Windows 8 Picture-Password Mechanism Still Flawed Claims Passcape

Password recovery software maker, Passcape Software, has reported the problem on its blog and has asked users to be cautious while using the authentication mechanism when the operating system is released publicly later this month.

In Windows 8, Microsoft has implemented a graphical login mechanism whereby users can select an image from the gallery of photos and set gestures which appear over the image. Developers are already testing this feature in the pre-release version of the operating system and this authentication mechanism seems to be invulnerable up until now as whoever tries to hack his / her way through the authentication system needs to know the image to select, the part within the image and the gesture sequence.

Passcape has revealed that before using this authentication mechanism a user needs to create a regular password-based account and then switch over to picture password or pin based authentication, which is optional. The original plain-text password is still stored on the system. If a user switches over to the new authentication mechanism, the password is encrypted using AES algorithm and saved in a protected vault in one of the system folders.

The problem here, according to Passcape, is that any local user with Admin privileges can decrypt the text passwords of all users whose accounts were set to a PIN or picture password. There are basically three problems as described by Passcape: 1) You can decrypt your own plaintext password even if you’re not an administrator; 2) An administrator can decode plaintext passwords of any other user whose account was set to require PIN or Picture password) and 3) Any user who can get a physical access to PC, for example when booting from a live CD, can decrypt passwords for any user.