Recently a group of researchers described a scenario wherein password recovery questions were used to break into Windows 10 PCs. This has led to some suggesting disabling the feature. But you don’t need to do this if you’re a home computer user.
So, What’s Going on Here?
As Ars Technica first reported, Windows 10 has added the option to set password recovery questions on local accounts in the past year. Security researchers delved into this and discovered that on a business network this could lead to potential vulnerability.
Right off the bat, you can spot two important points there:
- First, the entire scenario relies on computers joined to a domain network—the kind you’d find on a business network with managed computers.
- Second, the vulnerability applies to local accounts. That’s particularly interesting because if your PC is part of a domain, you’re almost certainly using a centralized domain user account and not a local account. And security questions are not allowed on domain accounts by default.
There’s also a third point that’s even more important. All of this requires the malicious actor first to gain administrator-level access on the network. From there, they could then identify machines connected to the network that still have local accounts and then add security questions to those accounts.
Why bother?
The idea is that if admins discover and revoke the malicious actor’s access, subsequently changing all the passwords, the actor could, in theory, make their way back into the network to these machines and use their custom questions to reset those passwords and regain full access.
The researchers suggested they could also use a hashing tool to determine the previous password, and then restore the old password to hide their access. The trouble here is that most domains networks don’t allow reused passwords by default.