updated 8/25/2012 6:15:55 PM ET

A registry key called "UserPasswordHint" may be the most obviously named avenue for attempts to break into machines that run Windows 7 and 8.

Although the password hints are written out in hexadecimal notation, with a zero padding out each letter, when they're stored on a computer's hard drive, they aren't actually encrypted, and a short script can recover them fairly easily.

This all came to light when SpiderLabs vulnerability researcher Jonathan Claudius began poking around to see how the new Windows system behaved.

"I was a little disappointed thinking that the hint was encrypted in some way until I noticed the pattern of zeros," Claudius wrote on the SpiderLabs blog.

Upon determining a pattern, he "wrote a little decoder in Ruby to see if I could learn this user's password hint."

It worked. The results were rendered into plain text, and Claudius had the eight-line script added to the popular open-source hacking toolkit Metasploit's hash-dump tools.
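The storage format described above (hex with a zero after each letter) is simply the hint's 16-bit text encoding written out in hexadecimal, so reversing it needs no key. The decoder below is an added illustration of that point, not the article's, Claudius's or Metasploit's own code; the sample hint value is constructed, not taken from any real machine, and the trailing-zero handling is an assumption about how a terminator might appear in a dumped value.

```ruby
# Added example: decode a Windows password hint as it sits on disk.
# The stored form is the hint's UTF-16LE bytes written out in hex; for
# ASCII text every other byte is zero, which is the "pattern of zeros"
# described in the article. This is an encoding, not encryption.

def decode_hint(hex)
  unless hex =~ /\A(?:[0-9a-fA-F]{4})*\z/
    raise ArgumentError, "expected hex with a whole number of 16-bit units"
  end
  bytes = [hex].pack('H*')                                # hex text -> raw bytes
  text  = bytes.force_encoding('UTF-16LE').encode('UTF-8')
  text.sub(/\0+\z/, '')                                   # drop a trailing NUL terminator, if present (assumption)
end

# Reverse direction, to show the stored form is nothing more than UTF-16LE in hex.
def encode_hint(text)
  text.encode('UTF-16LE').unpack('H*').first
end

# Constructed sample value (not a real registry dump): the hint "dog's name".
SAMPLE_HINT_HEX = "64006f0067002700730020006e0061006d006500"

if __FILE__ == $0
  puts decode_hint(SAMPLE_HINT_HEX)                        # dog's name
  puts encode_hint("dog's name") == SAMPLE_HINT_HEX        # true
end
```

Running the file prints the decoded sample and confirms the round trip; the same two functions handle non-ASCII hints, since a character outside ASCII simply yields a non-zero high byte instead of the zero the article noticed.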

This all seems very disconcerting, until you realize that password hints are just hints.

Although they could be helpful to a hacker, they're not nearly as precious as the passwords themselves, which, fortunately, are truly encrypted on Windows and much more difficult to crack.

Anyone with physical access to a PC can view password hints with the click of a mouse, but until now, password hints were much more difficult for remote intruders to obtain.

While they could definitely come in handy to a sophisticated hacker, such an intruder would more likely go straight for the password from the start.

Hints are the territory of jealous boyfriends and prank-pulling siblings who want to snoop through emails or post embarrassing Facebook status updates.

© 2012 SecurityNewsDaily. All rights reserved

