Considering password hints are displayed intentionally...
...does this really matter?
Punters' password hints are easily extracted from the latest Microsoft Windows machines, security researchers have discovered. TrustWave SpiderLabs uncovered a key called "UserPasswordHint" during wider research into how the Redmond operating system stores password hashes. Subsequent studies showed it was easy to extract and …
Yes it does.
Without the script you have to physically be at the machine to get the password hint. With it you don't.
This means that if somebody can get you to execute a script (and that never happens does it?) they can get at the hint to help crack your password.
Having said that it is difficult to see how they could hide the hint. It's not as if they could get the user to enter a password to show the hint for the forgotten password...
"This means that if somebody can get you to execute a script (and that never happens does it?) they can get at the hint to help crack your password."
Then why stop at a script to get the hint? They could just have you install a keylogger and get the password directly. They could also get you to install software so they have access to the PC.
If your password hint is so weak (and by that I mean revealing) that the average person would be able to guess your password from the hint alone, then a physical attacker will guess it just the same.
Besides, if some haxor has access to your machine, then you have worse things to worry about. Who cares about something that is already available to anyone who enters your password incorrectly a few times.
4-D octascopic eyewear tuned JUST to your own retina pattern and eye-brain-stem electrical patterns.
Enter the wrong word too many times, and the infiltrator is end-fill-traded, or quadrapalegicized.... That'll teach those who have direct access with nefarious intentions...
(OTOH, this might be a way for prison wardens to outsource select convicts and thin out their prisons. Or, might be a way for people to pay off their debts to society. Or, for crooked execs to serve time. hack the worng cmopteur, thye severe theri onw bainr stme....)
(Gttoa dluit ym cofefe...)
So when sitting at the login screen you can display the password hint.
The only time encrypting the hints would be any use is if the usernames on the machine were also encrypted.
Otherwise you can type the username and then click display hint.
It's as bad as the bloody pen testers who don't understand hardware encryptors on WAN links.
Not if the hints are on a shared system. If you must have hints, they should probably be separated from the systems which control access.
The problem is that hints make things less secure, which is probably not an issue for individuals with machines at home, but introduce the facility to an enterprise and you've got thousands of hints for an admin to go through.
This is a problem for non-repudiation. An admin can mess with data but that leaves an audit trail. If they can narrow the odds with hints and login using someone-else's username and password, that is a major security issue. Login as another user, fire up Outlook and send a cryptographically-signed email to a third party, divulging company secrets and booking an entire brothel for the finance group Christmas party.
That said, instead of asteroids, you could use zeros, which given the padding, would be amusing in a nerdy way.
Let's hope it's off by default. I hope the drive to reduce password reset work doesn't override security considerations.
I'd be interested to know how relevant the penguin is to your registry. If you've managed to install a linux registry then I have to ask a) why and b) what the hell is wrong with you?
Wait, aren't you the guy who always says how horrible all Microsoft products are? And YOU have a registry?
Hahahahahahaha
"Wait, aren't you the guy who always says how horrible all Microsoft products are?" -- I wouldn't go that far, I have a Microsoft mouse that seems to work, other than that... besides, my distaste for Microsoft's software gives people like you a reason to use the troll icon otherwise you may have to resort to the drunken tramp icon indefinitely.
It also may surprise you to learn that I do operate a Windows based PC, for the sole purpose of running steam (hopefully this will change in the near future)
Penguin Icon, partly because Penguins are cute and partly because I was on auto-troll when I wrote the comment and used my favoured icon.
Hey! At least our registry keys aren't called "{23453563456345-634563456-3456-4356-3456-345634563456-34563456}"!
We don't randomly copy bits of them from HKLOCALMACHINE to CURRENTCONTROLSET or whatever either.
It's also far smaller and usually documented inline too. It is actually possible to understand the contents of /etc.
Personally though, I prefer the $APPHOME, system, with etc, bin, data under that. The desktop is inherently complex, but there is no excuse for mixing server application data with system data. Whatever you say about the Lotus Notes desktop, the server end is dead easy to migrate (or at least it used to be) on linux.
Much of those millions spent on corporate vmware is to wrap up apps into an easily movable bundle, because you have no idea what the application really needs and what data it stuck where in the registry.
In the beginning there was no password, just turn on the computer. Then someone decided that a standalone desktop in a one-person office and unconnected to anything other than the AC mains needed a password mostly because the "big guys" use passwords. So I have to tell myself I am me before I can work. Every day for almost 20 years. And I am cautioned not to write it down.
Fast forward to now (i.e. Spaceballs recursion scene) - passwords for all kinds of things many of which don't need protection from anything - and the passwords expire every three months and have to be reset, use nonsense strings, non-ASCII characters, at least eight letters four numbers mix upper and lower case - and tell me, I dare you - that you can REMEMBER all of them . . . so we put them into our browser, and when it crashes (what? browsers CRASH??) all the passwords are now gone and you get to start again, reset everything, all the hints, all the passwords, all the access codes, the works. And remember, don't write it down because someone might read it. Oh yeah, and NEVER use the same password for everything. So we have to memorize multiple and constantly changing streams of random letters (UC & LC) and numbers, each one of which is different for each and every password protected site we go to . . . and we are cautioned not to make the password socially engineerable by using anything we CAN remember, like our wife's name or whatever.
The result is that we HAVE to write it down - we wind up with a yellow pad with ALL the passwords and the sites they access so that when the magic electrons won't cooperate today, we can still use our computers.
We need a reset on authentication procedures - we need a better way to determine that we are who we say we are, something that doesn't need long lists of random characters which change, are easily mistyped, and cannot be remembered unless you . . . write them down . . . and keep the list somewhere convenient (i.e. near the computer), which sort of defeats the whole purpose, doesn't it?
Ok, if we're so smart, how about we figure out a way to fix this mess? The paradigm (had to use that word, this is after all a computer related discussion) of user name plus password is BROKEN and does not work if the poor user (who paid for all this junk and just wants to use the computer) doesn't have a photographic memory or a USB socket in the back of the skull to plug in the dongle with the passwords on it.
Sez it all.
Microsoft tried to solve this with "Passport" - it went nowhere, largely because people didn't want MS in control. Something like this is desperately needed - but as we now know, any company providing this service becomes a target of attack, and it's only a matter of time...
"Only close friends could do that"
Except that it wouldn't be at all unusual to be able to look back a few years on someone's Facebook and find the "Here's Schinkenstern running around in his little plastic ball" vids. And there's more than a few people in my area who know the name of my first pet, because I've met them whilst walking the aforesaid puppy. Of course that means I wouldn't be stupid enough to use the dog's name as a password, but I'm sure there are people who would.
Come to that, mother's maiden name is a particularly stupid choice of security measure too, given that there's an absolute ton of ancestry sites out there now, all using publicly-available information to tell you this stuff.
> How can anyone guess your first pet?
Social engineering.
Email a group of people including your target and relate a "funny story" about a porn name (name of first pet + road you lived on). Ask what other people's porn names are. Include a couple of email addresses that you control and use them to respond with so as to gain some momentum. There is a good chance your target will respond, especially if there are a couple of responses from people the target knows.
> How can anyone guess your first pet?
No need to guess, trivial to find out pretty much anything about some people, just ask them. Create a website that promises the earth but requires free registration, collect that data and assuming you can drive a particular person or random people to register you will end up with email addresses, DOB, a password that will have a 90% probability of being a password they use on everything, including their email password from which you could get pretty much anything. True many times you'd end up with a lot of false information but there is no doubt you'd pull some valid info too.
Personally I use a mail alias for everything I sign up for, never use my real details apart from essentials and everything has a separate password, but for stuff I don't care about it is something that can be derived from.
Thank goodness someone pointed this out. The original Spider Labs post (linked to in the article) is hilarious in its discussion of "chunk[ing] up their payload data into individual characters and then encod[ing] them in their ASCII numerical representation". A rather long-winded way to say "I know so little about Windows that I didn't understand a hex dump of UTF-16, which Windows has used since NT 1.0".[1]
And minus a point to John Leyden for not catching this - as soon as I saw that "obscured with zeroes" line I guessed the Spider Labs author simply didn't recognize LE UTF-16.
[1] OK, in NT 1.0 it was UCS-2, not UTF-16. Indistinguishable in this context.
I agree. I never bother with the hint, though I suppose if you had a password locker on your phone that had an ID field you could hint 1, 2, 3 etc.
I just use moomins.
Then again, I worked for a company that provided a service for IBM so we had to have annual security reviews. Mine was one of 2 passwords the consultant could not get after a 3 day brute force from within the domain.
I can't use the one I had at Uni any more because of these restrictions that you must have numbers and letters and or mixed case etc. Well, I could but they also say between X and Y characters and "yellow flavoured doors" is a bit outside the max length of most.
"In first looking at the storage location here, I was a little disappointed thinking that the hint was encrypted in some way until I noticed the pattern of zeros. Having dealt with a fair amount of PHP malware in the last couple months, one of things the “baddies” do is chunk up their payload data into individual characters and then encode them in their ASCII numerical representation."
I think this explains it all, really.
Also, my password hint is "a". Guess my password from that. :)
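The two comments above make the same point about the SpiderLabs write-up: the "pattern of zeros" in the UserPasswordHint dump is UTF-16LE text with a NUL terminator, not encryption or an obfuscation scheme. The following is an added example, not code from the Register article or from the SpiderLabs post, showing the check a practitioner would run on such a dump before concluding anything about encoding. It assumes the value arrives as a regedit-style `hex:` export or plain hex text; both sample dumps are constructed for illustration and are not extracts from any real SAM hive. Reading the live key still requires SYSTEM or taking ownership of the SAM subtree, as the later comment notes; this only decodes bytes already in hand.

```python
import re

# Constructed sample, not a real hive extract: the string "my dog" stored
# as UTF-16LE with its two-byte NUL terminator, in regedit export form.
SAMPLE_DUMP = "hex:6d,00,79,00,20,00,64,00,6f,00,67,00,00,00"

# Constructed opaque bytes for contrast: no zero pattern, not decodable as
# ASCII-range UTF-16LE, which is what genuinely encrypted data looks like.
OPAQUE_DUMP = "hex:9f,3a,7c,21,e4,d8,0b,55"


def parse_hex_dump(dump: str) -> bytes:
    """Turn a regedit 'hex:' / 'hex(3):' export or plain hex text into bytes.

    Only the hex pairs are read; commas, spaces, newlines and the backslash
    line-continuations regedit emits are all ignored.
    """
    body = re.sub(r"^\s*hex(\(\d+\))?:", "", dump, flags=re.IGNORECASE)
    return bytes(int(pair, 16) for pair in re.findall(r"[0-9a-fA-F]{2}", body))


def looks_like_utf16le_text(buf: bytes) -> bool:
    """Heuristic for the 'pattern of zeros' the SpiderLabs post remarked on.

    True when the buffer has even length, every odd byte (the high byte of
    each UTF-16LE code unit) is zero, and every even byte is printable
    ASCII. A hint containing non-ASCII characters has non-zero high bytes
    and fails this check; that is a limit of the heuristic, not evidence of
    encryption.
    """
    if len(buf) < 2 or len(buf) % 2:
        return False
    body = buf[:-2] if buf.endswith(b"\x00\x00") else buf
    if not body:
        return False
    return all(h == 0 for h in body[1::2]) and all(32 <= l < 127 for l in body[0::2])


def decode_hint(buf: bytes) -> str:
    """Decode UTF-16LE and drop anything after the first NUL terminator."""
    return buf.decode("utf-16-le").split("\x00", 1)[0]


def classify(dump: str):
    """Return ('utf-16le text', <decoded hint>) or ('opaque', None)."""
    buf = parse_hex_dump(dump)
    if looks_like_utf16le_text(buf):
        return "utf-16le text", decode_hint(buf)
    return "opaque", None


if __name__ == "__main__":
    for label, dump in (("sample", SAMPLE_DUMP), ("opaque", OPAQUE_DUMP)):
        print(label, classify(dump))
```

The heuristic is deliberately strict: a run of zero high bytes across the whole buffer is very unlikely in ciphertext, so a positive result is strong evidence of plain text, while a negative result on a short buffer only says the bytes are not ASCII-range UTF-16LE.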
To access this information you need to either be capable of taking ownership of that part of the registry or be running as SYSTEM.
In either case you already have complete and total control of the machine.
(The linked article acknowledges this. Hint: check out the ACL on HKEY_LOCAL_MACHINE\SAM\SAM.)
Another case of: if you are already inside the safe, then you have access to the contents of the safe.
Yep. I've been in places where the spare keys are kept in the safe. Not the only set of spares, but a set for easy access if you need to keep a master copy, assistants copy or whatever safe while someone is away.
Mine's simple as fook: "what's my favourite colour". Depending on the thing being protected it's a random line from Monty Python and the Holy Grail.
E.g. the bank's one is "Help Help I'm being oppressed", the robot's maintenance logs are "I'm not dead yet" and the pr0n folder is locked under "Castle Anthrax".
damnit... bloody social engineering....
Dasu shelara vedum sematus viod em ugur'udate si. Uma seda lit soel em sofa, mo danome ____________ dos mu gom gumat si. Udil sea tolasha soel sha shalus abem valumat em davada sha dos vam.
Thus opens a favourite novel, at least it does when translated into my childhood fantasy language Hallon. There is a website explaining about the language, the spooks will have access to some more vocabulary from emails I have exchanged with friends, and so would be able to make a fragmentary translation, enough to identify the text and so identify the English word corresponding to the missing word in the text, which is required to be filled in as the password.
Therein lies the problem. For the word in question has never been written down or emailed to anybody, so there is nothing to guide the spooks - or the hackers - to what the translation may be.
I was house-sitting for a friend a few years ago and she asked me to sort out some issues with her laptop, which was more often put to sleep than shut down, while I was there. At one point a Windows Update caused the machine to reboot and I was left at the login screen with no idea as to her credentials. I tried the obvious -- pets' names, kids' names, no password at all -- but came up blank. The password hint was three alphabetic characters, which I guessed meant something significant to my friend but not to me. I was >< this close to phoning her up and asking her what her password was when I had a sudden revelation. I tried the three-character hint AS the password. Straight in.
Sometimes you have to stop thinking like the IT guy and start thinking like a user.
I have to remember at least 50 different passwords, which isn't humanly possible as they ALL insist on being changed regularly and most have password rules that aren't even compatible. And no, I don't think it is a good idea to use the same sort of password for most systems, like having one key that fits all your locks. So, I've written my own encryption algorithm and have them all in a file on the server. Anybody could see the file, but the file is randomly encrypted to 100 levels deep with the master password encrypted differently somewhere in the file. I think I'm pretty safe. No hints needed.
It's just password madness lately. That is why a lot of people have their passwords on Post-its stuck to their screen... mad.