
Windows 8 stores logon passwords in plain-text

posted by Passcape_Admin at 09:08:25 20.09.2012

In one of our previous articles, you could read about ways to recover text passwords in Windows without brute-forcing them, the locations in the system where text passwords can reside, and the tools used for the recovery. It turns out that the release of Windows 8 has brought another fly in the ointment. Our experts have discovered a serious flaw in the two new ways of logging on to the system: Picture password and PIN.

The point is that these two authentication methods are built on top of a regular user account. In other words, the user must first create an account with a regular password and may then optionally switch to PIN or picture password authentication. Notably, the original plain-text (!) password of the account also remains in the system.

Once the user has switched to a new authentication method, the text password is encrypted using the AES algorithm and saved to protected Vault storage in the following folder:
%SYSTEM_DIR%/config/systemprofile/AppData/Local/Microsoft/Vault/4BF4C442-9B8A-41A0-B380-DD4A704DDB28.
This system folder contains Vault records with the SIDs and text passwords of all users with active PIN or picture password authentication. The text password is not bound to the PIN or picture password; therefore, any user of the PC with Administrator privileges can easily recover it (the encryption key is protected with system DPAPI, which does not depend on the user's own password).
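The following audit script is an added example for this article (not Passcape's code): it lists the system Vault records kept in the folder named above and checks that folder's ACL, so an administrator can see which accounts currently have a recoverable logon password on disk without decrypting anything. It assumes %SYSTEM_DIR% means $env:SystemRoot\System32 and that Vault records use the .vcrd / Policy.vpol file names; run it from an elevated prompt.

```powershell
# Added audit example for this article; not Passcape's code.
# Reports the Vault records Windows 8 keeps for accounts switched to PIN or
# picture password, so an administrator can decide whether those accounts
# should keep that logon method. Run from an elevated PowerShell prompt.
# Assumption: %SYSTEM_DIR% in the article means $env:SystemRoot\System32.
$VaultGuid = '4BF4C442-9B8A-41A0-B380-DD4A704DDB28'   # folder name from the article
$VaultDir  = Join-Path $env:SystemRoot ('System32\config\systemprofile\AppData\Local\Microsoft\Vault\' + $VaultGuid)

if (-not (Test-Path -LiteralPath $VaultDir)) {
    Write-Output "Vault folder $VaultGuid not found under the system profile; no PIN/picture-password records present."
    return
}

# Each Vault credential record is its own file; Policy.vpol holds the DPAPI-protected key.
# The .vcrd / .vpol names are assumed from the standard Vault folder layout.
$Files   = Get-ChildItem -LiteralPath $VaultDir -File -Force
$Records = @($Files | Where-Object { $_.Extension -ieq '.vcrd' })
$Policy  = $Files | Where-Object { $_.Name -ieq 'Policy.vpol' }

Write-Output ("Vault folder      : {0}" -f $VaultDir)
Write-Output ("Credential records: {0}   policy file present: {1}" -f $Records.Count, [bool]$Policy)
foreach ($r in $Records) {
    Write-Output ("  {0}  {1,7} bytes  modified {2:yyyy-MM-dd HH:mm}" -f $r.Name, $r.Length, $r.LastWriteTime)
}

# A non-zero record count means at least one account has its text password cached here.
# List enabled local accounts so the admin can review which of them use PIN / picture
# password; the records themselves are left untouched.
if ($Records.Count -gt 0) {
    Get-CimInstance Win32_UserAccount -Filter 'LocalAccount = TRUE AND Disabled = FALSE' |
        Select-Object Name, SID | Format-Table -AutoSize
}

# The folder should be readable only by SYSTEM and Administrators; warn about anything else.
(Get-Acl -LiteralPath $VaultDir).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   $_.IdentityReference -notmatch 'SYSTEM|Administrators' } |
    ForEach-Object { Write-Warning ("Unexpected access for {0}: {1}" -f $_.IdentityReference, $_.FileSystemRights) }
```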

Pic. 1. Decrypting plain-text passwords in Windows 8: passwords of all users with active PIN or picture password authentication.

Briefly, Vault can be described as a protected storage for a user's private data. Windows Vault emerged with the release of Windows 7 and could store various network passwords. In Windows 8, Vault has extended its functionality; it has become a more universal storage but at the same time lost its compatibility with the previous versions. Thus, the 'old' Vault implements a custom password protection, while in Windows 8 this feature appears to be frozen and only DPAPI-based protection is used. Windows Vault is used by other applications as well. For example, Internet Explorer 10 uses it to store passwords to websites.

Some of our password recovery utilities already implement Windows 8 plain-text password decryption. The upcoming release of Windows Password Recovery is expected to have a full-fledged Vault analyzer and offline decoder.

Picture password and PIN are completely new authentication methods in Windows 8, an attempt to escape from the password-remembering hell. However, use them with caution. If an account is configured for authentication using picture password or PIN, your original plain-text password is stored in the system, and any user with Administrator privileges can gain access to it.


Comments

question
posted by 1000ouz at 14:05:10 04.10.2012
Is this DPAPI-based protection not supposed to prevent access to the shared secret key allowing you to decrypt the password file? That is surprising to me because DPAPI is not new, that looks like quite basic. Or maybe can you explain a little bit more how you can bypass the DPAPI protection, is it a bug or really just an omission/oblivion in the way DPAPI was designed by Microsoft?

Thanks
A flaw in your logic
posted by Kevin at 17:31:40 04.10.2012

The problem with the above article is this statement:

"any user of the PC with the Administrator privileges"

By definition Administrative users cannot be limited on Windows systems. It is akin to giving someone a key to your house and telling them they can't climb in a window. If they are already an Administrator, they can simply change any passwords stored on the system. On top of that, the "plain text" password file stores the password in encrypted form.

So, a user would not only have to be an Admin to access the file, but also go through a decryption routine to decrypt the password? Doesn't seem as straight-forward as you make it seem. Although exposing stored user passwords is of concern for other reasons, the real answer is hardening the system against rogue Admin users. If BitLocker and safe boot are enabled, gaining that type of access becomes much more difficult.

Passcape_Admin
RE: question
posted by Passcape_Admin at 17:47:37 04.10.2012
Yep, DPAPI user-based protection is supposed to prevent access to private data; at least you should supply the user logon password to decrypt it.

System DPAPI protection (the one used in the Vault), on the other hand, can be bypassed by extracting and decrypting the system secret from the SECURITY registry hive. The decrypted system secret can then be used to decode the DPAPI-protected data.

I'll try to give more details in one of upcoming posts.
Passcape_Admin
RE: A flaw in your logic
posted by Passcape_Admin at 18:14:10 04.10.2012
By definition Administrative users should not have access to other users' private data. That's what DPAPI has been invented for.

The problem is that Microsoft claims they do not store any plain-text passwords. But they do store them. And that looks like the good old Windows 2000, when you didn't even have to provide the user password to decrypt his/her DPAPI secret data, EFS encrypted files, etc. Why make the same mistakes?

You can use many solutions to prevent offline access to your plaintext password. But once logged in, you can still extract it even if you have no Admin privileges.

They should change the logic and make the plaintext password depend on the picture password (or PIN). Otherwise it is simply a toy. That's what I meant.
Title is Misleading
posted by Logan Wolfe at 19:54:30 12.10.2012
All other issues aside, if a string was stored "encrypted" it isn't stored as "plain text".

My goodness. And you guys claim to be in Security?!
Administrator owns the box, This is not a new concern
posted by geek boy at 22:41:05 12.10.2012

All bets are off when a user is an admin. Rogue Admins can install any malware, including key loggers.

Windows 8 - fuc.ing sh.t
posted by Ivan at 08:24:47 13.10.2012
I'll never install this s**t on my computer. Microsoft - asshole.
Passcape_Admin
RE: Title is Misleading
posted by Passcape_Admin at 08:39:25 13.10.2012
Even though the passwords are not stored in plaintext, they can be easily decoded to the original plaintext form. This is called reversible encryption. The reversible encryption used here does not depend on any additional parameters and can be reversed. Thus reversible encryption = plaintext. This is just a matter of what you call it.
Windows should not use reversible encryption in that way (Microsoft claims they haven't), or should even use a one-way function instead.
Passcape_Admin
RE: Administrator owns the box, This is not a new concern
posted by Passcape_Admin at 08:47:12 13.10.2012
The problem is that:
  • You can decrypt your own plaintext password even if you're not an administrator.
  • An administrator can decode the plaintext passwords of any other user whose account was set to require a PIN or Picture password.
  • Any user who can get physical access to the PC, for example when booting from a live CD, can decrypt the passwords of any user.
Passcape_Admin
RE: Windows 8 - fuc.ing sh.t
posted by Passcape_Admin at 09:05:34 13.10.2012
To err is human. They should pay more attention to security implementation. Detail is just a very important thing in security.

By the way, the first implementation of DPAPI had even worse security flaws. Now it is the best password security system I've ever seen. I hope the picture password problems will be fixed soon.
I need to share this NOW!
posted by dario90 at 14:15:45 15.10.2012
I can't find the f*cking tweet button, where the f*ck is it?
Passcape_Admin
RE: I need to share this NOW!
posted by Passcape_Admin at 16:35:23 15.10.2012
Update the page please
This is mimikatz?
posted by Question at 03:53:21 17.10.2012
This is very similar to mimikatz. What's the difference?
Passcape_Admin
RE: This is mimikatz?
posted by Passcape_Admin at 08:17:04 17.10.2012
No. Mimikatz extracts logon passwords from the memory of the currently logged on user. Once you type in your logon password, it is protected and stored in the PC's memory, and the system wipes it out upon your exit.

The security problem we described is a bit different. The logon password is encrypted and saved to disk (after the account is switched to PIN or Picture password). So you can decrypt it even without logging on (e.g. from an unbootable machine).

If you want to protect yourself against a Mimikatz-like memory vulnerability, consider tuning up your SYSKEY protection as described in one of our previous blog posts.