avze

join:2013-08-19

Password Hint appearing in Win7 Logon prompt after failed attempt?

Let me just ask you guys here for any concerns or opinions on this.

I just noticed that in the Win7 Logon credentials prompt, after a failed password entry, right below the enter password field, the Password Hint is shown.

Would this be a major security flaw?

Of course, my password hint is NOT my actual password and I cannot imagine someone actually putting the Windows password as the password hint.

But, would this password hint being shown under the password field be a security concern?

dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8
No more than anything else that could be done with a password hint.

The entire point of a password hint is that it can be shown to someone who does not know the password.

No-one should be putting their actual password in the password hint; it's supposed to be something that would jog your memory while being meaningless to anyone else.

avze

join:2013-08-19
Yeah, like I wrote, it would be the dumbest thing to put the actual password in the password hint field. That itself is a security concern.

But what about the hint showing up in the Windows logon prompt after even 1 failed password?

Shady Bimmer
Premium
join:2001-12-03
Northport, NY
said by avze:

But what about the hint showing up in the Windows logon prompt after even 1 failed password?

I'm not sure I understand your point.

If you don't show the hint, then what is the purpose of the hint in the first place?


NOYB
St. John 3.16
Premium
join:2005-12-15
Forest Grove, OR
kudos:1
reply to avze
Depends on how obvious the hint is. If people can use bad passwords, they will also use bad hints. For your personal use it's probably not a problem, since you seem to grasp the potential issue. But for business-managed systems I'd disable the hint. There is always at least one person who would be stupid with it.

As for using the password itself as the hint: have you tried this? If Windows accepts the password as the hint, that I would certainly consider to be a flaw.

--
Be a Good Netizen - Read, Know & Complain About Overly Restrictive Tyrannical ISP ToS & AUP »comcast.net/terms/ »verizon.net/policies/

dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8
FWIW, domain-connected computers do not permit a hint.

(No need, either: just ask your domain admin to change your password if you forget it).