That finding was made by two security researchers who've been studying ways to increase the reliability of tools designed to extract Windows registry information.
"In the process of going through one of our test cases on a Windows 8 machine on Saturday, we stumbled across a new key ('UserPasswordHint') that we had not seen before in the SAM database," said vulnerability researcher Jonathan Claudius, who works for Trustwave's SpiderLabs research team, in a blog post. Claudius's co-researcher is Ryan Reynolds, who's in charge of penetration testing services for public accounting and consulting firm Crowe Horwath. "To both of us, this seemed like a rather odd, but intriguing, key that would be cool to explore a bit more 'at some point,'" Claudius said.
The research didn't sit for long. "Being the impatient weirdo that I am," Claudius said, he dove in and soon worked out "how to extract/decode User Password Hints from the Windows registry." By Tuesday, he'd also updated the "hashdump" module included in the open source Metasploit penetration testing toolkit, enabling it to grab user password hints from Windows 7 and 8 systems. "This seems like it would be very helpful for penetration testers by giving them more insight into what the user's password might be," he said.
The finding builds on the researchers' recent success at overcoming recurring hash corruption problems experienced by registry extraction tools such as Metasploit, Cain & Abel, Pwdump, Fgdump, L0phtcrack, Samdump, Creddump, Pwdump5, and Pwdump7. The pair detailed their findings at last month's Black Hat and DEFCON information security conferences in Las Vegas, and said they've been working with the relevant developers to create patches.
So how might Microsoft change the Windows registry to block retrieval of user password hints? Responding to a question posted on a discussion forum, Claudius said he doesn't necessarily think this information needs to be encrypted, but he didn't offer any specific mitigation strategies.
A Microsoft spokeswoman didn't immediately respond to a request for comment on the vulnerability identified by Claudius and Reynolds, or on potential strategies Windows users could employ to mitigate related attacks.
Claudius did note that the password hints could already have been retrieved using other attack techniques, although not necessarily en masse. "Anyone who has physical access can guess a username and obtain the associated hint on a one-by-one basis," he said. "The focus of my additions [was] to obtain this information remotely as part of a post-exploitation process and steal all the hints on the system."