Windows 10 just gets worse with every iteration
Crafty infosec researchers have figured out how to remotely set answers to Windows 10’s password reset questions “without even executing code on the targeted machine”. Thanks to some alarmingly straightforward registry tweaks allied with a simple Python script, Illusive Networks’ Magal Baz and Tom Sela were not only able to …
It's 2018, And...
"...Windows 10’s password reset questions are in effect hard-coded; you cannot define your own questions..."
"Hard-coded" is bad enough, but I've seen too many really lame security questions--with topics that some people chat about on social media--seriously, and that crap has to stop.
And, it can be done by way of the registry. I... just... don't... know... what else to say.
You make it sound like it should require a license to use a computer: something normally used inside one's own home.
Did you read the article?
From the article:
As for protecting against this post-attack persistence problem? “Add additional auditing and GPO settings,” said Sela. The two also suggested that Microsoft allows custom security questions as well as the ability to disable the feature altogether in Windows 10 Enterprise. The presentation slides are available here (PDF). ®
...makes it quite clear it is not really about home use, but about using Win 10 in a corporate environment.
The hardcoding issue applies to home use as well, of course, but as many have said (and I presume most of us do already) there is no need to give real answers to the questions.
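The "add additional auditing" advice quoted above is not spelled out in the thread. As an added example (not code from the article, the researchers or any commenter), the PowerShell below turns on registry object-access auditing and attaches a SACL to one key so that writes to it land in the Security event log. The key path is a placeholder, since the page does not name the key that holds the reset-question data; the script assumes an elevated session on a host where that key exists.

```powershell
# Added example: audit writes to a registry key and read back the events.
# $KeyPath is a PLACEHOLDER (the page does not give the real key); replace it
# with the key you want to watch. Run from an elevated PowerShell session.
$KeyPath = 'HKLM:\SOFTWARE\PLACEHOLDER\SecurityQuestions'

# 1. Enable the Object Access > Registry audit subcategory, which emits
#    the 4657/4663 events used below. Without this the SACL is silent.
auditpol /set /subcategory:"Registry" /success:enable /failure:enable | Out-Null

# 2. Add a SACL entry to the key: log every successful value write,
#    subkey creation or deletion by any principal, inherited by subkeys.
$acl  = Get-Acl -Path $KeyPath -Audit
$rule = New-Object System.Security.AccessControl.RegistryAuditRule(
    'Everyone',
    ([System.Security.AccessControl.RegistryRights]::SetValue -bor
     [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
     [System.Security.AccessControl.RegistryRights]::Delete),
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)
$acl.AddAuditRule($rule)
Set-Acl -Path $KeyPath -AclObject $acl

# 3. Pull the resulting events. 4657 = registry value modified,
#    4663 = access attempted on an audited object. The event text names the
#    key in native form (\REGISTRY\MACHINE\...), so translate the path.
$NativePath = $KeyPath -replace '^HKLM:\\', '\REGISTRY\MACHINE\'
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4657, 4663 } -MaxEvents 200 |
    Where-Object { $_.Message -like "*$NativePath*" } |
    Select-Object TimeCreated, Id, Message
```

Forwarding these events off the host (or building a SIEM rule on 4657 for the chosen key) is what turns the audit trail into a detection; on its own the SACL only records.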
Re: It's 2018, And...
You don't have to give the real answer
Then your "I forgot my password" responses become another set of passwords, and you've defeated the mechanism that protects you from that failure mode.
And that may be fine. Maybe you never experience that failure mode; maybe you have your own protection mechanism (e.g. you write those false answers down somewhere). But it does demonstrate just how feeble the entire password-reset process is. Either it turns one failure mode (forgotten password) into a worse one (password subversion by an attacker); or it turns that former failure mode into another version of itself.
“In order to prevent people from reusing their passwords, Windows stores hashes of the old passwords. They’re stored under AES in the registry. If you have access to the registry, it’s not that hard to read them. You can use an undocumented API and reinstate the hash that was active just before you changed it.”
Sounds useful - when my employer insists I change my password I can then immediately revert it back and carry on using the old one indefinitely!
I just wish software houses stopped pushing out shit untested code
There needs to be a law and heavy fines, perhaps a fee to be paid for every patch issued.
Maybe, just maybe, they will invest in proper testing and QA. I suggest this cost comes straight from the shareholders' dividend pot.
Am I the only one who sees this for the very serious problem it is? I mean, FFS, we're likely to have automated cars soon; this clusterfuck in software development practice cannot continue in its current form.
Where is the accountability?
Don't tell Microsoft to change anything! Based on the October 2018 update fiasco, if they amended user login settings it would end up deleting the user entirely in the next update, or make it so the login button failed to work. Chaps, they released an update that can make previously working systems blue screen on next boot. Tempting fate is a bad idea...