Security and passwords: an anti-pattern found in current Windows

The two most important principles of security are to resist entry, and call for help so that the time bought by the resistance allows for a meaningful response. This is true of physical and computer security.

Shockingly, this proof of concept shows that the Windows LoginW API does neither: it allows even the guest account to attempt an unthrottled number of bad password attempts. As the notes say, even on a small machine, this is over 10,000 attempts per second, on one thread.

This means that any other security hole that allows code to execute on the machine does not require an account: the code can run the entire dictionary of known or extrapolated passwords in seconds and, if left undisturbed, can brute-force any password by systematically walking through the whole password space.

This is an epic failure. Yes, if throttling is put in place, it needs to be done thoughtfully (to avoid a denial of service attack where a bad actor locks legitimate users out), but this is truly disgraceful. The guest account should progressively delay subsequent attempts to make this infeasible, and the guest account should time out with a suitable message that it is due to an attempted break-in.

In addition: where is the security alert?
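The design the two paragraphs above call for, as an added example that is not part of the original post: a logon gate that doubles the delay after each consecutive failure, refuses the account for a limited window once a threshold is reached, and raises an alert exactly once. The class name, the parameters and the injected clock are my own assumptions; the lockout is temporary precisely so that an attacker cannot lock a legitimate user out for good.

```python
import time
from dataclasses import dataclass

@dataclass
class AccountState:
    failures: int = 0          # consecutive failed attempts
    not_before: float = 0.0    # earliest time the next attempt is accepted
    alerted: bool = False      # whether an alert was already raised

class LogonThrottle:
    """Progressive delay plus a temporary lockout and a security alert.

    base_delay doubles with each consecutive failure up to max_delay; after
    max_failures the account is refused for lockout_seconds and an alert is
    emitted once. All values are illustrative (assumed), not Windows defaults.
    """

    def __init__(self, alert, clock=time.monotonic, base_delay=1.0,
                 max_delay=60.0, max_failures=10, lockout_seconds=900):
        self.alert = alert            # callable(account, failures) -> None
        self.clock = clock            # injectable so the policy can be tested
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.state = {}

    def may_attempt(self, account):
        """Return (allowed, seconds_to_wait). Call before verifying a password."""
        st = self.state.get(account)
        if st is None:
            return True, 0.0
        wait = st.not_before - self.clock()
        return (True, 0.0) if wait <= 0 else (False, wait)

    def record(self, account, succeeded):
        """Update the account's state after a verification attempt."""
        if succeeded:
            self.state.pop(account, None)   # a good logon clears the history
            return
        st = self.state.setdefault(account, AccountState())
        st.failures += 1
        if st.failures >= self.max_failures:
            st.not_before = self.clock() + self.lockout_seconds  # resist entry
            if not st.alerted:
                st.alerted = True
                self.alert(account, st.failures)                 # call for help
        else:
            delay = min(self.base_delay * 2 ** (st.failures - 1), self.max_delay)
            st.not_before = self.clock() + delay
```

With base_delay=1 and max_failures=10, ten consecutive failures cost about 17 minutes of waiting before the lockout even starts, against the page's 10,000 attempts per second for the unthrottled API.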

In the bigger picture, this is why leadership has to teach the why of design, including security. And why we all have to keep alert, learning, and not be satisfied by “ok, now it’s done.”