If You Use Password Hints in Windows 7 or 8, This Hack Could Easily Exploit Them


Earlier this week, Spiderlabs’ vulnerability researcher Jonathan Claudius discovered a key in Windows 7 and 8 registries that makes it easy for anyone with physical or remote access to a computer get a hold of the user’s password hints.

If You Use Password Hints in Windows 7 or 8, This Hack Could Easily Exploit Them

When the “UserPasswordHint” key is read, the hints are displayed as a code that looks encrypted, but Claudius noticed a pattern of zeroes that could be easily translated back to plain text with a decoder he made in Ruby.

If You Use Password Hints in Windows 7 or 8, This Hack Could Easily Exploit Them

He added this functionality to the Metasploit Hashdump tools, which would allow a hacker to “obtain this information remotely as part of a post-exploitation process and steal all the hints on the system.”

If You Use Password Hints in Windows 7 or 8, This Hack Could Easily Exploit Them

As many people have pointed out, it would be easy for anyone with physical access to a system to get the password hints by guessing incorrectly, but this tool allows them to be accessed remotely as well.

Some also argue that password hints aren’t supposed to be secret because they’re designed so that you don’t forget your passwords, but they can still be used much more safely if they’re used a bit more stealthily. The easiest way to protect yourself against this is to make your password hint something that only you would understand, or just use a completely random hint that has nothing to do with the answer. For instance, if the comments on this article are any indication, lots of people use something along the lines of “Get off my computer” as a hint. Obviously, if you go this route, you want to make sure you don’t forget the password yourself.

If You Use Password Hints in Windows 7 or 8, This Hack Could Easily Exploit Them

Image by Channel the Alley

Of course, this would be a non-issue if it weren’t for the fact that Windows requires a password hint on certain operating systems, so unless you don’t password-protect your computer, you have to use them.

So, the lesson here is not to make your password hint something that is easily guessable or can be found by Googling your name. And as always, set a password that’s as secure as possible. If you do forget your password and make up a hint that’s too good even for yourself to crack, here’s how to retrieve it.

How do you use password hints Do you make them easy so you’re covered if you forget, or tough to protect yourself Tell us in the comments.

Cover image by Programming4Us