Password hints for Microsoft’s Windows 7 and 8 are stored in the operating system registry in a scrambled-looking format that can easily be converted back into human-readable form.
That information could be useful to attackers who have obtained the password hash of a targeted account but have been unable to crack it.
Jonathan Claudius, the SpiderLabs vulnerability researcher who documented the behavior, wrote a script that automates the extraction and added it to Metasploit.
The hint is written to the registry when a user configures a Windows account to display a reminder about the password needed to access it. When Claudius first saw the long string of letters and numbers in which the hint was stored, he assumed it had been encrypted. On closer examination, he said, an eight-line Ruby script decoded the chunks of text in short order.
“Although this stuff looked a bit unreadable on the surface we can now see that it can clearly be decoded and could be used by tools that extract the information from the SAM,” he said, referring to the “security accounts manager” section of the registry. “This seems like it would be very helpful for penetration testers by giving them more insight into what the user’s password might be, so I decided to take it one step further.”
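The decoding step described above, as an added illustration that is not code from the SpiderLabs write-up or from Metasploit: Windows stores each account's hint as the REG_BINARY value UserPasswordHint under the account's key in the SAM hive, and the bytes are UTF-16LE text, so every ASCII character is followed by a 00 byte and a hex dump looks scrambled. The sample hex value, the account names and the function names below are constructed for this example.

```ruby
# Added example (not from the original article, SpiderLabs or Metasploit).
# Windows keeps each account's hint in the SAM hive as a REG_BINARY value:
#   HKLM\SAM\SAM\Domains\Account\Users\<RID>\UserPasswordHint
# The bytes are UTF-16LE text, normally NUL-terminated, so a hex dump reads
# like "4d 00 79 00 20 00 ..." rather than plain "My ...".

# Turn the hex form of the value into a readable string.
# Accepts the formats common tools emit: a bare hex string (reg query),
# "hex:4d,00,..." (a .reg export) or space/comma separated bytes.
# Returns nil when no value is present (accounts without a hint have no
# UserPasswordHint value at all).
def decode_hint(hex)
  return nil if hex.nil?
  clean = hex.to_s.sub(/\Ahex:/i, '').gsub(/[^0-9a-fA-F]/, '')
  return nil if clean.empty?
  raise ArgumentError, "odd number of hex digits" if clean.length.odd?

  bytes = [clean].pack('H*')                      # hex text -> raw bytes
  # UTF-16 code units are 2 bytes; drop a dangling trailing byte defensively
  bytes = bytes.byteslice(0, bytes.bytesize - 1) if bytes.bytesize.odd?
  text = bytes.force_encoding('UTF-16LE')
              .encode('UTF-8', invalid: :replace, undef: :replace)
  text.sub(/\u0000+\z/, '')                        # strip the NUL terminator
end

# Pair decoded hints with account names, as a SAM-dumping tool might report them.
# Input: { "user" => hex_or_nil }; output: { "user" => hint_or_nil }.
def decode_hints(by_user)
  by_user.each_with_object({}) { |(user, hex), out| out[user] = decode_hint(hex) }
end

# Constructed sample: the UTF-16LE bytes of "My favorite color" plus terminator,
# written the way `reg query` prints a REG_BINARY value.
SAMPLE_HINT_HEX = "4D00790020006600610076006F00720069007400650020006300" \
                  "6F006C006F0072000000"

if __FILE__ == $PROGRAM_NAME
  decode_hints("alice" => SAMPLE_HINT_HEX, "svc_backup" => nil).each do |user, hint|
    puts "#{user}: #{hint.nil? ? '(no hint set)' : hint}"
  end
end
```

Run with `ruby decode_hint.rb`; the value for a real account can be pasted from `reg query` or a `.reg` export taken from a machine you are authorised to test. The only non-obvious handling is the NUL terminator and the absence of the value entirely for accounts that never set a hint.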
The hints have always been visible to anyone with physical access to a targeted PC, since Windows displays them on the logon screen, as Microsoft makes clear when an account is configured or modified.
Until now, those hints were of no use to attackers who gained access remotely, through a drive-by website exploit or a similar attack, and could extract only the underlying password hashes. That is where this technique comes in: a tool that dumps the SAM can now also recover the hint the user chose when creating the account, and a clue such as “My favorite color” or “My first car” can make all the difference when an otherwise uncrackable hash is attacked.