Microsoft’s Windows OS has earned a reputation as something of a magnet for malicious software and security threats in general, so the news that your login password could be fairly easy for an unscrupulous individual to find is, rather than surprising, something of a disappointment.
Windows 8 is gathering much steam ahead of its imminent release in the latter stages of October, but for those running it or its predecessor, Windows 7 (or even Windows 8), your account might not be as secure as you presumed it to be.
Of course, not everybody password-locks their Windows account, and if you do not, then there’s little cause for alarm. However, those who do might find the manner in which Windows stores password hints a little disconcerting. At present, it would be very easy for a remote user to decrypt your password hint, which in turn shortens the odds that they’ll be able to guess your password.
According to a post over at ArsTechnica, Windows keeps your password hints in its registry, locked away in scrambled form, although this foreign jumble of characters can easily be converted into something easy to read.
The flaw was discovered by Jonathan Claudius of SpiderLabs, who posted an automated script before adding it to a site by the name of Metasploit, said to specialize in penetration testing software. "Although this stuff looked a bit unreadable on the surface," he explained, "we can now see that it can clearly be decoded and could be used by tools that extract the information from the SAM."
It’s worth pointing out that the user’s password is not decrypted using these methods, but for the forgetful folk who like to prompt themselves with a telling hint, this particular vulnerability does, naturally, make password guessing that little bit easier.
Microsoft hasn’t commented on the vulnerability, although with Windows 8 not too far away, the software maker can ill afford such negative press, particularly with regard to privacy and security. It’s the kind of story that prompts users to grab their pitchforks and march in collective anger, so we’ll obviously keep you updated as and when Microsoft comes through with a fix.