
Does Windows XP or Windows 7 encrypt saved passwords?

I'm assuming that the user uses a local password to log on.

The user then uses his own computer to connect to a server at work and ticks the "remember password" box in the password dialog. The other password I'm interested in is the password to the WiFi network: is it stored encrypted using the user's local password, or is it just obfuscated?

Are there any other passwords to network services Windows can remember? Are they encrypted?

EDIT:

I know that Windows XP, when the password has less than 14 characters, stores LM hashes, which can be broken in about 7 seconds.

And of course, if the passwords aren't encrypted with the local user password, access to them will be easy if one has physical access to the computer or administrative account.

EDIT2: Windows uses PBKDF2 with the Data Protection API (http://msdn.microsoft.com/en-us/library/ms995355). The question remains: is it used for saving network credentials?

Hubert Kario
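The EDIT2 above points at DPAPI without showing what it actually gives you. The following is an added example, not part of the question or any answer, that calls DPAPI through the .NET `System.Security.Cryptography.ProtectedData` wrapper around `CryptProtectData`. It protects the same constructed secret once in `CurrentUser` scope (the blob is encrypted under a master key derived from this user's logon credential, which is what makes a stolen disk alone insufficient) and once in `LocalMachine` scope (any process on the machine can unprotect it, no user password involved), then shows that the round trip only succeeds with the matching scope and entropy. The secret and entropy strings are constructed sample values.

```powershell
# Added example: DPAPI user-scope vs machine-scope protection of a constructed secret.
# Run in Windows PowerShell on any supported Windows version.
Add-Type -AssemblyName System.Security

$scopeUser    = [System.Security.Cryptography.DataProtectionScope]::CurrentUser
$scopeMachine = [System.Security.Cryptography.DataProtectionScope]::LocalMachine

# Constructed sample secret and optional "additional entropy" (an application-held value
# that must be supplied again on Unprotect; it is not stored in the blob).
$secret  = [System.Text.Encoding]::UTF8.GetBytes('constructed-sample-password')
$entropy = [System.Text.Encoding]::UTF8.GetBytes('constructed-app-entropy')

# CurrentUser scope: encrypted under a master key tied to this user's logon credential.
$blobUser = [System.Security.Cryptography.ProtectedData]::Protect($secret, $entropy, $scopeUser)

# LocalMachine scope: tied to the machine only; an attacker running code on the box,
# or holding its machine key, can unprotect it without knowing any user password.
$blobMachine = [System.Security.Cryptography.ProtectedData]::Protect($secret, $entropy, $scopeMachine)

'User-scope blob   : {0} bytes' -f $blobUser.Length
'Machine-scope blob: {0} bytes' -f $blobMachine.Length

# Round trip succeeds for the same user with the same entropy.
$plain = [System.Security.Cryptography.ProtectedData]::Unprotect($blobUser, $entropy, $scopeUser)
'Round trip OK    : {0}' -f ([System.Text.Encoding]::UTF8.GetString($plain) -eq 'constructed-sample-password')

# Wrong entropy fails with a CryptographicException. Unprotecting a user-scope blob as a
# different user fails the same way, which is the property the question is asking about.
try {
    $wrong = [System.Text.Encoding]::UTF8.GetBytes('wrong-entropy')
    [void][System.Security.Cryptography.ProtectedData]::Unprotect($blobUser, $wrong, $scopeUser)
    'Unexpected: unprotect with wrong entropy succeeded'
} catch {
    'Unprotect with wrong entropy failed as expected: {0}' -f $_.Exception.Message
}
```

The practical reading: a `CurrentUser` blob on a stolen, unencrypted disk is only as strong as the password the master key was derived from, so a weak password (or a recoverable LM hash, as the question notes) undermines it; a `LocalMachine` blob is no better than file permissions once someone has code execution on the machine.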

3 Answers


On the wireless password side of things, for WEP/WPA keys, this is retrievable from an unencrypted (e.g., no FDE) Windows laptop. Utilities like Wireless Key View can be used if the machine can be booted by the attacker.

On the Windows side of things my understanding is that passwords are stored in a quite heavily encrypted format, but that it's possible to dump the hashes. For domain passwords, a laptop has to store it locally somewhere to allow for users to log in when the machine is not connected to the domain.

Also it's not actually always necessary to crack the password to make use of it. In some cases it's possible to use the password hash to attack other systems (e.g. using Metasploit and psexec).

Ultimately I'd strongly recommend full disk encryption (e.g., TrueCrypt) for any laptops that store sensitive information.

Iszi
Rory McCune
  • The suggestion should rather be to use full disk encryption for any laptops used by people that have access to sensitive information (as the passwords will likely be the same, if not even use the same authentication backend)... Fortunately, to use a bare NTLM hash for authentication, the attacker needs access to the local network. Hardly any sites use NTLM authentication on websites. Running Terminal Services without NLA and TLS is asking for trouble. – Hubert Kario Aug 23 '11 at 15:43

http://windows.microsoft.com/en-US/windows7/Store-passwords-certificates-and-other-credentials-for-automatic-logon

When you log in to a server remotely and you save credentials on a Windows box, the information is saved in a vault.

Windows Vault storage location:

Windows 7 stores the Windows Vault files in C:\Users\[UserName]\AppData\Roaming\Microsoft\Credentials if the computer is an Active Directory domain member, and in C:\Users\[UserName]\AppData\Local\Microsoft\Credentials otherwise. If you want to get rid of all your stored credentials you can simply delete the encrypted files in these locations.

Getting the information is very easy once the user has access to the computer in question.

"Cain & Abel can restore passwords from the Windows protected storage, the Credential Manager, standard edit boxes, LSA secrets, SQL Enterprise Manager, Windows Mail, dialup, Remote Desktop profiles, and the Windows wireless configuration service."

Also, if the user has access to the box they will be able to use pass-the-hash to move throughout the network.

If the PC is Windows XP, see below; if not, the solution below may still work:

Try restarting the laptop in Safe Mode. To do this, turn the laptop on and continuously press F8 until a menu is displayed. When the menu is displayed, click on Safe Mode (without networking). When the welcome screen comes on, click on Administrator, then go to Control Panel, User Accounts, and you will have to delete the account. But at least you got into the laptop. If you don't use the welcome screen, at the log in screen put the username as "Administrator" and leave the password blank. This usually works.

Also, if the laptop is Win 7: http://www.youtube.com/watch?v=-HCWOUUofxY Now, the video and the link about hacking XP and Win 7 are about removing the admin password; this does not REMOVE the other credentials used to connect to a network. Hope this helps.

I have not tested the links to see if they work on Win 7 or XP.

And lastly,

"Q: What is the Registry location where Windows XP stores the wireless key?

A: The wireless keys are stored in the Registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WZCSVC\Parameters\Interfaces\[Interface Guid]. The [Interface Guid] is a unique GUID value that represents your wireless network card. The keys are well-encrypted by the Windows operating system, so you cannot watch them with RegEdit."

AviD
  • I'm still not sure if the passwords are encrypted. Updated the question. – Hubert Kario Aug 23 '11 at 14:11
  • What is my answer missing? – Dennis Hayden Aug 23 '11 at 14:17
  • On the links you provided there is no information about encryption, it's only *secure*. I want to know if the passwords are in danger when somebody has stolen a laptop with them. If they are encrypted and the user password is secure (no LM hashes) then they are (relatively) safe. Not so much if only file permissions make them secure... – Hubert Kario Aug 23 '11 at 14:22

For Windows XP and Windows 7, the passwords are stored in the SAM file located on the disk. The location is usually C:\WINDOWS\system32\config\SAM.

The passwords are one way hashed with either LM or NTLM hash.

Wireless passwords are stored differently between the two operating systems you listed. Windows XP wireless passwords are managed by a service called Wireless Zero Configuration. WEP keys can be decoded back to their plaintext value, but WPA cannot as it is encrypted with SHA1. On XP the keys are stored in the registry here: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WZCSVC\Parameters\Interfaces\[Interface Guid]. However, tools like Cain from Oxid will easily retrieve and decode them for you.

For Windows 7 the wireless keys are managed by a service called WLAN AutoConfig.

Chris Dale
  • Probably worth noting that the SAM file is a registry hive and is accessible via the registry API - it is protected by a DACL which permits access only to SYSTEM, so you must run as SYSTEM (using task scheduler is the easiest method). – Ben Jul 13 '18 at 10:43
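Between them, the answers above name four storage points an owner of a Windows 7/XP laptop should care about: the LM/NTLM hashes in the SAM (Chris Dale), the Credential Manager vault files and `cmdkey` entries (Dennis Hayden), the wireless profiles kept by Wireless Zero Configuration / WLAN AutoConfig (both), and whether the disk is encrypted at all (Rory McCune). The following is an added read-only audit script, not code from any of the answerers, that checks each of those from the defender's side. It assumes an elevated Windows PowerShell session and relies only on built-in tools; the `NoLMHash` value under the `Lsa` key is the documented switch that stops Windows storing the weak LM hash, and `manage-bde` is only present on editions that ship BitLocker (Windows 7 Enterprise/Ultimate and later), which the script checks for rather than assumes. It deliberately lists wireless profiles without displaying their keys.

```powershell
# Added example: read-only audit of the credential storage points discussed in the answers.
# Run in an elevated Windows PowerShell session (PowerShell 2.0 on Windows 7 is enough).

# 1. LM hash storage in the SAM. NoLMHash=1 stops Windows keeping the LM hash; it is the
#    default from Vista onward but absent on XP. An existing LM hash stays in the SAM until
#    the user next changes the password, hence the advice in the else branch.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
if ($lsa -and $lsa.NoLMHash -eq 1) {
    'LM hash storage : disabled (NoLMHash=1)'
} else {
    'LM hash storage : ENABLED or unset - set NoLMHash=1 and have users change their passwords'
}

# 2. Credential Manager vault files (the DPAPI-protected blobs under the Credentials folders
#    named in Dennis Hayden's answer) and the entries cmdkey knows about. Neither step
#    reveals a secret; it only tells you what would be at risk on a stolen, unencrypted disk.
$credDirs = @("$env:APPDATA\Microsoft\Credentials", "$env:LOCALAPPDATA\Microsoft\Credentials")
foreach ($dir in $credDirs) {
    if (Test-Path -Path $dir) {
        $blobs = Get-ChildItem -Path $dir -Force -ErrorAction SilentlyContinue |
                 Where-Object { -not $_.PSIsContainer }
        'Credential blobs: {0} file(s) in {1}' -f @($blobs).Count, $dir
    } else {
        'Credential blobs: folder not present: {0}' -f $dir
    }
}
'Saved credential entries (cmdkey /list):'
cmdkey /list

# 3. Wireless profiles held by WLAN AutoConfig (Windows 7). Profile names only; the
#    key material is not displayed.
'Wireless profiles (netsh wlan show profiles):'
netsh wlan show profiles

# 4. Full disk encryption status. manage-bde exists only on BitLocker-capable editions;
#    if it is missing, check for third-party FDE (e.g. TrueCrypt) by hand.
if (Get-Command -Name manage-bde.exe -ErrorAction SilentlyContinue) {
    'BitLocker status for {0}:' -f $env:SystemDrive
    manage-bde -status $env:SystemDrive
} else {
    'manage-bde not available on this edition - verify third-party full disk encryption manually'
}
```

Read the output together: unset `NoLMHash` plus no disk encryption is the combination the question worries about, because the recoverable LM hash hands over the password that the DPAPI-protected vault and wireless blobs ultimately depend on. With LM hashes disabled and the volume encrypted, a stolen laptop leaves the attacker with encrypted blobs and no cheap route to the key.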