A key called "UserPassWordHint" may be the most obviously named methods of attempt to break into machines that run Windows 7 and 8.
Although the password hints are hashed with additional zeros, they aren't encrypted, and can be determined fairly easily using a short script.
This all came to light when SpiderLabs vulnerability researcher Jonathan Claudius began poking around to see how the new Windows system behaved.
"I was a little disappointed thinking that the hint was encrypted in some way until I noticed the pattern of zeros," Claudius wrote on the SpiderLabs blog. Upon determining a pattern, however, he "wrote a little decoder in Ruby to see if I could learn this user’s password hint."
It worked. Although still unreadable, Claudius had the eight-line script added to the popular open source Metasploit tool kit's hash dump tools. The lightly encrypted results were then decrypted into plain text.
This all seems very disconcerting, until you realize that they're just hints.
Although they could be helpful to a hacker, they're not nearly as precious as the passwords themselves which, fortunately, are much more difficult to crack.
Anyone with physical access to a PC can access password hints with the click of a mouse, but until now, password hints were much more difficult to obtain by remote intruders. While they could definitely come in handy to a sophisticated hacker, they'd likely go straight for the password from the start. Hints are the territory of jealous boyfriends and prank-pulling siblings who want to snoop through emails or post embarrassing Facebook statuses.
Article provided by SecurityNewsDaily, a sister site to Laptopmag.com.