Windows 8 security risk? Passwords stored in plain text


With less than two weeks before it hits store shelves, Microsoft's newest operating system Windows 8 has already been found to have a potential security problem: it stores passwords in plain text.
 
Password recovery software maker Passcape noted this may be the basis of a "serious flaw" in the two new ways of logging on to the system, Picture password and PIN.
 
"The matter is that these two authentication methods are based on a regular user account. In other words, the user must first have created an account with a regular password and then optionally switch to PIN or picture password authentication. Notably that the original plain-text (!) password to the account also remains in the system," it said.
 
It said that once a user has switched to a new authentication method, his or her text password is encrypted using the AES algorithm and saved to protected Vault storage in a Windows System folder.
 
The system folder contains Vault records with SIDs and text passwords of all users with active PIN or picture password authentication.
 
However, the text password is not bound to the PIN or picture password, it said.
 
"(T)herefore, any user of the PC with the Administrator privileges can easily recover it (the encryption key is protected with system DPAPI)," it said.

Windows 8 enhancement
 
Passcape said Windows Vault, which emerged with Windows 7 and could store network passwords, has been enhanced in Windows 8 as a more universal storage, though is no longer compatible with previous versions.
 
It added Windows Vault is used by other applications as well, such as Internet Explorer 10.
 
"Thus, the 'old' Vault implements a custom password protection. While in Windows 8, it seems, this feature is frozen and it uses DPAPI-based protection only," it said.
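The weakness the article describes is architectural: the stored password is only as safe as the key that wraps it, and that key is tied to the system (DPAPI) rather than to the PIN or picture the user actually types. The following toy model is an added illustration written for this page, not code from Passcape, Microsoft or Windows. It replaces the real Vault, DPAPI and AES with standard-library stand-ins (an HMAC-SHA256 counter keystream for the cipher, a random 32-byte value for the system master key, PBKDF2 for PIN derivation); the function names, the "Design A/B" split and the sample password and PIN are all constructed here. Design A mirrors the article's description: anyone who can use the system key recovers the password without knowing the PIN. Design B shows what "bound to the PIN" would mean: without the PIN the blob cannot be opened, and a wrong PIN fails closed.

```python
"""Toy model: system-bound vs PIN-bound protection of a stored password.
Added illustration only; Vault, DPAPI and AES are modelled with stdlib
stand-ins, not the real Windows APIs."""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Symmetric stand-in for AES: XOR with an HMAC-SHA256 counter keystream.
    The same call encrypts and decrypts; it only models 'encrypted under a key'."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + offset.to_bytes(4, "big"), hashlib.sha256).digest()
        chunk = data[offset:offset + 32]
        out.extend(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


# ---- Design A: as the article describes Windows 8 ----------------------------
# Constructed stand-in for the system DPAPI master key. Every principal that can
# use DPAPI at system level (e.g. an administrator) can use this key.
SYSTEM_DPAPI_KEY = os.urandom(32)


def vault_store_system_bound(password: str) -> dict:
    """Encrypt the password under a random data key, then wrap that data key
    under the system key. Nothing here depends on the user's PIN."""
    data_key, nonce, wrap_nonce = os.urandom(32), os.urandom(16), os.urandom(16)
    return {
        "nonce": nonce,
        "ciphertext": keystream_xor(data_key, nonce, password.encode()),
        "wrap_nonce": wrap_nonce,
        "wrapped_key": keystream_xor(SYSTEM_DPAPI_KEY, wrap_nonce, data_key),
    }


def vault_open_with_system_key(record: dict) -> str:
    """Whoever holds the system key recovers the plain-text password; the PIN
    is never consulted. This is the exposure the article points at."""
    data_key = keystream_xor(SYSTEM_DPAPI_KEY, record["wrap_nonce"], record["wrapped_key"])
    return keystream_xor(data_key, record["nonce"], record["ciphertext"]).decode()


# ---- Design B: hypothetical PIN-bound alternative ------------------------------
def _pin_keys(pin: str, salt: bytes) -> tuple:
    """Derive an encryption key and a MAC key from the PIN (PBKDF2-HMAC-SHA256)."""
    km = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS, dklen=64)
    return km[:32], km[32:]


def vault_store_pin_bound(password: str, pin: str) -> dict:
    """The stored blob can only be opened by re-deriving the key from the PIN."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _pin_keys(pin, salt)
    ciphertext = keystream_xor(enc_key, nonce, password.encode())
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ciphertext": ciphertext, "tag": tag}


def vault_open_pin_bound(record: dict, pin: str) -> str:
    """Fail closed: a wrong PIN yields a MAC mismatch instead of garbage."""
    enc_key, mac_key = _pin_keys(pin, record["salt"])
    expected = hmac.new(mac_key, record["nonce"] + record["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, record["tag"]):
        raise ValueError("wrong PIN: password cannot be recovered")
    return keystream_xor(enc_key, record["nonce"], record["ciphertext"]).decode()


def demo() -> tuple:
    """Constructed sample: same password stored under both designs."""
    password, pin = "correct horse battery", "1234"
    a = vault_open_with_system_key(vault_store_system_bound(password))  # no PIN needed
    b_rec = vault_store_pin_bound(password, pin)
    b_ok = vault_open_pin_bound(b_rec, pin)
    try:
        vault_open_pin_bound(b_rec, "0000")
        b_wrong_pin_rejected = False
    except ValueError:
        b_wrong_pin_rejected = True
    return a, b_ok, b_wrong_pin_rejected


if __name__ == "__main__":
    print(demo())
```

The caveat a practitioner should keep in mind about Design B: a short numeric PIN is brute-forceable offline once the blob is in hand, so binding to the PIN alone only moves the problem; in practice the derived key would also need to be anchored to something an attacker cannot copy off the disk, such as a hardware key store, and that is outside what this toy models.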
 
Picture password and PIN
 
Passcape advised Windows 8 users who have adopted Picture password and PIN, the two new authentication methods, to use them with caution.
 
"If an account is configured for authentication using picture password or PIN, your original plain-text password is stored in the system, and any user with the Administrator privileges can gain access to it," it said. — TJD, GMA News