Windows 8 Security Flaw: Logon Passwords Stored in Plain Text
Monday, November 5, 2012
Windows 8 is the first operating system from Microsoft to support alternative non-biometric authentication mechanisms such as Picture Password and PIN. The password security vendor Passcape discovered a vulnerability in Microsoft's Windows 8 operating system: it saves the logon password in plain text and allows any user with admin rights to see the password details.
In September, though, Passcape Software reported some drawbacks of the new authentication method. The picture password had seemed invulnerable, because whoever tries to guess it must know how and which parts of the image to choose, and in addition the gesture sequence. However, security experts from Passcape discovered that such a unique password is based on a regular account.
A user must first create a regular password-based account and can then optionally switch to picture password or PIN authentication. Notably, the original plain-text password for the account is still stored in the system, encrypted with the AES algorithm, in a Vault storage at %SYSTEM_DIR%/config/systemprofile/AppData/Local/Microsoft/Vault/4BF4C442-9B8A-41A0-B380-DD4A704DDB28.
"Briefly, Vault can be described as a protected storage for user's private data. Windows Vault emerged with the release of Windows 7 and could store various network passwords. In Windows 8, Vault has extended its functionality; it has become a more universal storage but at the same time lost its compatibility with the previous versions. Thus, the 'old' Vault implements a custom password protection. While in Windows 8, it seems, this feature is frozen and it uses DPAPI-based protection only. Windows Vault is used by other applications as well. For example, Internet Explorer 10 uses it to store passwords to websites," the researchers explained.
Any local user with admin privileges can decrypt the plain-text passwords of all users whose accounts were switched to a PIN or picture password. In this regard, the picture/PIN login cannot be considered the sole reliable means of ensuring data security against cracking.
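The practical defender's check that follows from this is to see whether the system-profile Vault folder named in the article exists on a given host and which principals are allowed to read it. The script below is an added audit example, not code from the article or from Passcape; it assumes that %SYSTEM_DIR% in the article maps to $env:SystemRoot\System32 and reuses the GUID quoted above. Run it in an elevated PowerShell session on the host being reviewed.

```powershell
# Added audit example; not part of the original article or Passcape's tools.
# Assumption: %SYSTEM_DIR% in the article is $env:SystemRoot\System32.
$vaultId   = '4BF4C442-9B8A-41A0-B380-DD4A704DDB28'   # GUID quoted in the article
$vaultPath = Join-Path $env:SystemRoot "System32\config\systemprofile\AppData\Local\Microsoft\Vault\$vaultId"

function Get-SystemVaultReport {
    param([string]$Path = $vaultPath)

    if (-not (Test-Path -LiteralPath $Path)) {
        # No folder: no PIN/picture-password credential copies to worry about on this host.
        return [pscustomobject]@{ Path = $Path; Present = $false; Files = 0; Readers = @() }
    }

    # -Force includes hidden files; the vault blobs are normally not shown by default.
    $files = Get-ChildItem -LiteralPath $Path -File -Force -ErrorAction SilentlyContinue
    $acl   = Get-Acl -LiteralPath $Path

    # Principals holding an Allow ACE with the ReadData right on the folder. These are
    # the accounts that can reach the DPAPI-protected blobs the article describes;
    # FullControl and Modify both include ReadData, so they are caught as well.
    $readData = [System.Security.AccessControl.FileSystemRights]::ReadData
    $readers  = $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and ($_.FileSystemRights -band $readData) } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique

    [pscustomobject]@{
        Path    = $Path
        Present = $true
        Files   = @($files).Count
        Readers = @($readers)
    }
}

$report = Get-SystemVaultReport
$report | Format-List

# Expected on a default install: only SYSTEM and BUILTIN\Administrators under Readers.
# Any other principal listed widens the group that can recover stored passwords
# beyond the administrators the article already identifies.
```

A non-zero file count tells you the host holds DPAPI-protected copies of logon passwords for accounts that use a PIN or picture password; the Readers list tells you who, besides administrators, can get at them.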
Experts warned that users should not rely only on the security of the picture password. It is difficult to break, they agreed, but additional measures are necessary to protect the original text password.