Picture Passwords allow users to log in to Windows 8 accounts without entering a passcode.

New features designed to make it easier to log into Windows 8 accounts allow encrypted passwords to be converted into plaintext in some cases, security researchers said.

The features, which allow people to sign in with a picture-based password and four-digit personal identification number, are intended to provide a less-cumbersome alternative to entering a password each time users want to access their account. Once people have set up a password for an account, they can use pictures or PINs to log in from then on.

But the added convenience comes at a cost. According to security experts who have tested the features in developer pre-releases of the upcoming Microsoft operating system, the features cause Windows 8 to store passwords using encryption that can be reversed. Attackers who gain physical control of a computer as well as administrator access can extract the key that recovers the plaintext password of each account that uses the log-on alternatives. The latest version of Windows Password Recovery, a password-cracking package sold by Russia-based Passcape Software, claims to do just that.

via Ars Technica » Technology Lab http://feeds.arstechnica.com/~r/arstechnica/technology-lab/~3/LIvpD0YDAJU/