Windows 10 Security Questions Are Not So Secure After All

Whenever you set up a new account anywhere, you can usually create a safety net that helps you recover your password in case you forget it, and any system that requires a password should offer one. The Windows operating system has its own ways to help you recover your password. Windows 10 added a security questions feature, but researchers have since shown that Windows security questions can be hacked, which raises new safety concerns. We will discuss how Windows security questions can be hacked, and we will also describe how you can disable or avoid them.

What Are Windows Security Questions?

Windows Security Questions are a list of default questions you can choose from when you set up a local Windows 10 account. They exist to give you a way back in if you forget your Windows password.

The truth is that since the Windows 10 April 2018 Update (version 1803), whenever you create a local Windows 10 account with a password, you are required to set up three security questions. If you forget your Windows password, answering the questions you chose in advance lets you reset it from the sign-in screen. The problem with the security questions is that they are quite obvious. For instance, one of the default questions is "What was your childhood nickname?" Anyone who knows you well enough, or who can find the answer on your social media, may be able to reset the password and take over your account by answering them.

How Can Windows Security Questions Be Hacked?

Magal Baz and Tom Sela, security researchers at Illusive Networks, have shown how Windows security questions can be hacked without executing any code of their own on the machine they want to take over. Everything lies in the simplicity of the default questions and in where Windows keeps the answers.

Tech-speak aside, the main issue with the security questions that guard the Windows password is that they are hardcoded. The user cannot enter their own questions; Microsoft only allows choosing from six default questions in a drop-down menu, three of which must be answered. As mentioned, one of the questions is about your childhood nickname, and another, for instance, is about your first pet's name.

Anyone familiar with the importance of strong passwords will tell you that using names to protect those passwords is a bad idea. A pet's name may be even worse: it is short, drawn from a small pool of common names, and often posted publicly, so it is far easier to guess than a password.

The researchers did point out that the attacker must already have administrative access to the target machine or network before the security questions come into play. The point is not the initial break-in but what follows: once the questions are under the attacker's control, they have a durable way back into the machine that does not depend on knowing the current Windows password.

So how does that work? The password hashes of local accounts, and since version 1803 the security questions and their answers as well, are stored in the SAM hive of the Windows registry, under the key for each user account. Technically, that area should be hard to tamper with: the key is readable only by the SYSTEM account, and the hashes are encrypted with a key assembled from values in the SYSTEM hive. However, an attacker who has full access to the registry on the target machine can collect the artifacts needed to assemble that key, and, more simply, can overwrite the stored questions and answers with their own, without having to decrypt anything.

The bottom line is that anyone who takes full control of a target system can bypass, and rewrite, the security questions. In fact, some security practitioners question why Microsoft added security questions to the Windows operating system at all, because they are an obvious liability for exactly the accounts that matter most.

This is less of a problem for an individual user than for businesses. According to Magal Baz, once an attacker controls one compromised Windows 10 machine whose credentials carry administrator rights on other machines in the network, they can change the security questions on every one of those machines. The modified questions then act as a backdoor: the attacker answers their own questions, resets the local password, and walks into each machine in turn. So although these questions are supposed to protect the user's Windows password, in practice they are a significant weakness.

How Do I Remove Windows Security Questions?

Magal Baz and Tom Sela published a PowerShell script that disables the built-in Windows security questions. Running it does not require programming skills, but it does require an elevated (administrator) PowerShell session and a willingness to change the registry; users who are not comfortable with that may prefer to ask an administrator, or to avoid the questions altogether.
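For administrators who want to see what the registry storage described above actually contains on their machines, and to turn the feature off fleet-wide without the researchers' script, here is an added PowerShell example. It is not from the article and not Illusive Networks' code. It assumes the storage layout the researchers described: on Windows 10 1803 and later, each local account's questions and answers sit in the SAM hive at HKLM\SAM\SAM\Domains\Account\Users\<RID>\ResetData as UTF-16 JSON with a "questions" array, readable only as SYSTEM. It also assumes the policy value NoLocalPasswordResetQuestions under HKLM\SOFTWARE\Policies\Microsoft\Windows\System, which Microsoft added in Windows 10 1903 (after this article was written; on older builds it has no effect, and the script or the skip methods below remain the options).

```powershell
# Added example: audit which local accounts have Windows security questions
# stored, then disable the feature by policy. Not the article's code and not
# Illusive Networks' script. Assumptions (labelled, see lead-in):
#  - ResetData under HKLM\SAM\SAM\Domains\Account\Users\<RID> holds UTF-16 JSON
#    with a "questions" array; that key is readable only as SYSTEM, so run the
#    audit from a SYSTEM shell (for example: psexec -s -i powershell.exe).
#  - NoLocalPasswordResetQuestions = 1 (Windows 10 1903+) disables the feature.

$SamUsersKey = 'HKLM:\SAM\SAM\Domains\Account\Users'
$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$PolicyValue = 'NoLocalPasswordResetQuestions'

function Get-LocalSecurityQuestionState {
    # Reports every local account that has security questions stored.
    # Map RID -> account name so the report is readable.
    $names = @{}
    Get-LocalUser | ForEach-Object { $names[[int]$_.SID.Value.Split('-')[-1]] = $_.Name }

    try { $userKeys = Get-ChildItem -Path $SamUsersKey -ErrorAction Stop }
    catch { throw "Cannot open $SamUsersKey - this audit must run as SYSTEM. $_" }

    foreach ($key in $userKeys) {
        # Account subkeys are 8 hex digits (the RID); skip the 'Names' subkey.
        if ($key.PSChildName -notmatch '^[0-9A-Fa-f]{8}$') { continue }
        $rid = [Convert]::ToInt32($key.PSChildName, 16)
        $raw = (Get-ItemProperty -Path $key.PSPath -Name ResetData -ErrorAction SilentlyContinue).ResetData
        if ($null -eq $raw) { continue }      # no questions stored for this account

        # Assumed format: UTF-16LE JSON, handed back either as bytes or as text.
        $json = if ($raw -is [byte[]]) { [Text.Encoding]::Unicode.GetString($raw) } else { [string]$raw }
        $data = $json.TrimEnd([char]0) | ConvertFrom-Json

        $account = if ($names.ContainsKey($rid)) { $names[$rid] } else { "RID $rid" }
        [pscustomobject]@{
            Account       = $account
            QuestionCount = @($data.questions).Count
            # Only the questions are shown; the answers stay out of the report.
            Questions     = (@($data.questions) | ForEach-Object { $_.question }) -join ' | '
        }
    }
}

function Test-LocalSecurityQuestionsDisabled {
    # True when the policy value is present and set to 1.
    $v = Get-ItemProperty -Path $PolicyKey -Name $PolicyValue -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.$PolicyValue -eq 1)
}

function Disable-LocalSecurityQuestions {
    # Enforces 'Prevent the use of security questions for local accounts'.
    # Needs an elevated session; the effect is the same as setting the GPO.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name $PolicyValue -Value 1 -Type DWord
    return (Test-LocalSecurityQuestionsDisabled)
}

# Usage: audit first, then turn the feature off.
Get-LocalSecurityQuestionState | Format-Table -AutoSize
if (-not (Test-LocalSecurityQuestionsDisabled)) {
    if (Disable-LocalSecurityQuestions) { Write-Host 'Security questions disabled by policy.' }
}
```

The audit deliberately prints the questions but not the answers: the point is to find accounts that carry the weakness, not to harvest recovery data. Because the SAM key is SYSTEM-only, the audit failing with an access error from an ordinary administrator prompt is expected, and is the same barrier the attacker in the research had already cleared.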

Nevertheless, when it comes to computer networks, it might be a good idea to skip creating security questions in the first place, when setting up new Windows 10 accounts. It is a lot easier, and no script needs to be run.

Skip Security Questions: Method 1

It is possible to create a local Windows 10 account without associating security questions with it. In the Create an account for this PC dialog, the Security question fields appear as soon as you click the Windows password field. To skip them, leave the password blank and click Next; with no password, no questions are created. You can set the account's password afterwards, once the account exists. Setting it with the net user command in an elevated prompt (for example, net user <account> *) does not prompt for security questions.

Skip Security Questions: Method 2

Instead of creating a fresh local account, you can also convert a Microsoft account sign-in into a local account, which does not create security questions. If you sign in with a Microsoft account, do the following:

  1. Use the Microsoft Account credentials to log in.
  2. Open "Settings" and go to "Accounts". Click "Your Info".
  3. Click a link that says "Sign in with a local account instead".
  4. Enter your Microsoft account password.
  5. Set up a new local account password.

A local account created this way has no security questions. Neither method is especially obvious, but as long as Windows security questions are hardcoded, avoiding them takes some effort.

On the other hand, if you do not use the security questions, you lose a recovery path, so a forgotten Windows password becomes harder to get back. Thus, we recommend using Cyclonis Password Manager and storing such passwords in the manager's Personal Notes section. If the tool is installed on several devices and the vault is synced, you can look up the password on another device even when you cannot get into your main computer. Just because something is the default, it doesn't mean you have to use it.

January 10, 2019