Windows 10 Security Questions Are Not so Secure Afterall

Whenever you set up a new account anywhere, you can create a safety net that can help you recover your password in case you forget it. Any system that requires you to use a password should come with such a safety network. The Windows operating system also has its ways to help you recover your password. Windows 10 comes with the security questions feature, but it has been recently revealed that Windows security questions can be hacked, and so it raised new safety concerns. We will discuss the ways Windows security questions can be hacked, and we will also describe methods how you can disable them.

What Are Windows Security Questions?

Windows Security Questions are a list of default questions you can choose from when you set up your Windows 10 account. These questions are used to provide you with a solution when you forget your Windows password.

The truth is that whenever you create a local Windows 10 account, it is a must to create several security questions. If you forget your Windows password, answering the security questions that you have created in advance should help you reset or restore it. The problem with the security questions is that they are quite obvious. For instance, one of the default questions is “What was your childhood nickname?” If there's anyone who knows you well enough, they might be able to reset the password and take over your account by answering them.

How Can Windows Security Questions Be Hacked?

Magal Baz and Tom Sela, security researchers at Illusive Networks, have found out how it is possible to hack Windows security questions without even executing any kind of code on the machine one wants to hack. Everything lies in the simplicity of the default questions.

Tech-speak aside, the main issue with these security questions that guard Windows password is that they are hardcoded. It means that user cannot enter their own questions, and Microsoft only allows choosing from six default questions in the drop-down menu. As mentioned, one of the questions is about your childhood nickname, and another, for instance, is about your first pet's name.

Anyone who is familiar with the importance of strong passwords would tell you immediately that using names to protect those passwords is a bad idea. A pet name might be even worse because they are far easier to guess.

Although the researchers did point out that the attacker would have to have prior access to the target network to hack Windows security questions, the point is that if they manage to get through your Windows password, the criminals would have an almost absolute presence on the target machine.

So how does that work? Windows password and all the other important passwords of a certain system are stored in the LSA Secrets entry within the Windows registry. Technically, it should be extremely hard to hack into that entry because it is encrypted. However, if the hacker has full access to the registry on the target machine and they know how to collect the artifacts that are necessary to assemble the AES key to unlock the LSA Secrets, it wouldn't be that hard to rewrite all the passwords.

The bottom line is that if someone takes full control of a target system, they can easily bypass the security questions. In fact, some technology experts seriously question Microsoft for still adding security questions to the Windows operating system because they are obviously a liability.

And it's not so much of a problem for an individual user as opposed to corporate users and businesses. According to Magal Baz, once an attacker manages to take control of at least one compromised Windows 10 machine, if that machine is part of a big network that connects multiple machines with administrator privileges, the attacker can easily change security questions across the compromised system. As a result, the modified security questions become system backdoor, allowing hackers to slither into every single machine. So although these questions are supposed to protect user's Windows password, essentially, they are quite a big weakness.

How Do I Remove Windows Security Questions?

Magal Baz and Tom Sela created a PowerShell script that can disable the built-in Windows security questions. On the other hand, if users are not familiar with programming languages, they might not be able to apply this script. Thus, they might need to address a professional programmer to tweak that aspect of their Windows operating system.

Nevertheless, when it comes to computer networks, it might be a good idea to skip creating security questions in the first place, right before setting up new Windows 10 accounts. It would be a lot easier, and you would not need to execute a programming language script.

Skip Security Questions: Method 1

It is possible to not associate security questions with a local Windows 10 account when you create one. You can do it when you are at the Create an account for this PC section. The moment you click on the Windows password field, the Security question options will show up as well. To skip the questions, simply do not create a password for this account and click Next. By leaving these sections blank, you will avoid creating new security questions. As for your account password, you can set it up later on, once the account is already created.

Skip Security Questions: Method 2

Aside from creating a local Windows account, you may also use your Microsoft account to skip Windows security questions. So if you have a Microsoft account, you can do the following:

  1. Use the Microsoft Account credentials to log in.
  2. Open "Settings" and go to "Accounts". Click "Your Info".
  3. Click a link that says "Sign in with a local account instead".
  4. Enter your Microsoft account password.
  5. Set up a new local account password.

If you create a new password this way, it will not have security questions. The methods described are not straightforward, but as long as Windows security questions are hardcoded, it might take some effort to bypass them.

On the other hand, if you do not use the security questions, the possibility of losing your Windows password rises. Thus, we would like to recommend using Cyclonis Password Manager to store your passwords in the manager's Personal Notes section. If you have the tool installed on several devices and the vault is synced, you can look up your passwords on another device even if you cannot access your main computer at the moment. So just because something is default, it doesn't mean you have to use it no matter what.

By Foley
January 10, 2019
Password Security
English
January 10, 2019
Password Security

Popular Posts

As Fears of the Coronavirus Pandemic Spread, So Does...

4 years ago

Microsoft Warns State-Backed Threat Actors Are Using AI in...

4 days ago

Trojan Al11 Malware Detection & Removal - An Essential...

11 months ago

Pinaview is a Fully-Featured Adware App

10 months ago

"Your iCloud is Being Hacked" and "Your iPhone has Been...

7 months ago

What is Lucky Ransomware?

7 months ago

Related Posts

Tips

How to Handle Login/Password Security Questions

Security questions, also known as secret questions, are arguably among the worst backup authentication and account recovery mechanisms you can possibly see at the moment. In the past they did work, but right now, they... Read more

March 14, 2018
Password Security

How Secure Is Your Password When It’s Stored in the Cloud?

We designed Cyclonis Password Manager to allow users to store their data on the Internet and access it from multiple devices. Does this mean that you'll be more vulnerable to having your accounts stolen? No, it... Read more

April 24, 2018
Tips

7 Big Security Mistakes People Make Every Day

Even though the awareness of how to stay safe online is increasing, there are still some users who endanger their privacy every day without even realizing it. Unfortunately, most hackers are after any information they... Read more

August 21, 2018
English
Loading...

Cyclonis Backup Details & Terms

The Free Basic Cyclonis Backup plan gives you 2 GB of cloud storage space with full functionality! No credit card required. Need more storage space? Purchase a larger Cyclonis Backup plan today! To learn more about our policies and pricing, see Terms of Service, Privacy Policy, Discount Terms and Purchase Page. If you wish to uninstall the app, please visit the Uninstallation Instructions page.

Cyclonis Password Manager Details & Terms

FREE Trial: 30-Day One-Time Offer! No credit card required for Free Trial. Full functionality for the length of the Free Trial. (Full functionality after Free Trial requires subscription purchase.) To learn more about our policies and pricing, see EULA, Privacy Policy, Discount Terms and Purchase Page. If you wish to uninstall the app, please visit the Uninstallation Instructions page.

Home

Products

Cyclonis Backup Cyclonis Password Manager Cyclonis World Time

Support

Help Files FAQs Downloads Inquiries & Support

Company

About Us Contact Us Report Abuse

Legal (Post Merger)

EnigmaSoft Limited (fka Cyclonis Limited)

Cyclonis Backup's Terms of Service Cyclonis Password Manager's EULA Cyclonis World Time's Terms of Service Privacy Policy Cookie Policy Special Discount Offer Terms Additional Terms & Conditions SpyHunter EULA RegHunter EULA EnigmaSoft Privacy Policy & Cookie Policy ESG Privacy Policy & Cookie Policy EnigmaSoft Discount Offer Terms ESG Discount Offer Terms

© 2017-2024 Cyclonis Ltd. CYCLONIS is a trademark of EnigmaSoft Limited (Cyclonis was merged into EnigmaSoft Limited effective November 25, 2023.) All rights reserved.

Registered Office EnigmaSoft Limited: 1 Castle Street, 3rd Floor, Dublin 2 D02 XD82, Ireland.
EnigmaSoft Limited, Private Company Limited by shares, Company Registration Number 597114.

Windows is a trademark of Microsoft, registered in the U.S. and other countries.
Mac, iPhone, iPad and App Store are trademarks of Apple Inc., registered in the U.S. and other countries.
iOS is a registered trademark of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
Android and Google Play are trademarks of Google LLC.