Barely released to manufacturing, and the first critical bug in the Windows 8 operating system has already been discovered. Expected to reach market on Oct. 26, Windows 8, Microsoft's most secure OS to date, already faces issues with the way it stores passwords for local accounts.
The flaw was discovered by the team at Passcape Software, a company that specializes in recovery of forgotten account passwords, while analyzing ways to recover login credentials without brute-forcing the accounts.
Windows 8 is the first operating system from Microsoft to support alternative non-biometric authentication mechanisms such as Picture Password and PIN. To enable either of these mechanisms, the user has to create a regular account with a passphrase, then change the authentication mechanism to the desired one. Before changing it, though, Windows stores a backup copy of the password, encrypted with the AES algorithm, in a Vault storage at %SYSTEM_DIR%/config/systemprofile/AppData/Local/Microsoft/Vault/4BF4C442-9B8A-41A0-B380-DD4A704DDB28.
"Once the user has switched to a new authentication method, his text password is encrypted using the AES algorithm and saved to protected Vault storage in the folder %SYSTEM_DIR%/config/systemprofile/AppData/Local/Microsoft/Vault/4BF4C442-9B8A-41A0-B380-DD4A704DDB28," the company detailed in a blog post. "The text password is not bound to the PIN or picture password; therefore, any user of the PC with the Administrator privileges can easily recover it (the encryption key is protected with system DPAPI)."
UPDATE: The quote from the Passcape blog post has sparked quite some debate here, and clarification is required. When the authentication method is updated, Windows stores a copy of the password in a Vault, a system file that is encrypted using the AES algorithm, but no hashing or other modification is performed on the string. Any user with administrator privileges can unlock the Vault and access the hex-code representation of the password, stored as UTF-16. This process is called reversible encryption and is not recommended for protecting mission-critical data such as passwords.
Unlocked vault exposes the plain-text password: super_password. Image courtesy of Passcape.
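To make the "reversible encryption" point concrete, here is an added illustration (not code from the article or from Passcape): the same UTF-16 password stored two ways, once under a symmetric key the way the Vault does it, and once as a salted one-way hash. It assumes a stand-in cipher, counter-mode HMAC-SHA256 from the standard library in place of AES, since what matters is that a key exists that turns the blob back into text, not which block cipher produced it.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 200_000  # PBKDF2 work factor for the one-way variant (assumed value)


def utf16_hex(password: str) -> str:
    """Hex form of the UTF-16 string, i.e. what an unlocked Vault exposes."""
    return password.encode("utf-16-le").hex()


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256, a stdlib stand-in for AES-CTR."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def reversible_store(password: str, key: bytes) -> bytes:
    """Mimics the Vault design: the UTF-16 text is encrypted, never hashed."""
    nonce = secrets.token_bytes(16)
    plaintext = password.encode("utf-16-le")
    stream = keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, stream))


def reversible_recover(blob: bytes, key: bytes) -> str:
    """Whoever holds the key (on Windows 8: any administrator, via DPAPI) gets the text back."""
    nonce, ciphertext = blob[:16], blob[16:]
    stream = keystream(key, nonce, len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, stream)).decode("utf-16-le")


def oneway_store(password: str) -> bytes:
    """The alternative: salted PBKDF2. No key exists that reverses this record."""
    salt = secrets.token_bytes(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode("utf-16-le"), salt, ITERATIONS)


def oneway_verify(password: str, record: bytes) -> bool:
    """Only equality can be checked; the password itself is not recoverable from the record."""
    salt, digest = record[:16], record[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-16-le"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)
```

The constructed key and password below are sample values; on the real system the key is the DPAPI-protected Vault key and the password is whatever the user typed before switching to a PIN or picture password.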
The good news is that this type of vulnerability can't be exploited remotely. The bad news is that this Vault is available to all local users, allowing any user in a shared environment to iterate through the stored passwords, decrypt them and, why not, check whether the victim has reused the password for social networking accounts, for instance.