back to article Password hints easily snaffled from Windows PCs

Punters' password hints are easily extracted from the latest Microsoft Windows machines, security researchers have discovered. TrustWave SpiderLabs uncovered a key called "UserPasswordHint" during wider research into how the Redmond operating system stores password hashes. Subsequent studies showed it was easy to extract and …

COMMENTS

This topic is closed for new posts.
  1. Gordon Fecyk
    Facepalm

    Considering passwords hints are displayed intentionally...

    ...does this really matter?

    1. HMB

      Coffee Easily Snaffled from Coffee Machine

      In reply... No, it doesn't matter.

    2. Anonymous Coward
      Anonymous Coward

      Re: Considering passwords hints are displayed intentionally...

      Not to mention if you can get the password hint using a script, you've presumably already got access to the system to run the script in the first place.

    3. Anonymous Coward
      Anonymous Coward

      Re: Considering passwords hints are displayed intentionally...

      Yes it does.

      Without the script you have to physically be at the machine to get the password hint. With it you don't

      This means that if somebody can get you to execute a script (and that never happens does it?) they can get at the hint to help crack your password.

      Having said that it is difficult to see how they could hide the hint. It's not as if they could get the user to enter a password to show the hint for the forgotten password...

      1. Anonymous Coward
        Anonymous Coward

        @AC 23rd August 2012 17:53 GMT

        "This means that if somebody can get you to execute a script (and that never happens does it?) they can get at the hint to help crack your password."

        Then why stop at a script to get the hint? They could just have you install a keylogger and get the password directly. They could also get you to install software so they have access to the PC.

    4. Goat Jam

      Re: Considering passwords hints are displayed intentionally...

      I'm always up for a bit of MS bashing but no, in this case this is a total non-issue.

      The whole thing is nothing more than an attempt at publicity seeking by a security firm. I'm surprised it was Graham Cluley really.

  2. Not That Andrew

    Which is exactly why my password hint is "Piss off!"

    1. Anonymous Coward
      Anonymous Coward

      I also do similar.

    2. Tom 35

      I like something a little more subtle... " Rhymes with Duck"

      1. Fungi Legume

        Re: I like something a little more subtle...

        I use 8 asteroids (i.e. ********)

        1. LaeMing
          Thumb Up

          Re: I like something a little more subtle...

          From now on I am going to call them 'asteroids' too! I like it!!

    3. Captain Scarlet

      Good

      My password hints are always something pointing miles away from my passwords and some random maths. That way they waste their time and can do their maths homework at the same time.

  3. Comments are attributed to your handle
    Stop

    Who cares?

    If your password hint is so weak (and by that I mean revealing) that the average person would be able to guess your password from the hint alone, then a physical attacker will guess it just the same.

    Besides, if some haxor has access to your machine, then you have worse things to worry about. Who cares about something that is already available to anyone who enters your password incorrectly a few times.

  4. Craig 8
    WTF?

    re "You might want to encrypt that"

    What do you suggest it's encrypted with? given that the point is to display it without the user entering their password of course (chicken and egg).

    1. dssf

      Re: re "You might want to encrypt that"

      4-D octascopic eyewear tuned JUST to your own retina pattern and eye-brain-stem electrical patterns.

      Enter the wrong word too many times, and the infiltrator is end-fill-traded, or quadrapalegicized.... That'll teach those who have direct access with nefarious intentions...

      (OTOH, this might be a way for prison wardens to outsource select convicts and thin out their prisons. Or, might be a way for people to pay off their debts to society. Or, for crooked execs to serve time. hack the worng cmopteur, thye severe theri onw bainr stme....)

      (Gttoa dluit ym cofefe...)

  5. Rob Crawford

    Bit of a non story

    So when sitting at the login screen you can display the password hint.

    The only time encrypting the hints would be any use is if the usernames on the machine where also encrypted.

    Otherwise you can type the username and then click display hint.

    It's as bas as the bloody pen testers who don't understand hardware encryptors on WAN links

  6. BlinkenLights
    FAIL

    Surely if an intruder has got as far as to access the password hints in the registry then the damage is already done!!!

    1. P. Lee
      FAIL

      Surely if an intruder has access the password hints then the damage is already done!!!

      Not if the hints are on a shared system. If you must have hints, they should probably be separated from the systems which control access.

      The problem is that hints make things less secure, which is probably not an issue for individuals with machines at home, but introduce the facility to an enterprise and you've got thousands of hints for an admin to go through.

      This is a problem for non-repudiation. An admin can mess with data but that leaves an audit trail. If they can narrow the odds with hints and login using someone-else's username and password, that is a major security issue. Login as another user, fire up Outlook and send a cryptographically-signed email to a third party, divulging company secrets and booking an entire brothel for the finance group Christmas party.

      That said, instead of asteroids, you could use zero's, which given the padding, would be amusing in a nerdy way.

      Let's hope its off by default. I hope the drive to reduce password reset work doesn't override security considerations.

  7. Miek
    Linux

    I tend to treat the password hint field with contempt, much like the title field on these comment forms. Not much to gain from examining the registry on my machines.

    1. dogged
      Trollface

      I'd be interested to know how relevant the penguin is to your registry. If you've managed to install a linux registry then I have to ask a) why and b) what the hell is wrong with you?

      Wait, aren't you the guy who always says how horrible all Microsoft products are? And YOU have a registry?

      Hahahahahahaha

      1. Miek
        Trollface

        "Wait, aren't you the guy who always says how horrible all Microsoft products are?" -- I wouldn't go that far, I have a Microsoft mouse that seems to work, other than that... besides, my distaste for Microsoft's software gives people like you a reason to use the troll icon otherwise you may have to resort to the drunken tramp icon indefinitely.

        It also may surprise you to learn that I do operate a Windows based PC, for the sole purpose of running steam (hopefully this will change in the near future)

        Penguin Icon, partly because Penguins are cute and partly because I was on auto-troll when I wrote the comment and used my favoured icon.

      2. M Gale
        Trollface

        Linux has a "registry".

        It's just called "/etc" and is spread amongst a bajillion and one files.

        Cue pedants and irate flamers in 3, 2, 1...

        1. Not That Andrew

          Re: Linux has a "registry".

          No, you're thinking of GConf.

          1. This post has been deleted by its author

        2. P. Lee
          Linux

          Re: Linux has a "registry".

          Hey! At least our registry keys aren't called "{23453563456345-634563456-3456-4356-3456-345634563456-34563456}"!

          We don't randomly copy bits of them from HKLOCALMACHINE to CURRENTCONTROLSET or whatever either.

          Its also far smaller and usually documented inline too. It is actually possible to understand the contents of /etc.

          Personally though, I prefer the $APPHOME, system, with etc, bin, data under that. The desktop is inherently complex, but there is no excuse for mixing server application data with system data. Whatever you say about the Lotus Notes desktop, the server end is dead easy to migrate (or at least it used to be) on linux.

          Much of those millions spent on corporate vmware is to wrap up apps into an easily movable bundle, because you have no idea what the application really needs and what data it stuck where in the registry.

    2. Anonymous Coward
      Boffin

      Wonderful

      So why are you even bothering to post comment on here then when it so clearly doesn't affect you....

      I've said it before; "A wise man speaks because he has something to say" Fanbois speak because they have to say something....

  8. Irongut Silver badge

    Total non story

    The password hint is displayed unencrypted at a login prompt after a failed login!!!!!!!!

    Why bother with a script that reads it from the registry?

    This is why password hints should never actually tell you the password.

  9. brain_flakes
    Facepalm

    A l33t hax0r can also view password hits by entering an incorrect password on said PC.

  10. Miami Mike
    Flame

    Basic error in the system!

    In the beginning there was no password, just turn on the computer. Then someone decided that a standalone desktop in a one-person office and unconnected to anything other than the AC mains needed a password mostly because the "big guys" use passwords. So I have to tell myself I am me before I can work. Every day for almost 20 years. And I am cautioned not to write it down.

    Fast forward to now (i.e. Spaceballs recursion scene) - passwords for all kinds of things many of which don't need protection from anything - and the passwords expire every three months and have to be reset, use nonsense strings, non-ASCII characters, at least eight letters four numbers mix upper and lower case - and tell me, I dare you - that you can REMEMBER all of them . . . so we put them into our browser, and when it crashes (what? browsers CRASH??) all the passwords are now gone and you get to start again, reset everything, all the hints, all the passwords, all the access codes, the works. And remember, don't write it down because someone might read it. Oh yeah, and NEVER use the same password for everything. So we have to memorize multiple and constantly changing streams of random letters (UC & LC) and numbers, each one of which is different for each and every password protected site we go to . . . and we are cautioned not to make the password socially engineerable by using anything we CAN remember, like our wife's name or whatever.

    The result is that we HAVE to write it down - we wind up with a yellow pad with ALL the passwords and the sites they access so that when the magic electrons won't cooperate today, we can still use our computers.

    We need a reset on authentification procedures - we need a better way to determine that we are who we say we are, something that doesn't need long lists of random characters which change, are easily mistyped, and cannot be remembered unless you . . . write them down . . . and keep the list somewhere convenient (i.e. near the computer), which sort of defeats the whole purpose, doesn't it?

    Ok, if we're so smart, how about we figure out a way to fix this mess? The paradigm (had to use that word, this is after all a computer related discussion) of user name plus password is BROKEN and does not work if the poor user (who paid for all this junk and just wants to use the computer) doesn't have a photographic memory or a USB socket in the back of the skull to plug in the dongle with the passwords on it.

    1. Test Man
      Stop

      Re: Basic error in the system!

      We need a single authentication system.

      Problem is, business politics have ensured that there are currently multiple authentication systems that compete to be "the one".

    2. jim 45

      Re: Basic error in the system!

      Sez it all.

      Microsoft tried to solve this with "Passport" - it went nowhere, largely because people didn't want MS in control. Something like this is desperately needed - but as we now know, any company providing this service becomes a target of attack, and it's only a matter of time...

  11. Graham Marsden
    Facepalm

    It depends...

    ... if your password "hint" is "My Password is wordPass"...!

    1. Anonymous Coward
      Joke

      @Graham

      Yeah, that'd be stupid. I simply use: "My password is NOT 12345".

      1. Graham Lee
        Trollface

        Re: @Graham

        12345? Amazing. That's the same combination I've got on my luggage!

      2. vic 4
        Joke

        Re: NOT 12345

        Nothing like a bluff to confuse everyone, shame the hint isn't displayed when there is just one more attempt before your account is disabled, you can just imagine some would be hacker trying to figure out if you are thick/irreverent, bluffing, double bluffing, triple bluffing ....

      3. edge_e
        Coat

        Re: @Graham

        so your password is 53190 then?

        1. Anonymous Coward
          Anonymous Coward

          If I had such a thing as a password hint, it might be something like:

          "The police are on their way."

  12. Mectron

    Once physical access is granted

    you're toast....... as MS own rescue CD contain a locksmith app. no need to password hint.... just reset it..... take longer to boot from the CD then to unlock the password

    1. DJ Smiley
      Facepalm

      Re: Once physical access is granted

      Doesn't work for the encrypted folders though...

      1. P. Lee

        Re: Once physical access is granted

        and we can see an admin reset your password. Red flags all round and you're off the hook for subsequent dodgy stuff. :p

  13. Anonymous Coward
    Anonymous Coward

    It's the same deal as the "what is your first pet's name?" questions...typing anything close to truth in the box increases your vulnerability.

    1. Anonymous Coward
      Anonymous Coward

      How?

      How can anyone guess your first pet? Only close friends could do that, and if you suspect them of hacking an account, there's worse to deal with because they already have physical access. ;)

      Well, "Where were you borne" could be a big problem, public records and all that. :(

      1. Anonymous Coward
        Pint

        Re: How?

        Just for my edification, use $Google to search for 'my first pet' or 'my favorite teacher' or any other standard password reset type of question and tell me that the 'net isn't full of easy-to-find answers.

        Here's a drink, because you're going to want one.

      2. Graham Bartlett

        Re: How?

        "Only close friends could do that"

        Except that it wouldn't be at all unusual to be able to look back a few years on someone's Facebook and find the "Here's Schinkenstern running around in his little plastic ball" vids. And there's more than a few people in my area who know the name of my first pet, because I've met them whilst walking the aforesaid puppy. Of course that means I wouldn't be stupid enough to use the dog's name as a password, but I'm sure there are people who would.

        Come to that, mother's maiden name is a particularly stupid choice of security measure too, given that there's an absolute ton of ancestry sites out there now, all using publicly-available information to tell you this stuff.

      3. Anonymous Coward
        Anonymous Coward

        Re: How?

        > How can anyone guess your first pet?

        Social engineering.

        Email a group of people including your target and relate a "funny story" about a porn name (name of first pet + road you lived on). Ask what other peoples porn names are. Include a couple email addresses that you control and use them to respond with so as to gain some momentum. There is a good chance your target will respond, especially if there are a couple of responses from people the target knows.

        1. vic 4

          Re: How?

          > How can anyone guess your first pet?

          No need to guess, trivial to find out pretty much anything about some people, just ask them. Create a website that promises the earth but requires free registration, collect that data and assuming you can drive a particular person or random people to register you will end up with email addresses, DOB, a password that will have a 90% probability of being a password they use on everything, including their email password from which you could get pretty much anything. True many times you'd end up with a lot of false information but there is no doubt you'd pull some valid info too.

          Personally I use a mail alias for everything I sign up for, never use my real details apart from essentials and everything has a separate password but for stuff I don't care about it is something be derived from.

  14. Dale 3

    stored obscured with the addition of zeros

    So, that would be stored as UNICODE plaintext then.

    1. Michael Wojcik Silver badge

      Re: stored obscured with the addition of zeros

      Thank goodness someone pointed this out. The original Spider Labs post (linked to in the article) is hilarious in its discussion of "chunk[ing] up their payload data into individual characters and then encod[ing] them in their ASCII numerical representation". A rather long-winded way to say "I know so little about Windows that I didn't understand a hex dump of UTF-16, which Windows has used since NT 1.0".[1]

      And minus a point to John Leyden for not catching this - as soon as I saw that "obscured with zeroes" line I guessed the Spider Labs author simply didn't recognize LE UTF-16.

      [1] OK, in NT 1.0 it was UCS-2, not UTF-16. Indistinguishable in this context.

  15. Bodestone

    Hint indeed

    I agree. I never bother with the hint, though I suppose if you had a password locker on your phone that had an ID field you could hint 1, 2, 3 etc.

    I just use moomins.

    Then again, I worked for a company that provided a service for IBM so we had to have annual security reviews. Mine was one of 2 passwords the consultant could not get after a 3 day brute force from within the domain.

    I can't use the one I had at Uni any more because of these restrictions that you must have numbers and letters and or mixed case etc. Well, I could but they also say between X and Y characters and "yellow flavoured doors" is a bit outside the max length of most.

  16. Badvok
    Facepalm

    Doh!

    "SpiderLabs is an elite team of ethical hackers, investigators and researchers at Trustwave advancing the security capabilities of leading businesses and organizations throughout the world."

    - and who can't even recognise Unicode when they see it.

    1. Minimaul
      FAIL

      Re: Doh!

      "In first looking at the storage location here, I was a little disappointed thinking that the hint was encrypted in some way until I noticed the pattern of zeros. Having dealt with a fair amount of PHP malware in the last couple months, one of things the “baddies” do is chunk up their payload data into individual characters and then encode them in their ASCII numerical representation."

      I think this explains it all, really.

      Also, my password hint is "a". Guess my password from that. :)

      1. Anonymous Coward
        Joke

        Re: Re: Doh! (Minmaul)

        hole?

      2. Anonymous Coward
        Anonymous Coward

        Re: Doh!

        Well, i'll get the bruteforce dictionary attack going..

        Aardvark

        Did i get it????

        1. Minimaul
          Facepalm

          Re: Doh!

          Damn.

          I guess this is more of a problem than I thought! ;)

  17. richardcox13
    FAIL

    This is not a security hole: if you can access this you already have complete access

    To access this information you need to either capable of taking ownership of that part of the registry or running as SYSTEM.

    In either case you all ready have complete and total control of the machine.

    (The linked article acknowledges this., Hint: check out the ACL on HKEY_LOCAL_MACHINE\SAM\SAM.)

    Another case of if you are already inside the safe, the you have access to the contents of the safe.

    1. Anonymous Coward
      Anonymous Coward

      Re: This is not a security hole: if you can access this you already have complete access

      Yep. I've been in places where the spare keys are kept in the safe. Not the only set of spares, but a set for easy access if you need to keep a master copy, assistants copy or whatever safe while someone is away.

      1. Anonymous Coward
        Anonymous Coward

        Re: This is not a security hole: if you can access this you already have complete access

        You're supposed to use TWO safes.

        1. Anonymous Coward
          Anonymous Coward

          "Two Safes"

          I think they did do that too. But sometimes the spare spare set can just be thrown in the safe until you need it (emergency copy left in the other safe/site etc).

  18. Anonymous Coward
    Anonymous Coward

    Hmmm

    "Punters' password hints are easily extracted from the latest Microsoft Windows machines, security researchers have discovered."

    Ah, Windoze! Ever so secure!

  19. Spoonsinger
    Unhappy

    ""Password hints easily snaffled from Windows PCs"

    Umm, sod the hint, I have a app's which grab the password from the password field. I'm fairly sure loads of other 'support' people do to.

    Wish I could get paid for publishing obvious stuff.

  20. toadwarrior
    Facepalm

    Obviously they need to encrypt the hint and require a password to retrieve it.

  21. Boris the Cockroach Silver badge
    Facepalm

    hint

    Mines simple as fook "whats my favourite colour", depending on the thing being protected its a random line from Monty Python and the Holy Grail

    Eg the bank's one is "Help Help I'm being oppressed", the robots maintance logs are "I'm not dead yet" and the pr0n folder is locked under "Castle Anthrax"

    damnit... bloody social engineering....

  22. Jop
    Megaphone

    Cryptic

    I can see some numptys making a cryptic password hint which they can't work out.

    So there will need to be another level of hint, the pasword hint hint.

    Attack vectors are slim but possible. Someone will use it to their advantage but it is not something to lose sleep over.

  23. Blue eyed boy
    Boffin

    Try this one

    Dasu shelara vedum sematus viod em ugur'udate si. Uma seda lit soel em sofa, mo danome ____________ dos mu gom gumat si. Udil sea tolasha soel sha shalus abem valumat em davada sha dos vam.

    Thus opens a favourite novel, at least it does when translated into my childhood fantasy language Hallon. There is a website explaining about the language, the spooks will have access to some more vocabulary from emails I have exchanged with friends, and so would be able to make a fragmentary translation, enough to identify the text and so identify the English word corresponding to the missing word in the text, which is required to be filled in as the password.

    Therein lies the problem. For the word in question has never been written down or emailed.to anybody so there is nothing to guide the spooks - or the hackers - to what the translation may be.

    1. LaeMing

      in gadda da vida baby!

  24. Anonymous Coward
    Anonymous Coward

    I like to see the study on....

    Luser who enter their password into the hints section as to not forget it.

  25. The Infamous Grouse
    Meh

    For some value of 'hint'

    I was house-sitting for a friend a few years ago and she asked me to sort out some issues with her laptop, which was more often put to sleep than shut down, while I was there. At one point a Windows Update caused the machine to reboot and I was left at the login screen with no idea as to her credentials. I tried the obvious -- pets' names, kids' names, no password at all -- but came up blank. The password hint was three alphabetic characters, which I guessed meant something significant to my friend but not to me. I was >< this close to phoning her up and asking her what her password was when I had a sudden revelation. I tried the three-character hint AS the password. Straight in.

    Sometimes you have to stop thinking like the IT guy and start thinking like a user.

    1. Hans 1
      Joke

      Re: For some value of 'hint'

      Congrats, you found a woman who does not use her kid's name in a password ! I have not, yet ...

  26. Anonymous Coward
    Anonymous Coward

    Too many passwords...

    I have to remember at least 50 different passwords, which isn't humanly possible as they ALL insist on being changed regularly and most have password rules that aren't even compatible. And no, I don't think it is a good idea to use the same sort of password for most systems, like having one key that fits all your locks. So, I've written my own encryption algorhitm and have them all in a file on the server. Anybody could see the file, but the file is randomly encrypted to 100 levels deep with the master password encrypted differently somewhere in the file, I think I'm pretty safe. No hints needed.

    It's just password madness lately. That is why a lot of people have their passwords on Post-its stuck to their screen... mad.

This topic is closed for new posts.