An embarrassing security lapse by Microsoft.
ArsTechnica is reporting an astonishing security lapse by Microsoft in both Windows 7 and Windows 8 which exposes your password hint with a little code.
The password hint is the additional line of text you can type in to remind you of your real password. If the reminder is too obvious, it is just as helpful to anyone trying to get into your computer. If a hacker guesses your password from the easily found hint, then everything on your computer is available to them.
It turns out that the password hint is stored in the registry using a very simple encryption. Finding the user names and password hints for every user on a Windows 7/8 computer is ridiculously easy for a hacker: the trick exposes all the user names and password hints saved on that computer.
The technique doesn’t even need physical access to the computer; remote access is enough.
Doubtless Microsoft will come out with the usual weasel words about how the password hint doesn’t reveal the password itself and other lame excuses. Or they may try the “Problem? What Problem?” denial while scrambling to create a fix.
This is a major embarrassment for Microsoft. For the last few years we’ve been told how Microsoft takes security seriously and that all design decisions go through special ‘Softies to consider the security implications.
Despite all that, an important piece of security for any user is protected only by trivial encryption that can be undone with some simple, publicly available code. Shame on Microsoft.
What you can do
No need to panic: there’s no indication that hackers are widely using this technique, but it’s only a matter of time before they do. This hack only applies to the password hint – not the password itself.
But until Microsoft fixes this embarrassing breach it’s best to check your password hint.
Make sure the password hint is something that makes sense to you but not anyone else.
A good password reminder would be “My 5th Grade English Teacher”, which few people will know. A bad password reminder would be “Homer and Marge’s only son”, which most people with a TV can answer.
Another option is a misleading password hint like ‘My local café’ where the password is really the café owner’s name, not the café.
Or leave the password hint blank if you’re absolutely sure you will never need a reminder. (Hint – most of us will!)
Change the Windows password hint from Control Panel | User Accounts | Change your password. Type and confirm the new password (or retype the existing one); you can then change the password hint.