Windows does not store the local account password, but it does store a
hash value, also known as a 128-bit digital "fingerprint", of the
password. A hash is a one-way math function that accepts a string as
input, in our case a password, and provides a value as output, the
hash value. A hash function has some properties:
1) from a hash value it is computationally hard, we assume impossible,
to retrieve the input string
2) two different input strings will most certainly, we assume
certainly, produce two different hash values
Windows stores hash values in the SAM file located in
C:\WINDOWS\system32\config\SAM
This file is encrypted and locked by Windows. So, AFAIK, it's already
protected at best.
The same file is also located in C:\Windows\Repair for backup purposes
and it is not locked, but its access is protected via ACL. This can be a
problem if someone/some program runs with administrative privilege.
Whenever our password is required the logon box appears and we type
in the password; the box applies the hash function to it and forwards
the hash to the security subsystem, which reads the hash for that user in
the SAM and compares the two values. If they match, we are
authenticated.
What are the risks we should be aware of?
1) AFAIK the only way to obtain a pwd from a hash value is to use
brute force. That is, use a huge password dictionary and apply the hash
function on every pwd; if the hash value matches the first hash value
then you have the password.
2) How can the hash value be obtained?
-) grab the SAM file and decrypt it; this means having access to the
machine. Note that when a machine is physically accessible any
security system is in vain. One can boot with a DOS disk and access the
file system. Years ago I used a Linux boot disk and then overwrote the
administrator password with a new one.
-) if you run as administrator then it is sufficient that a program does
this. So, if you can, use a simple user without admin privileges.
-) in a network, obtain the hash by sniffing the network. But I don't
know how exactly this works and guess it is not easy.
Keep in mind that the info provided is not complete, hence there can
be other security facts that you should be concerned about in order to
be secure.
HTH,
Al
PS: some passwords, not local account ones, are stored in the registry. Use
http://www.forensicideas.com/tools.html to check what you have there
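An added example, not part of Al's post, that models in Python the logon check and risk 1 as the post describes them. It assumes SHA-256 over the UTF-16LE password as a stand-in for the Windows hash (not the real algorithm), and the user names, passwords and wordlist are constructed sample data.

```python
import hashlib
import hmac

def password_hash(password: str) -> bytes:
    """Stand-in for the one-way function the post describes.

    Assumption: SHA-256 over the UTF-16LE encoding of the password, used
    here only for illustration; it is not the algorithm Windows uses.
    There is no per-user salt, matching the post's description of a
    hash computed from the password alone.
    """
    return hashlib.sha256(password.encode("utf-16-le")).digest()

def verify_logon(stored: dict, user: str, typed_password: str) -> bool:
    """The logon flow from the post: hash what was typed and compare it
    with the stored hash for that user (constant-time compare)."""
    expected = stored.get(user)
    if expected is None:
        return False
    return hmac.compare_digest(password_hash(typed_password), expected)

def audit_weak_passwords(stored: dict, wordlist: list) -> dict:
    """Risk 1 from the post, run as a defender's password audit. Because
    the hash has no per-user salt, each word is hashed once and looked up
    against every user's stored hash at once. Returns {user: weak_pwd}."""
    by_hash = {}
    for user, h in stored.items():
        by_hash.setdefault(h, []).append(user)
    found = {}
    for word in wordlist:
        for user in by_hash.get(password_hash(word), []):
            found[user] = word
    return found

# Constructed sample data: a tiny "SAM" and a tiny dictionary. Two users
# share a password, so their stored hashes are identical (no salt).
SAMPLE_SAM = {
    "alice": password_hash("Summer2009"),
    "bob": password_hash("j7#Qz!w9Lm$2rT"),
    "carol": password_hash("Summer2009"),
}
SAMPLE_WORDLIST = ["password", "123456", "Summer2009", "letmein"]

if __name__ == "__main__":
    print(verify_logon(SAMPLE_SAM, "alice", "Summer2009"))  # True
    print(verify_logon(SAMPLE_SAM, "alice", "summer2009"))  # False
    print(audit_weak_passwords(SAMPLE_SAM, SAMPLE_WORDLIST))
    # {'alice': 'Summer2009', 'carol': 'Summer2009'}
```

The audit result also shows why an unsalted hash is a problem in itself: every user with the same password has the same stored value, so one dictionary pass covers all accounts.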