Windows users have been getting a lot of bad news about their security lately. First, we found out that passwords in Windows 7 and 8 can easily be exploited if password hints are enabled, and now, Russian password-cracking software developer Elcomsoft has found another huge vulnerability.
It turns out that the UPEK Protector Suite's fingerprint reader does the exact opposite of what it's supposed to do—it makes Windows passwords ridiculously easy to recover for anyone with physical access to the computer.
UPEK's fingerprint reader comes factory installed on some devices from Dell, Asus, Sony, Toshiba, and at least ten other well-known manufacturers. When it's activated, it replaces the user's password with his or her fingerprint, but the software doesn't store the Windows login password securely. Basically, it puts the password right in the Windows registry, and not even encrypted—just "barely scrambled."
It's also worth noting that without the fingerprint reader, Windows never stores passwords in its registry unless you have it set up to log in automatically. Even worse, if your computer is encrypted but you use the fingerprint scanner, the password that decrypts your data is stored in the registry, making the encryption pretty much pointless.
If you use UPEK's Protector Suite on your laptop, the best thing you can do is open it up and disable the Windows logon feature. According to Ars Technica, "passwords are stored in the Windows registry even after the Protector Suite software has been deactivated," but the exact location in the registry where they're stored is unknown. You may be able to remove them with a registry editor, which you can learn more about in this tutorial.
Until a fix comes out (assuming it does), make sure the password you create to replace it is as secure as possible. Do you use UPEK's fingerprint reader on your computer? Has anyone had a bad experience?