3
2
How do I set up a windows account, so that Windows will accept any password to login. I want to create the illusion of security for the user. Where the user believes that there account is secure and has a password, when it actually has none. I am obviously operating under the assumption that I am an Administrator on the computer in question. How would I go about doing this?
David
Posted 2013-09-01T17:50:56.573
Reputation: 451
3
For Vista and newer you would need to write your own Credential Provider to be shown at the login screen along side the normal login.
For XP and older you need to write a new GINA interface, this in theory could replace the old login entirely (and that is one of the reasons why Vista and newer no longer uses GINA).
Any advice on how to do either of those is off topic for Super User, you would need to work on it on your own and when you get stuck go ask on Stack Overflow about the specific issue you are having creating your own implementation.
Scott Chamberlain
Posted 2013-09-01T17:50:56.573
Reputation: 28 923
I'm sorry, but am I the only one who giggles a little when I read that as 'gina interface? XD – Moses – 2013-09-04T00:39:23.670
1Wow, what a unique and malicious question! I don't think you could do it as you described without really getting into Windows and making a mess of things. But, I think you could make a fake Windows logon, so its the illusion of logging on... – Austin T French – 2013-09-01T18:04:52.513
@AthomSfere it's hardly malicious.. anybody would realise soon enough that any password works. it's not like it helps the administrator of the machine to set that up! Maybe it's just to demonstrate how easily somebody can be fooled. And asking how to do it, It's an interesting thing to do! And obviously if setting that up, one doesn't need good security! i'm sure it's not to secure the crown jewels. – barlop – 2013-09-01T18:21:08.390
1@barlop the product certainly could be malicious, not necessarily that the intent of the OP is. And all it takes to get a good password is someone mistyping theirs once... I did upvote the question too, because although its a security issue, its a good question for both the concept and the vulnerabilities of users it could expose. – Austin T French – 2013-09-01T18:45:34.513
3This ranges from misguided through malicious to ethically and perhaps legally wrong. Don't do it. – Rory Alsop – 2013-09-01T19:23:58.990
1@AthomSfere but he isn't asking how to steal passwords when a user logs in / how to set up a replacement log in screen, (and i'm not sure that that the latter has even been done). He's asking along the lines of having a username where any password works. I suppose if one could replace the entire user account system /log in screen, then it would allow what he wants and could steal passwords that way, but I don't think that has ever been done, and really to get a password there's l0ftcrack or peter nordahl's offline nt.., but he wasn't asking about getting a password. – barlop – 2013-09-01T20:50:43.460
1@barlop but with he is asking, getting an un-hashed password is an arguably natural evolution of one of the likely vectors to hack windows the way he is asking... – Austin T French – 2013-09-02T00:38:21.503
1@RoryAlsop alternatively it's a fun and creative prank or an attempt to learn how to defend a system against such an attack. Don't be so glum. This site is for learning, not for working out what's legally and morally correct. – Ярослав Рахматуллин – 2013-09-02T10:26:13.463
Yeah - this one doesn't lend itself to learning though, and if you did it as a prank you'd leave yourself open to all sorts of criminal damage. – Rory Alsop – 2013-09-02T11:53:55.730