Security Advisor

Windows 8 's Rookie Security Mistake

Microsoft's choice to store passwords in plain text format may give attackers easy access to your system.

Microsoft's newest OS has a lot of good things going for it when it comes to security. Its Secure Boot feature will help to stop attackers from burying harmful malware deep inside a PC's BIOS menu; and its built-in antimalware will add an additional level of protection not found (without the help of third-party software) in previous versions of Windows.

While it sounds like Windows 8 has a lot going for it when it comes to securing your system, it's recently come to light that Microsoft has made the fatal error of storing login passwords in plain text.

This news comes from security firm Passcape Software, a company knows a thing or two about retrieving passwords. And if stored in plain text form, the firm's job is that much easier.

Passwords can be retrieved through the OS's new PIN password feature (a four-digit code for accessing a system and Microsoft-related accounts) and the Picture password login. Here's how Passcape Software explains it:

"The matter is that these two authentication methods are based on a regular user account. In other words, the user must first have created an account with a regular password and then optionally switch to PIN or picture password authentication. Notably that the original plain-text (!) password to the account also remains in the system."

Once a user switches from the "classic" Windows password scheme to one of the new ones, those old-style passwords are encrypted and put in Microsoft's Vault (protected storage). However, anyone who accesses a system using admin privileges can swipe the encrypted data from the Vault.

If it's as easy to pull off as Passcape Software makes it sound like, not sure why Microsoft's protected storage system is called Vault. Sounds like Microsoft Unlocked Screen Door would be a more apt name.

And what's the easiest way to descrambling said encrypted data? Passcape Software has the perfect solution for you (at a cost).

Microsoft has yet to comment on the security firm's find.  But if this actually pans out to be a legit way for attackers to gain access to your passwords, I wouldn't be surprised if this was already fixed before the OS's official release on Oct. 26.

And Microsoft, here's some advice: don't store passwords in plain text files, you dummy.


About the Author

Chris Paoli is the site producer for and

comments powered by Disqus

Reader Comments:

Tue, Oct 30, 2012 James UK

It seems to me that they are not saying that passwords are stored in plain text, it's just using the term "plain text" to refer to classic letter/number passwords as apposed to the new picture passwords. It's hardly a new thing to be fair, I've been hacking local windows accounts for people that have forgotten their passwords for years! All they are saying is W8 is just as susceptible as 7/vista/xp etc

Thu, Oct 4, 2012

New Flash! It has been discovered that any user with "root" access on all Linux based systems can "swipe the [hashed] password file". Security experts everywhere are wondering what the fuss is...

Thu, Oct 4, 2012 Kevin

The problem with the above article is this statement: "any user of the PC with the Administrator privileges" By definition Administrative users cannot be limited on windows systems. It is akin to giving someone a key to your house and telling them they can't climb in a window. If they are already an Administrator, they can simply change any passwords stored on the system. On top of that, the "plain text" password file stores the password in encrypted form. So, a user would not only have to be an Admin to access the file, but also go through a decryption routine to decrypt the password? Doesn't seem as straight-forward as you make it seem. Although exposing stored user passwords is of concern for other reasons, the real answer is hardening the system against rouge Admin users. If bitlocker and safe boot are enabled, gaining that type of access becomes much more difficult.

Add Your Comment Now:

Your Name:(optional)
Your Email:(optional)
Your Location:(optional)
Please type the letters/numbers you see above

Redmond Tech Watch

Sign up for our newsletter.

I agree to this site's Privacy Policy.