Recently a group of researchers described a scenario wherein password recovery questions were used to break into Windows 10 PCs. This has led to some suggesting disabling the feature. But you don't need to do this if you're a home computer user.

So, What's Going on Here?

As Ars Technica first reported, Windows 10 added the option to set password recovery questions on local accounts in the past year. Security researchers delved into this and discovered that on a business network it could lead to a potential vulnerability.

Right off the bat, you can spot two important points there:

  • First, the entire scenario relies on computers joined to a domain network: the kind you'd find on a business network with managed computers.
  • Second, the vulnerability applies to local accounts. That's particularly interesting because if your PC is part of a domain, you're almost certainly using a centralized domain user account and not a local account. And security questions are not allowed on domain accounts by default.

There's also a third point that's even more important. All of this requires the malicious actor to first gain administrator-level access on the network. From there, they could identify machines connected to the network that still have local accounts and then add security questions to those accounts.

Why bother?

The idea is that if admins discover and revoke the malicious actor's access, subsequently changing all the passwords, the actor could, in theory, make their way back into the network to these machines and use their custom questions to reset those passwords and regain full access.

The researchers suggested they could also use a hashing tool to determine the previous password, and then restore the old password to hide their access. The trouble here is that most domain networks don't allow reused passwords by default.

When Ars Technica asked Microsoft for comment, the response was short:

The described technique requires an attacker to already possess administrator access

While that might seem obtuse at first, what Microsoft is implying is right, and it brings us to the real crux of the matter. Once a malicious actor has administrative-level access on a network, the potential damage and avenues of attack go far beyond simple password reset tricks. And if a network is robust enough to prevent the malicious actor from ever gaining administrative-level access, then all of this is moot.

So, in the end, our malicious attacker would need to gain administrator-level access to a business network that uses a Windows domain, find computers that might have local accounts on them, and then create security questions so that they could get back into those computers if they are discovered and locked out. And we're supposed to be worried about that when their administrator-level access gives them the ability to do so much more harm already.
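As an added example (not part of the original article or the researchers' work), the following PowerShell audit checks a single PC for the preconditions the scenario needs: domain membership and enabled local accounts, plus whether the Group Policy that disables security questions for local accounts is in force. The registry value name is assumed from that policy's name ("Prevent the use of security questions for local accounts") on current Windows 10 builds; verify it against your build.

```powershell
# Added example, not from the article. Run in an elevated PowerShell 5.1+ session.
# Assumption: the policy value NoLocalPasswordResetQuestions under the path below
# corresponds to the Group Policy setting "Prevent the use of security questions
# for local accounts" (Computer Configuration > Administrative Templates >
# Windows Components > Credential User Interface).

$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$domainJoined = [bool]$cs.PartOfDomain

# Built-in accounts such as Administrator and Guest are normally disabled;
# only enabled local accounts can have reset questions used against them.
$localUsers = @(Get-LocalUser | Where-Object { $_.Enabled } |
    Select-Object Name, LastLogon, PasswordLastSet)

$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$policyName = 'NoLocalPasswordResetQuestions'
$questionsBlocked = $false
if (Test-Path $policyPath) {
    $val = (Get-ItemProperty -Path $policyPath -Name $policyName `
        -ErrorAction SilentlyContinue).$policyName
    $questionsBlocked = ($val -eq 1)
}

# "MeetsPreconditions" is true only when all three conditions from the
# article hold: domain-joined, enabled local accounts, questions not blocked.
[pscustomobject]@{
    Computer                 = $cs.Name
    DomainJoined             = $domainJoined
    Domain                   = if ($domainJoined) { $cs.Domain } else { $null }
    EnabledLocalAccounts     = ($localUsers.Name -join ', ')
    SecurityQuestionsBlocked = $questionsBlocked
    MeetsPreconditions       = $domainJoined -and ($localUsers.Count -gt 0) -and (-not $questionsBlocked)
} | Format-List
```

On a home PC the output will normally show DomainJoined as False, which is the article's point; on a managed network the same script can be run through a remoting or management tool to find the handful of machines that still carry enabled local accounts.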

Got It. So, Does This Apply to Me?

If you're using a Windows 10 computer at home, the short answer is almost certainly not. And here's why:

  • Your home PC is most likely not joined to a domain.
  • Even if it were, you'd have to be using a local account, and most people on Windows 10 are probably using a Microsoft account to sign in. This is because Windows 10 requires a Microsoft account for many features to work correctly. And while you can take a few extra steps to create a local account instead, Microsoft doesn't make it the most obvious choice. If you are using a Microsoft account, then you don't have the option to use password reset questions.
  • To take advantage of this, someone would need to have either remote or physical access to your PC. And with that level of access, password reset questions are the least of your worries.

So, the chances are very high that none of this research applies to you. But even if you are using a local account on a computer joined to a domain, all of this comes down to an age-old set of questions. How much convenience should you give up in the name of security? Conversely, how much security should you give up in the name of convenience?

In this case, the chances of a bad actor accessing your machine and using security questions to gain full control are incredibly remote. And the chances of forgetting your password and needing the questions are a little higher. Take stock of your situation, and make the best choice for you.