain.

I can't use the one I had at Uni any more because of these restrictions that you must have numbers and letters and or mixed case etc. Well, I could but they also say between X and Y characters and "yellow flavoured doors" is a bit outside the max length of most.

Facepalm

Doh!

"SpiderLabs is an elite team of ethical hackers, investigators and researchers at Trustwave advancing the security capabilities of leading businesses and organizations throughout the world."

- and who can't even recognise Unicode when they see it.

