Security and passwords: an anti-pattern found in current Windows

The two most important principles of security are to resist entry, and call for help so that the time bought by the resistance allows for a meaningful response. This is true of physical and computer security.

Shockingly, this proof of concept shows that the Windows LoginW API does neither: it lets even the guest account make an unlimited number of bad password attempts with no throttling at all. As the notes say, even on a small machine, this is over 10,000 attempts per second, on one thread.

This means that any other security hole that allows code to execute on the machine, even without an account, is enough to run the entire dictionary of known or extrapolated passwords in seconds and, if undisturbed, to brute force any password by systematically walking through all possible passwords.

This is an epic failure. Yes, if throttling is put in place, it needs to be done thoughtfully (to avoid a denial of service attack where a bad actor locks legitimate users out), but this is truly disgraceful. The guest account should progressively delay subsequent attempts to make this infeasible, and it should time out with a suitable message that the lockout is due to an attempted break-in.

In addition: where is the security alert?
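To make the remedy concrete, here is an added example (not code from the post, and nothing to do with the Windows API itself) of the progressive delay, time-limited lockout and security alert described above, together with a simulation of a patient dictionary attacker. The password verifier is a stand-in lambda, and the delay and lockout parameters are assumptions chosen for the illustration.

```python
import time
from typing import Callable, Dict, List, Tuple

class AuthGate:
    """Password verifier wrapped in per-account exponential backoff, a time-limited lockout
    and a security alert; the lockout expires by itself, so an attacker can delay the real
    user but not lock them out for good (the denial-of-service caveat above)."""

    def __init__(self, check_password: Callable[[str, str], bool],
                 clock: Callable[[], float] = time.monotonic, base_delay: float = 0.5,
                 max_delay: float = 30.0, lockout_after: int = 10, lockout_seconds: float = 900.0):
        self.check_password, self.clock = check_password, clock  # the real verifier is hypothetical
        self.base_delay, self.max_delay = base_delay, max_delay
        self.lockout_after, self.lockout_seconds = lockout_after, lockout_seconds
        self.failures: Dict[str, int] = {}      # consecutive failures per account
        self.not_before: Dict[str, float] = {}  # earliest time the next attempt is evaluated
        self.alerts: List[str] = []             # what the event log / SIEM would receive

    def attempt(self, user: str, password: str) -> str:
        now = self.clock()
        if now < self.not_before.get(user, 0.0):
            return "throttled"                  # nothing is checked inside the delay window
        if self.check_password(user, password):
            self.failures[user] = 0
            return "ok"
        n = self.failures[user] = self.failures.get(user, 0) + 1
        if n >= self.lockout_after:
            self.failures[user] = 0             # the lockout is the penalty; count afresh after it
            self.not_before[user] = now + self.lockout_seconds
            self.alerts.append(f"ALERT t={now:.1f}s: {n} consecutive failures for {user!r}; "
                               f"locked for {self.lockout_seconds:.0f}s")
            return "locked"
        # Doubling delay after each failure: 0.5, 1, 2, 4, 8, 16 s, then capped at max_delay.
        self.not_before[user] = now + min(self.base_delay * 2 ** (n - 1), self.max_delay)
        return "bad_password"

def simulate_dictionary_attack(wordlist: List[str], window_seconds: float,
                               user: str = "guest", **gate_options) -> Tuple[int, int]:
    """Patient attacker against an account whose password is NOT in the list: retries the
    instant the gate allows and stops when the window ends. Simulated time advances only
    while waiting. Returns (passwords the gate actually evaluated, alerts raised)."""
    now = [0.0]
    gate = AuthGate(lambda u, p: False, clock=lambda: now[0], **gate_options)
    checked, i = 0, 0
    while i < len(wordlist) and now[0] < window_seconds:
        if gate.attempt(user, wordlist[i]) == "throttled":
            now[0] = gate.not_before[user]      # wait out the delay, then retry the same word
            continue
        checked, i = checked + 1, i + 1
    return checked, len(gate.alerts)
```

With these parameters the simulated attacker gets 40 guesses evaluated in an hour and raises four alerts, against the 36 million that the post's 10,000 attempts per second would allow; a legitimate user who mistypes once waits half a second and is then let in.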

In the bigger picture, this is why leadership has to teach the why of design, including security. And why we all have to keep alert, learning, and not be satisfied by “ok, now it’s done.”

By Dak

Father, leader, writer, scientist, visionary.

Technical software development leader (CTO, VP). Excels when improving and turning around teams, putting better tools and software architectures in place, and getting better outcomes.
