Does Windows have a very weak password lurking in its crypto libraries?

Microsoft's Raymond Chen took to his "Old New Thing" blog this week to explain why Windows has a hash of a weak password in its cryptographic libraries. The sequence in question was spotted by a customer, who reported they'd found the SHA256 hash of "abc" in the Windows cryptographic libraries. Dodgy passwords are the bane of …

  1. pip25
    Boffin

    That's great and all, but...

    What is test data doing in the production binary? Does it need to test itself during each startup to make sure the function did not stop working somehow...?

    1. Avalanche

      Re: That's great and all, but...

      Given it is a self-test, it is probably run when the library is loaded to verify the library works correctly.

      1. owlstead

        Re: That's great and all, but...

        Especially since self-testing is part of the requirements for FIPS certification. So if your cryptography library is slow to start up...

    2. Jou (Mxyzptlk) Silver badge

      Re: That's great and all, but...

      It is there to test whether the CPU does it right and to check for tampering with the binaries and check whether dependent libraries (.dlls) still offer the right functions etc etc.

      TBH: You didn't read or understand Raymond Chen's article. Jumping to such premature conclusions is not a good sign.

      1. pip25

        Re: That's great and all, but...

        Admittedly, no, I've only read the El Reg article, and I was genuinely curious. I haven't come across such a functionality in a library before, which is why it felt odd.

        1. Avfusion

          Re: That's great and all, but...

          The last half of the article goes directly into this detail. You might give it another glance and see if you missed that part.

          That said, it's uncommon but not so far as to be an edge case in library design. Lots of security and critical function libraries do internal self tests on load or init to make sure it won't give incorrect results or fail completely later on during run time.

  2. Alan W. Rateliff, II

    Engineers and public relations

    He concluded: "I bet you can find insecure passwords in a lot of binaries if you set your mind to it. Just scan for the bytes 61 62 63 in any binary, and if you find it, you can get all excited: 'Hey, your binary contains the insecure password abc!'"

    This was a completely dismissive and douchie thing to say. This is why we need Tom Smykowskis in the world.

    1. MrDamage Silver badge

      Re: Engineers and public relations

      > This was a completely dismissive and douchie thing to say. This is why we need Tom Smykowskis in the world.

      And in this world where "GOTCHA" moments seem to take precedence over actual fucking news, it is the correct response.

  3. John H Woods Silver badge

    Correct me if I'm wrong ...

    but although it "doesn't mean that the library is using them as passwords" it does surely mean these hashes are stored unsalted?

    1. richardcox13

      Re: Correct me if I'm wrong ...

      Yes.

      Cryptographic hashes are used for more than passwords.

    2. Anonymous Coward

      Not everything tastes better with salt

      In this case the hash is a test string, not an actual password, and so salting it would defeat the purpose, and be unnecessary.

      As others mentioned, on systems with hardware acceleration the library can use the value as part of its sanity checks, probably among other applications. The sort of code left out of many other libraries, but cryptography is an exacting field, where one needs to be thorough.

      In this case the claimed purpose of the string is to verify that the exact string abc hashes to the stored value. If you salted it, you wouldn't be able to do that specific test for that routine in isolation. The stored hash is to validate the hash function, which is a part of the password check, but the same as the password check which has more steps. Salt is needed for "live" passwords to protect them, but wouldn't necessarily be needed for a list of bad passwords the system rejects for example.

      Hope the details help explain the difference.
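
The load-time self-test and the salting point discussed in the comments above, as an added example that is not part of the thread and is not Microsoft's code. `SelfTestedHasher`, `faulty_sha256` and `store_password` are hypothetical names, and the PBKDF2 parameters are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Published SHA-256 test vector: digest of the three bytes 61 62 63 ("abc").
# This constant is what a scanner finds when it reports "hash of abc".
SHA256_ABC = bytes.fromhex(
    "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
)


def known_answer_test(hash_fn):
    """Return True if hash_fn reproduces the published digest for b'abc'."""
    return hmac.compare_digest(hash_fn(b"abc"), SHA256_ABC)


class SelfTestedHasher:
    """Hypothetical wrapper: refuses to initialise unless the self-test passes."""

    def __init__(self, hash_fn):
        if not known_answer_test(hash_fn):
            raise RuntimeError("SHA-256 self-test failed; refusing to initialise")
        self._hash_fn = hash_fn

    def digest(self, data):
        return self._hash_fn(data)


def real_sha256(data):
    return hashlib.sha256(data).digest()


def faulty_sha256(data):
    """Constructed fault: one flipped output bit, standing in for a broken
    build, a tampered binary or a misbehaving accelerator."""
    out = bytearray(hashlib.sha256(data).digest())
    out[0] ^= 0x01
    return bytes(out)


def store_password(password, salt=None, iterations=600_000):
    """Password storage is a different job: random salt plus a slow KDF.
    The stored value never equals the bare test-vector digest."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
```

The test vector has to be unsalted and fixed so the comparison is deterministic; a stored password record for the same three bytes differs on every call because the salt does.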

  4. aerogems Silver badge
    FAIL

    Sounds like

    Reminds me of when some self-proclaimed security expert claimed they had found some massive flaw in the Windows printing subsystem, and the reality was they didn't know WTF they were looking at. Or all the anti-vaxxer death cultists who "do their own research" but forget the part where they need an advanced degree (or the equivalent education at least) to be able to correctly interpret what they're looking at.

    1. Anonymous Coward

      Re: Sounds like

      Darwin deals with antivaxxers, even if they don't believe in evolution.

      1. aerogems Silver badge

        Re: Sounds like

        Darwin's dust in the wind at this point. He doesn't deal with anyone for anything. The process of natural selection, as described by Darwin... that's another story.

        1. LybsterRoy Silver badge

          Re: Sounds like

          -- Darwin's dust in the wind at this point --

          Errm

          Charles Robert Darwin, naturalist, is buried in the north aisle of the nave of Westminster Abbey,

          not sure how you get his dust from there into the wind....

          1. aerogems Silver badge
            Facepalm

            Re: Sounds like

            Yes, thank you Mr. Pedant. Any other obvious jokes you wish to ruin by taking them seriously? Maybe you'd like to try to explain to a toddler that chickens really wouldn't ever cross the road.

            1. stewwy

              Re: Sounds like

              Well they do if you put a line of feed over the road.

              I'm not sure if roads are recognised by chickens (except in the sense of 'our Mable' is now 2-dimensional) as such.

  5. Strahd Ivarius Silver badge
    Coat

    Hey!

    I found the trivial password "abc" on El Reg site!

    1. Michael Wojcik Silver badge

      Re: Hey!

      I found it in your comment!

  6. J. Cook Silver badge
    Joke

    At least it's not "12345", which at least one person has on their luggage. /sarcasm

    1. Jou (Mxyzptlk) Silver badge

      Had! He gave the order to change the combination.

    2. upsidedowncreature

      How did you get that to display as "*****"?

      1. Michael Wojcik Silver badge

        Hey! My password is "*****". Please stop posting it.

        1. aerogems Silver badge
          Alert

          They must be a hacker!

  7. LybsterRoy Silver badge

    Favourite quickie password

    I have two - qaz or fred
