Is it true that Windows 7 or 8 user account password is a joke?

dc2000

New member
Member
VIP
Local time
12:22 PM
Messages
153
I was under impression that the user account password security in Windows 7 or Windows 8 has been improved by Microsoft since the old days of Windows XP, and that it is now virtually impossible to bypass it... well, I thought so until I read this, or watched this.

Can someone confirm or deny that it is that easy to bypass someone's Windows user account password? If so, why even setting it up? It just makes life more complicated...

Also a follow-up question. If I use something like disc encryption (TrueCrypt), or Microsoft's own BitLocker, will it be as easy to get into my data too?
 

My Computer My Computer

At a glance

Windows
OS
Windows
dc2000, nothing is 100% safe
 

My Computer My Computer

At a glance

Windows 10 Pro X64Intel(R) Core(TM) i5-3570K CPU OC@ 4.5GHZ Turbo8.00 GB DDR3 1600MhzMSI Gaming X GTX 1070
Computer type
PC/Desktop
Computer Manufacturer/Model Number
Dude Build
OS
Windows 10 Pro X64
CPU
Intel(R) Core(TM) i5-3570K CPU OC@ 4.5GHZ Turbo
Motherboard
MSI Z77A-G45 Gaming
Memory
8.00 GB DDR3 1600Mhz
Graphics Card(s)
MSI Gaming X GTX 1070
Sound Card
Realtek High Definition
Monitor(s) Displays
Dell S23O9W, HP L1710
Screen Resolution
DELL-1920 x 1080 HP-1280 x1024
Hard Drives
Crucial m4 256 SSD, WD 7200RPM 500GB WD 1TB
PSU
Seasonic X650 GOLD
Case
Zalman Z12
Cooling
Antec Kuhler 920
Keyboard
Logitech
Mouse
MSI DS100 Interceptor
Internet Speed
50 down and 5 up
Antivirus
MSE
Browser
Chrome, IE 11
Other Info
Logitech X-620 Speakers
dc2000, nothing is 100% safe
Well, I agree. But this one is not even 10% safe. I think even my mom can follow those instructions to reset my Windows 8 password :)
 

My Computer My Computer

At a glance

Windows
OS
Windows
Lets cover something. Physical access to a machine, that computer is owned. No amount of security could Microsoft or any other vendor (say Apple) could do to protect it. However, forcibly removing a password from an account has the side effect of destroying access to any encrypted files, which if you do not have a recovery key those files are gone. The encryption is tied to a users password, changing it without going though the proper steps removes the ability to decrypt those files.

The fact of the matter is, users want to have accounts that don't require passwords, this there must be the ability for user account not to have a password. Thus it can be removed by force. There is no way to protect from that. Not that it would matter, if some one has physical access they could just take the HDD out and claim all data that way.

Bitlocker and TrueCrypt HDD encryption are designed to defend against physical access attacks like this.

And no, this is not a security hole or oversight. Being able to wipe out passwords has been easy enough for anyone with administrative power, or physical access. Hell, I've done it a few times at work when a user forgets their password. Few clicks in the User and Group control panel clears their password or change it to whatever.

This "Password reset hack" is not a hack, just script kiddies thinking they are big stuff. Speaking of which, it requires administrative power on the computer to change one file for another. So the attacker must already have access to an account with administrative power. You are on the other side of the air-tight-hatch. I wouldn't even need to do this "hack" to reset your password. They went the long way round.
 

My Computer My Computer

At a glance

Windows 10 Pro (x64)Intel Core i7-3930K (3.2GHz - 4.5GHz)4x Samsung 4GB PC3-12800 DDR3 (16GB 1600MHz)Nvidia Geforce GTX 690
Computer type
PC/Desktop
Computer Manufacturer/Model Number
Alienware Aurora ALX R4
OS
Windows 10 Pro (x64)
CPU
Intel Core i7-3930K (3.2GHz - 4.5GHz)
Motherboard
Alienware Aurora-R4 x79
Memory
4x Samsung 4GB PC3-12800 DDR3 (16GB 1600MHz)
Graphics Card(s)
Nvidia Geforce GTX 690
Sound Card
SteelSeries Siberia Elite
Monitor(s) Displays
Dell UltraSharp U3011
Screen Resolution
2560x1600
Hard Drives
Samsung 850 Pro 256 GB, Seagate 1TB Desktop Hybrid HDD, 2x Western Digital 4TB Green HDD
PSU
875W Some Dell PSU <.<
Case
Alienware Aurora ALX
Cooling
Custom Liquid Cooling (EK CPU & GPU blocks) dual EK 480RAD
Keyboard
Logitech G710+ Mechanical
Mouse
Logitech G700s
Internet Speed
Verizon Fios (50 mbps average)
Other Info
Server: Intel NUC D54250WYK: i5-4250U, 16GB, 256 GB mSATA, Windows Server 2012 R2
Lets cover something. Physical access to a machine, that computer is owned. No amount of security could Microsoft or any other vendor (say Apple) could do to protect it. However, forcibly removing a password from an account has the side effect of destroying access to any encrypted files, which if you do not have a recovery key those files are gone. The encryption is tied to a users password, changing it without going though the proper steps removes the ability to decrypt those files.
OK. Good point. So at least my HDD files encrypted with BitLocked will not be that easily accessible, right?
 

My Computer My Computer

At a glance

Windows
OS
Windows
Backup HDD Image

I'm not sure if this is the right way to phrase this.

If your files are encrypted, it is even more important to keep backup HDD images.

If your files aren't encrypted, there are easy ways to recover your data if there is a Windows OS problem (e.g. use a Live Linux CD/DVD).
 

My Computer My Computer

At a glance

W7 Ultimate SP1, LM19.2 MATE, W10 Home 1703, ...AMD Phenom II x6 1100T, 3.3 GHz12GB DDR3 1333 G-Skill (4GB x 2), G-Skill (2G...NVIDIA GeForce GTX 660
Computer type
PC/Desktop
Computer Manufacturer/Model Number
n/a
OS
W7 Ultimate SP1, LM19.2 MATE, W10 Home 1703, W10 Pro 1703 VM, #All 64 bit
CPU
AMD Phenom II x6 1100T, 3.3 GHz
Motherboard
ASUS M4A88T-M/USB3 (AM3)
Memory
12GB DDR3 1333 G-Skill (4GB x 2), G-Skill (2GB x 2)
Graphics Card(s)
NVIDIA GeForce GTX 660
Sound Card
Realtek?
Monitor(s) Displays
Samsung S23B350
Screen Resolution
1920x1080
Hard Drives
WD Green 2TB (SATA), WD Green 3TB (SATA), WD Blue 4TB (SATA), WD Blue 6TB (SATA)
PSU
Cooler Master
Case
Antec GX300 Tower
Cooling
3x Antec TRICOOL 120mm Fans
Mouse
Wired Optical
Internet Speed
DSL
Antivirus
Avast
Browser
Pale Moon (64 bit)
Other Info
2018-12-27 Upgraded HDDs
2015-12-10 Upgraded case, graphics card, storage
2015-08-15 Upgraded motherboard & RAM
2015-07-15 Upgraded LM17.1 to LM17.2
The way I view user passwords on Windows, I consider them adequate to keep out the random passerby that might stumble across my computer by accident. Against an actually serious threat though? I don't even consider user passwords as even existing, far more effective to concern myself with stuff like NATs and firewalls against network attacks and encryption against local attacks.
 

My Computer My Computer

At a glance

Windows 7 Ultimate x64 SP1Intel Core i7 2700K @ 3.5GHz (TurboBoost disa...16GB (4x4GB) Kingston HyperX DDR3 1600MHz @ 1...Nvidia EVGA GeForce GTX 1060 6GB
Computer type
PC/Desktop
Computer Manufacturer/Model Number
N/A (custom-built)
OS
Windows 7 Ultimate x64 SP1
CPU
Intel Core i7 2700K @ 3.5GHz (TurboBoost disabled)
Motherboard
ASUS P8Z68-V/GEN3
Memory
16GB (4x4GB) Kingston HyperX DDR3 1600MHz @ 1333MHz
Graphics Card(s)
Nvidia EVGA GeForce GTX 1060 6GB
Sound Card
Realtek High Definition Audio (motherboard integrated)
Monitor(s) Displays
NEC Multisync EX231W
Screen Resolution
1920x1080 @ 60Hz via DVI-D
Hard Drives
2x Western Digital 1TB SATA3 Caviar Black Internal HDD // 1x WD 500GB USB 3.0 "My Passport Essential" External HDD // 1x WD 1TB USB 3.0 "My Passport Essential" External HDD // 2x WD 2TB USB 3.0 "My Passport Essential" External HDD
PSU
Corsair Professional Series Gold AX850
Case
Antec 300
Cooling
Air-cooling
Keyboard
Steelseries 6Gv2
Mouse
Steelseries Sensei RAW Glossy, Logitech M500
Internet Speed
DSL (AT&T)
Antivirus
Microsoft Security Essentials
Browser
Pale Moon, Mozilla Firefox 12, Opera 12, Chromium, IE9
Other Info
Virtual Machines (VirtualBox):
* Japanese Windows XP Professional SP3
* Japanese Windows 7 Professional SP1
Back
Top