Windows 8 security risk? Passwords stored in plain text
With less than two weeks before it hits store shelves, Microsoft's newest operating system Windows 8 has already been found to have a potential security problem: it stores passwords in plain text.
Password recovery software maker Passcape noted this may be the basis of a "serious flaw" in the two new ways of logging on to the system, Picture password and PIN.
"The matter is that these two authentication methods are based on a regular user account. In other words, the user must first have created an account with a regular password and then optionally switch to PIN or picture password authentication. Notably that the original plain-text (!) password to the account also remains in the system," it said.
It said that once a user has switched to a new authentication method, his or her text password is encrypted using the AES algorithm and saved to protected Vault storage in a Windows System folder.
The system folder contains Vault records with SIDs and text passwords of all users with active PIN or picture password authentication.
However, the text password is not bound to the PIN or picture password, it said.
"(T)herefore, any user of the PC with the Administrator privileges can easily recover it (the encryption key is protected with system DPAPI)," it said.
Windows 8 enhancement
Passcape said Windows Vault, which emerged with Windows 7 and could store network passwords, has been enhanced in Windows 8 as a more universal storage, though it is no longer compatible with previous versions.
It added that Windows Vault is used by other applications as well, such as Internet Explorer 10.
"Thus, the 'old' Vault implements a custom password protection. While in Windows 8, it seems, this feature is frozen and it uses DPAPI-based protection only," it said.
Picture password and PIN
Passcape advised Windows 8 users to use Picture password and PIN, which are new authentication methods, with caution.
"If an account is configured for authentication using picture password or PIN, your original plain-text password is stored in the system, and any user with the Administrator privileges can gain access to it," it said. — TJD, GMA News