When we published our first article about the Credential Manager, some of you wanted to know how secure is the data stored inside. Can it be easily cracked? We made a few tests and we managed to identify which Windows Vault passwords can be easily cracked and which not. Read more for details.
The Tool Used for Cracking Passwords - Network Password Recovery
When you run it, it shows for each entry in the Credential Manager, its name, type, the username and password used, when it was last written, its alias and the password strength.
What Passwords Are (In)Secure?
The good news is that some passwords are safe and cannot be decrypted. The bad news is that there are more insecure passwords than secure ones.
What passwords are secure? First, the password used by your Homegroup is properly encrypted and cannot be easily identified. Second, are the credentials used for "virtualapp/didlogical", we covered in the previous article: Credential Manager - Where Windows Stores Passwords & Other Login Details.
The bad thing though is that other log-in credentials you ask Windows 7 to remember so that you access shared folders on your network are not secure. They can all be easily read and then the other network computers accessed by unwanted guests who cracked the Credential Manager data on your computer. Therefore, if you have a home network, I highly recommend you to use only the Homegroup feature for sharing folders and devices. Do not share folders using the old ways you’ve grown accustomed to from Windows XP.
The most worrisome aspect is that my Windows Live ID password was not secure. Network Password Recovery was able to easily read it. If an unauthorized program or person is able to read it, it will immediately have access to all the Windows Live services I am using. And there are a whole lot of Windows Live Services they would get access to, including Xbox Live which stores financial data for purchasing games on Xbox.
I hope this will be changed at least in the final version of Windows 8, since the Windows Live ID will be so central to the whole computing experience. I have tested the Developer Preview of Windows 8 and unfortunately the details of your Windows Live ID are as insecure as in Windows 7. UPDATE: In later updates created for Windows 8 Consumer Preview, this problem no longer exists. It is great to see this improvement in Windows 8.
What Next - Security Recommendations that Will Help?
Considering that most of the information stored in the Credential Manager is insecure, what can you do about it?
First of all, use a strong log-on password for your Windows users accounts. This will make it harder to be cracked with tools that can be easily found on the Internet.
The second piece of advice is to always keep UAC turned on. Also, make sure you have a good security solution installed on your computer. This way, you have a high chance of not getting your computer infected by unwanted malware that aims to steal your personal data.
Third, in case your computer gets stolen, the only real solution to not have it easily cracked is to encrypt it using a solution such as BitLocker or something similar.
Last but not least, if you want to give access to your computer to other people, don’t let them use your user account. Create a separate (non-administrator) account for them, or turn on the standard Guest account. Do not give them access to your administrator account.
Since the data stored in the Credential Manager varies from user to user, it would be good to know: what other passwords do you have stored in the Credential Manager? Which of them are insecure?
Use the Network Password Recovery - make sure you download the appropriate version (32-bit or 64-bit) - and identify the credentials that can be easily cracked and share them with the other readers.
NOTE: Some security products will identify Network Password Recovery as a HackTool, which is entirely true. However, there is no need to worry. It is safe to use it, you won't get your computer infected. You will only be able to hack the passwords stored in the Windows Vault.