How to Secure Your Microsoft Account by Disabling the Password Recovery Questions on Windows 10

Did you know that password recovery questions have been implemented into Windows 10 for more than one year now? Probably not if you sign into your Windows 10 machine using a Microsoft account. However, if you use a local account when you're first installing Windows 10, you will be asked to create three security questions that you can use to reset your password if you happen to forget it.

Quite handy, right? However, security questions, while very convenient, are not very good for security. The problem is that a hacker could easily guess the answers if your questions are something obvious like your pet's name or your mom's birthday, especially if they know you. Even worse, someone with administrator access could create their own security questions and use them as a back door into your system. That really sucks, as there's no apparent way to turn off the security questions.

How can I disable the recovery questions then?

A group of security experts discussed this possibility during the Black Hat Europe Security Conference.

"The problem, the researchers said, is that the password reset questions are too easy to set and too hard to monitor in networks made up of hundreds or thousands of computers. A single person with administrator credentials can remotely turn them on or change them on any Windows 10 machine and there's no simple way for the changes to be monitored or changed. As a result, malicious users—say a rogue employee or a hacker who briefly gains unauthorized administrative control—can use the security questions as a backdoor that will secretly allow them to regain control should they ever lose it." - As per the news site Ars Technica.

These researchers, Magal Baz and Tom Sela, working for Illusive Networks, devised a fix for this issue: a quick PowerShell script you can use to turn off Windows' built-in password recovery questions for good. All you have to do is download the .ps1 file, open PowerShell from within your Windows 10 OS, find the folder that contains the .ps1 file, and enter the following line to disable the recovery questions:


After you enter this command, a pop-up error message will be displayed if you try to use the "Reset password" option at the Windows 10 login screen.

If you still want to have the option of using password recovery questions, but you want to hide the fact that it still works, use this line instead:

"Update-AllUsersQA -answer SecretAnswer"

Note: replace "SecretAnswer" with your own recovery answer. Make sure it's something you can remember but that is not easy to guess.

You will still see the same warning that says "This feature is disabled" when you attempt to reset your password, but you can just ignore it.

April 4, 2019