E-Threats Industry News

Windows 8 Stores Logon Passwords in Plain Text

Barely released to manufacturing, and the first critical bug in the Windows 8 operating system has already been discovered. Expected to reach market Oct. 26th, Windows 8 – Microsoft’s most secure OS to date – already faces issues with the way it stores passwords for local accounts.

The flaw was discovered by the team at Passcape Software, a company that specializes in recovery of forgotten account passwords, while analyzing ways to recover login credentials without brute-forcing the accounts.

Windows 8 is the first operating system from Microsoft to support alternative non-biometric authentication mechanisms such as Picture Password and PIN. To enable either of these, the user first creates a regular account with a passphrase and then switches the authentication mechanism to the desired one. Before the switch, though, Windows stores a backup copy of the password in a Vault storage encrypted with the AES algorithm at %SYSTEM_DIR%/config/systemprofile/AppData/Local/Microsoft/Vault/4BF4C442-9B8A-41A0-B380-DD4A704DDB28.

“Once the user has switched to a new authentication method, his text password is encrypted using the AES algorithm and saved to protected Vault storage in the folder %SYSTEM_DIR%/config/systemprofile/AppData/Local/Microsoft/Vault/4BF4C442-9B8A-41A0-B380-DD4A704DDB28,” the company detailed in a blog post.  “The text password is not bound to the PIN or picture password; therefore, any user of the PC with the Administrator privileges can easily recover it (the encryption key is protected with system DPAPI).”

UPDATE: The quote from the Passcape blog post has sparked quite a debate here, and clarification is required. When the authentication method is changed, Windows stores a copy of the password in a Vault, a system file that is encrypted using the AES algorithm, but the password string itself is not hashed or otherwise modified. Any user with administrator privileges can unlock the Vault and read the hex representation of the password, which is stored as UTF-16. This is reversible encryption, which is not recommended for protecting mission-critical data such as passwords.

Unlocked vault exposes the plain-text password: super_password. Image courtesy of Passcape.

The good news is that this type of vulnerability can’t be exploited remotely. The bad news is that the Vault is available to all local users, allowing any user in a shared environment to iterate through the stored passwords, decrypt them and, why not, check whether the victim has reused the password for social networking accounts, for instance.
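To make the distinction the update draws concrete, here is an added example (not from the article, Passcape, or Microsoft) contrasting a reversible vault whose key lives on the same machine with a salted one-way hash. The keystream cipher is a stand-in for AES so the code runs without third-party libraries; `super_password` is the page’s sample value, and the machine key is a constructed placeholder for the DPAPI-protected key.

```python
import hashlib
import hmac
import os

# Stand-in for AES: a CTR-style keystream from SHA-256(key || nonce || counter).
# Chosen only so the example needs no third-party library; the property that
# matters (decryptable by anyone holding the key) is identical.
def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    out = bytearray()
    for block in range((len(data) + 31) // 32):
        ks = hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
        chunk = data[block * 32:(block + 1) * 32]
        out.extend(a ^ b for a, b in zip(chunk, ks))
    return bytes(out)

# --- Reversible design (what the article describes) --------------------------
def vault_store(password: str, machine_key: bytes) -> dict:
    """Keep the password itself, UTF-16-LE encoded, under a key stored on the box."""
    nonce = os.urandom(16)
    blob = _keystream_xor(machine_key, nonce, password.encode("utf-16-le"))
    return {"nonce": nonce, "blob": blob}

def vault_recover(entry: dict, machine_key: bytes) -> str:
    """Whoever can read the key (per the article: any local admin) gets the text back."""
    raw = _keystream_xor(machine_key, entry["nonce"], entry["blob"])
    return raw.decode("utf-16-le")

# --- One-way design (what the commenters ask for) ----------------------------
def hash_store(password: str, iterations: int = 200_000) -> dict:
    """Salted PBKDF2-HMAC-SHA256: verifiable later, but not recoverable."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}

def hash_verify(entry: dict, candidate: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 entry["salt"], entry["iterations"])
    return hmac.compare_digest(digest, entry["digest"])

if __name__ == "__main__":
    key = os.urandom(32)  # constructed placeholder for the DPAPI-protected key
    v = vault_store("super_password", key)
    print("UTF-16 hex on disk:", "super_password".encode("utf-16-le").hex())
    print("vault blob (hex):  ", v["blob"].hex())
    print("recovered with key:", vault_recover(v, key))       # super_password
    h = hash_store("super_password")
    print("hash verifies:", hash_verify(h, "super_password"))  # True
    print("hash rejects: ", hash_verify(h, "Super_password"))  # False
```

The vault branch answers a login by handing back the original string, which is exactly what lets an admin read it; the hash branch can only answer yes or no.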

About the author


A blend of teacher and technical journalist with a pinch of e-threat analysis, Loredana Botezatu writes mostly about malware and spam. She believes that most errors happen between the keyboard and the chair. Loredana has been writing about the IT world and e-security for well over five years and has made a personal goal out of educating computer users about the ins and outs of the cybercrime ecosystem.


  • OK, we have different opinions on what plain text is… if it is AES encrypted, then it’s not plain text


    • Adrian is 100% correct. AES is NOT plain-text by any means. Plain-text is what you’re reading in my comment right now. AES is an encryption algorithm, noting the higher key sizes mean a better encryption (of course). That being said, if you have the salt and password then you would be able to decrypt them pretty easily, otherwise, you had better start generating that rainbow table.

      AES is absolutely not plain-text. Get your facts straight, please. This article could mean a huge hit to Windows 8 just by reading the title. Unless the user reading this article has a better understanding in security and encryption algorithm than the author (which actually shouldn’t be too uncommon), they’ll have no clue what you’re talking about and simply assume that Windows 8 is horrible.

      All that being said, given my understanding of the situation, it would make more sense for each account to have its own vault, inaccessible by other users (unless they, maybe, have some sort of account management role of some sort). Besides brute forcing, you shouldn’t have many options available to you to “recover” another account’s password. That’s what “Forgot Password” functionality is for.

      PLEASE UPDATE THIS ARTICLE’S TITLE. It’s misleading, could possibly be libel, and unprofessionally incompetent. Something like “Windows 8 Encrypted Passwords Available to All Users”. You know, something that actually relates to the article’s contents and isn’t being used to damage Windows’ image and/or fish for article views. And… educate yourself next time. You’re supposedly a “security” news source.

      • @Joseph, while your comment makes a lot of sense, this approach literally takes things back to the Windows 2000 era security-wise. I’m administrating about 900 PCs running in multi-user mode and I wouldn’t be too confident about them minding their own business and not peeking into others’ passwords. This should make a huge difference over the global perception of an operating system that has added lots of security features to stop malware from booting in advance, but leaves local accounts exposed to others’ arbitrary inspection. Call me a non-expert, but if it is visible to my users with a minimum of effort, it makes no sense to me. And yes, looking in the original screenshot at the source of this article, I could read super_password, although it’s a UTF-16 HEX string.

        • It is accessible to other users (IF they are admins, which I hope your 900 users are not!), but it is ENCRYPTED using AES. So all they’d be seeing is the cypher text, which is useless. They could try brute-forcing it, but they’d have an adventure ahead of them!

          • That’s so reassuring, so my password will end up known only by other admins, right, just like the security protocols say. Unless you’re here for trolling, I think that you’re either not grasping the seriousness of other administrators seeing your account password or you haven’t seen the screenshot at Passcape, which reveals the hex representation of the plain-text password.

  • Actually, it’s like something was lost in transcript. There are some security flaws regarding Windows credentials being stored; Windows 8 just follows the exact path of its predecessors.

    Loredana, please get all (or none) of the blog post content in here, rather than just copy-paste some of the info in your news bulletins


    • @Adrian: I beg to differ. You said that Windows 8 follows the path of its predecessors. Unless I’ve been away for some Windows versions, I don’t remember to have seen any authentication mechanism other than biometric, smartcard and password in any previous version.

      As for encryption, the vault may be AES encrypted, but if the key is readily available in the registry, I really don’t see a challenge to pull it out. It’s like me posting my password in this message. To any sane user DPAPI-based protection SHOULD prevent any user from getting to the secret. Otherwise “encryption” is another buzzword to pass some security certification.

      • The cyphertext is NOT the secret. Yes, it is bad practice to allow any other users access even to the encrypted version of the password, but it is not nearly so bad as you make it sound. It is NOTHING like you posting your password in this message! For instance, my password, encrypted with an AES key (which you don’t have), is A138F2849DB2435977D32CC3822A2E8893. Good luck making any use of that!

  • Plain text?????? Loredana – you mention multiple times in your article that “the password is encrypted using the AES algorithm” – that’s not plain text. This may be a security flaw (being the fact that any local account can decrypt them) but they are NOT stored in plain text. Horrible title to an otherwise well articulated article. Is the title meant to entice more clicks? For shame.

  • Windows 8 stores passwords in plain text, that’s beyond doubt. To the people here arguing about that: if you note your password on a post-it and stick it on your fridge, then lock the kitchen door, is the password encrypted? No, it’s still a plain text password protected by a lock. What is not plain-text: a hashed version of the password with an irreversible algorithm (MD4, MD5, SHA1, SHA256). That is how passwords were supposed to be stored.

    To all windows fanboys mentioning lawsuits and libel – that doesn’t help. There is no reason to downplay the importance of Passcape’s discovery, not if you want to see it fixed anywhere earlier than Windows 20. Let the media write about it, maybe M$ will come to their senses and fix a security model that has been utterly stupid for the past decade.

    • “Encrypted” does not equal “plain text.” It’s utter nonsense to say it does. “Plain text” is the input to an encryption algorithm. The output, which is what Win8 stores, is the cypher text.

      An accurate headline would be “Windows 8 stores passwords using reversible encryption,” which, as you point out, is not a best practice in system design; a non-reversible hash should be used instead. However, this accurate headline would not be as sensational-sounding. But you can’t simply equivocate between plain text and cypher text just because you think they’re not doing it the way they should.

      • Yeah, how can anyone say that. Especially as the vault does not have the required .txt extension to be true plain-text.

  • Ah, I see the article has been updated to clarify what is happening: it’s not that the password is encrypted with AES and THEN put in the “vault” (as the article first described the process), rather it’s just put into the vault as-is and encrypted along with the rest of the vault contents. All local admins and the system account have access to the de-crypted contents of the vault. Given this clarification, this practice is much more obviously problematic than it first appeared.

    Clearly Microsoft just bolted on this other authentication via “picture and PIN” over top of regular authentication. If the user chooses the right picture and inputs the correct PIN, the system de-crypts the user’s stored passphrase and presents that to the underlying authentication mechanism (i.e. the “real authentication mechanism.”) So this new feature is a half-baked kludge.

  • Not that it matters when most users use maybe a 4 to 5 character password that describes their profession, their nickname or their dog’s name anyway.

    The added benefit of this flawed process used by many a nom is it doesn’t take too long to guess their password so I can repair whatever they are paying me to repair.
    Actually providing me with the password in the first place would help, but whoever listens to the security expert/tech guy anyway?

  • Jeez, you ignorant fools. Windows NEEDS to store the password somewhere, because the domain controller will want a text password one way or the other to authenticate a user. Windows needs to be able to read that password to be able to log you in to the domain controller. Whether it’s plain text or encrypted doesn’t really matter. If it were encrypted, it could only be encrypted using a reversible encryption, and the key to that encryption needs to be stored somewhere on the computer. In other words, if it were a reversible encryption, it would only make it a bit harder for an admin to decrypt the password. He/she would only need to find the decryption key for that user and they would be able to read the password. That is called security through obscurity, and it is a bad idea. Oh, and UTF-16 is not ‘encryption’.

    • Hello, Erik. Why are we talking about domain controllers? The issue resides with workgroup computers, not with those enrolled in domains. And I also tend to disagree with you about security through obscurity – that’s not security, it’s an irresponsible act – most of the targets taken down by Anonymous in the past year were secured “by obscurity”, and we all saw the consequences. Forgive me, but when talking about operating systems that may host my private data protected by obscure means, I’d rather pass. There are much better ways of saving a password – although I wouldn’t save it at all in this context, just prompt the user for a new password whenever they want to switch from pin or pattern to text-based password. Just like Android does.

  • The title is obviously wrong, but the way those passwords are stored is rather shocking for the latest version of any modern internet-enabled operating system. This takes me back to the old days of Windows 9x, with the lame .pwl files.

    Is this still happening today, 2 months later?