Does Windows have a very weak password lurking in its crypto libraries?


Microsoft's Raymond Chen took to his "Old New Thing" blog this week to explain why Windows has a hash of a weak password in its cryptographic libraries.

The string in question was spotted by a customer, who reported they'd found the SHA256 hash of "abc" in the Windows cryptographic libraries.

Dodgy passwords are the bane of many an administrator, and plenty of organizations are keen to show you how best to manage the things. Change them frequently. Don't change them frequently. Use random gibberish. Don't use random gibberish. And so it goes on.

Irrespective of this, there is no doubt that "abc" is not a great choice for a password. However, Chen has an explanation for its presence: it is part of the library's self-test to ensure nothing is amiss with the modules. It isn't actually being used as a password per se.

We can imagine the alerts raised by various source control tools at the sight of a hard-coded password lurking in the code. After all, no engineer would have dropped such a thing into their carefully crafted source, right?

Chen said: "You can find this hard-coded 'well-known SHA256' in the sha256.c module, with the 'plaintext' in selftest.c. The values are used by the function SymCryptSha256SelfTest to verify that the algorithm produces the expected answer."

Windows is hardly the only codebase to contain such things. One user commented: "It's not just a peculiar artefact of the Windows cryptographic library, 'abc' is simply a standard test string used for hash functions going back to at least MD5 in 1991."


A swift search around other libraries showed several other test strings that would be less than ideal as passwords but help validate that functions are working correctly.

Chen said: "The fact that an insecure password appears in the cryptography libraries doesn't mean that the library is using them as passwords. In this case, they are just test data."

He concluded: "I bet you can find insecure passwords in a lot of binaries if you set your mind to it. Just scan for the bytes 61 62 63 in any binary, and if you find it, you can get all excited: 'Hey, your binary contains the insecure password abc!'" ®
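As an added illustration, not code from Chen's post or from SymCrypt itself, the Python below shows the shape of the known-answer self-test Chen describes and why a scanner that only looks for the bytes 61 62 63 cannot tell compiled-in test data from a credential. The sample "binary" and the function names are constructed for this example; the digests are the published test vectors for the message "abc".

```python
import hashlib

# Known-answer test (KAT) vectors for the message "abc", the standard first test
# message for MD5 (RFC 1321) and the SHA family (FIPS 180-4).
TEST_MESSAGE = b"abc"
KNOWN_ANSWERS = {
    "md5": "900150983cd24fb0d6963f7d28e17f72",
    "sha1": "a9993e364706816aba3e25717850c26c9cd0d89d",
    "sha256": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
}


def self_test(algorithm: str) -> bool:
    """Hash the fixed message and compare it with the compiled-in answer.

    This is the shape of a library self-test: both the plaintext and the
    expected digest live in the binary, so a scanner sees a 'password' and
    its hash side by side even though nothing is ever authenticated with them.
    """
    digest = hashlib.new(algorithm, TEST_MESSAGE).hexdigest()
    return digest == KNOWN_ANSWERS[algorithm]


def run_self_tests() -> dict:
    """Run every KAT; a real library would refuse to operate on any failure."""
    return {alg: self_test(alg) for alg in KNOWN_ANSWERS}


def triage_abc_hits(blob: bytes) -> dict:
    """Show why scanning for bytes 61 62 63 alone is a poor 'hard-coded password' rule.

    Every occurrence of b'abc' is reported (it fires inside unrelated words too),
    and the blob is also checked for a known-answer digest of 'abc'; finding one
    marks the hit as compiled-in self-test data rather than a credential.
    """
    offsets, start = [], 0
    while (pos := blob.find(TEST_MESSAGE, start)) != -1:
        offsets.append(pos)
        start = pos + 1
    kat_digests = [alg for alg, hx in KNOWN_ANSWERS.items() if bytes.fromhex(hx) in blob]
    verdict = "known-answer test data" if kat_digests else "bare 'abc' bytes only"
    return {"abc_offsets": offsets, "kat_digests": kat_digests, "verdict": verdict}


# Constructed stand-in for a compiled binary: a self-test plaintext, its SHA-256
# answer, and an unrelated word that also happens to contain the bytes 61 62 63.
SAMPLE_BINARY = (b"\x00selftest\x00" + TEST_MESSAGE + b"\x00"
                 + bytes.fromhex(KNOWN_ANSWERS["sha256"]) + b"\x00abcdef\x00")
```

Running `triage_abc_hits(SAMPLE_BINARY)` reports two occurrences of "abc" but a single SHA-256 known answer, which is what distinguishes a self-test vector from a real secret.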