The flaw was discovered by the team at Passcape Software, a company that specializes in recovery of forgotten account passwords, while analyzing ways to recover login credentials without brute-forcing the accounts.
Windows 8 is the first operating system from Microsoft to support alternative non-biometric authentication mechanisms such as Picture Password and PIN. To enable either of these authentication mechanisms, the user has to create a regular account with a passphrase, then change the authentication mechanism to the desired one. Before changing it, though, Windows stores a backup copy of the password, encrypted with the AES algorithm, in a Vault storage at %SYSTEM_DIR%/config/systemprofile/AppData/Local/Microsoft/Vault/4BF4C442-9B8A-41A0-B380-DD4A704DDB28.
Windows 8 is the first operating system from Microsoft to support alternative non-biometric authentication mechanisms such as Picture Password and PIN. To enable either of these authentication mechanisms, the user has to create a regular account with a passphrase, then change the authentication mechanism to the desired one. Before changing it, though, Windows stores a backup copy of the password, encrypted with the AES algorithm, in a Vault storage at %SYSTEM_DIR%/config/systemprofile/AppData/Local/Microsoft/Vault/4BF4C442-9B8A-41A0-B380-DD4A704DDB28.
“Once the user has switched to a new authentication method, his text password is encrypted using the AES algorithm and saved to protected Vault storage in the folder %SYSTEM_DIR%/config/systemprofile/AppData/Local/Microsoft/Vault/4BF4C442-9B8A-41A0-B380-DD4A704DDB28,” “The text password is not bound to the PIN or picture password; therefore, any user of the PC with the Administrator privileges can easily recover it (the encryption key is protected with system DPAPI).”
The good news is that this type of vulnerability can’t be exploited remotely. The bad news is that this Vault is available to all local users, allowing any user in a shared environment to iterate through the stored passwords, decrypt them and, why not, check to see if the victim hasn’t reused the password for social networking accounts, for instance.
VINDECODERZ offers comprehensive and reliable VIN decoding services to provide users with detailed vehicle information…
Table of Contents: Key Takeaways Understanding the Impact of Diagnostic Software Electric and Hybrid Vehicles:…
Key Takeaways: Custom trigger kits can offer personalization while potentially improving shooting accuracy and performance.…
Ensuring a vehicle's longevity requires more than just regular servicing; it encompasses a broader approach…
Technological developments in medicine have raised the bar for patient care to an unprecedented degree,…
In the digital era, having a website is essential for businesses, organizations, and individuals alike.…