Recently, a group of researchers described a scenario in which password recovery questions were used to hack a Windows 10 PC. This has led some to suggest disabling the feature. But you don’t need to do this if you are a home computer user.

So what’s going on here?

As first reported by Ars Technica, Windows 10 added the ability to set password recovery questions for local accounts last year. Security researchers have looked into this and have found that on a business network the feature can be abused.

Two important points stand out immediately:

  • First, the entire scenario relies on computers connected to a domain network, which is what you would find on a business network with managed computers.
  • Secondly, the vulnerability applies only to local accounts. This is especially interesting because if your computer is part of a domain, you are almost certainly using a centralized domain user account rather than a local account. And security questions are not allowed for domain accounts by default.

There is a third point that is even more important. All of this requires the attacker to first gain administrator-level access to the network. From there, they can then identify machines connected to the network that still have local accounts, and then add security questions to those accounts.

Why bother?

The idea is that if administrators detect and revoke the attacker’s access and subsequently change all passwords, the attacker could theoretically go back to those machines and use their own questions to reset those passwords and regain full access.

The researchers also suggested that an attacker could use a hashing tool to determine the previous password and then set that old password back, hiding the fact that a reset ever took place. The problem for the attacker is that most domain networks don’t allow password reuse by default.

When Ars Technica asked Microsoft for a comment, the response was short:

The described method requires the attacker to already have administrator access.

While this may seem like a dismissive answer at first glance, what Microsoft is implying is correct, and that brings us to the real heart of the matter. When an attacker gains administrator-level access to a network, the potential damage and attack opportunities go far beyond simple password reset techniques. And if the network is strong enough to prevent a malicious actor from ever gaining administrator-level access, then it’s all moot.

So, to sum up: the attacker would first need to gain administrator-level access to a business network using a Windows domain, find computers that still have local accounts, and then create security questions so they can get back into those computers if they are detected and blocked. And that only becomes a concern once their administrator-level access has already given them every opportunity to do harm.

Understood. So does this apply to me?

If you’re using a Windows 10 PC at home, the short answer is almost certainly no. And that’s why:

So the chances are very high that none of this research applies to you. But even if you’re using a local account on a domain-joined computer, it all comes down to an age-old pair of questions. How much convenience should you give up in the name of security? And conversely, how much security should you give up in the name of convenience?

In this case, the chances of a bad actor gaining access to your machine and using your security questions to take full control are incredibly small. The chances of forgetting your password and needing those questions are slightly higher. Assess your situation and make the best choice for you.
