Windows 8 's Rookie Security Mistake -- Redmondmag.com

Windows 8 's Rookie Security Mistake

Microsoft's choice to store passwords in plain text format may give attackers easy access to your system.

By Chris Paoli
10/03/2012

Microsoft's newest OS has a lot of good things going for it when it comes to security. Its Secure Boot feature will help to stop attackers from burying harmful malware deep inside a PC's BIOS menu; and its built-in antimalware will add an additional level of protection not found (without the help of third-party software) in previous versions of Windows.

While it sounds like Windows 8 has a lot going for it when it comes to securing your system, it's recently come to light that Microsoft has made the fatal error of storing login passwords in plain text.

This news comes from security firm Passcape Software, a company knows a thing or two about retrieving passwords. And if stored in plain text form, the firm's job is that much easier.

Passwords can be retrieved through the OS's new PIN password feature (a four-digit code for accessing a system and Microsoft-related accounts) and the Picture password login. Here's how Passcape Software explains it:

"The matter is that these two authentication methods are based on a regular user account. In other words, the user must first have created an account with a regular password and then optionally switch to PIN or picture password authentication. Notably that the original plain-text (!) password to the account also remains in the system."

Once a user switches from the "classic" Windows password scheme to one of the new ones, those old-style passwords are encrypted and put in Microsoft's Vault (protected storage). However, anyone who accesses a system using admin privileges can swipe the encrypted data from the Vault.

If it's as easy to pull off as Passcape Software makes it sound like, not sure why Microsoft's protected storage system is called Vault. Sounds like Microsoft Unlocked Screen Door would be a more apt name.

And what's the easiest way to descrambling said encrypted data? Passcape Software has the perfect solution for you (at a cost).

Microsoft has yet to comment on the security firm's find. But if this actually pans out to be a legit way for attackers to gain access to your passwords, I wouldn't be surprised if this was already fixed before the OS's official release on Oct. 26.

And Microsoft, here's some advice: don't store passwords in plain text files, you dummy.

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.

Featured

Cisco Warns of Brute Force Attacks Targeting VPNs and Firewalls

Cisco has revealed that a global increase in brute force attacks targeting Virtual Private Networks (VPNs) and other devices is currently taking place.
What's Inside Microsoft 365's Security Toolbox?

Microsoft provides plenty of native tools to secure Microsoft 365. IT pros just have to know where to look.
Microsoft Kills 30-Day Data Retention Policy for Copilot in Fabric

Microsoft this week announced several usability improvements coming to Copilot in Fabric in preparation of its general availability release later this year.
Using Microsoft Office to Build a Network Diagram 2

Now that we've set up our process, let's dig in with the actual execution.
Microsoft Graph 'Activity Logs' Feature Goes Live

Microsoft announced the general availability of the "activity logs" capability in Microsoft Graph, giving administrators more options to track user activity and identify patterns of potential misuse.