Bypassing Windows Sign-In Passwords

Aidan Palmer
5 min read · Oct 16, 2022

I recently found out about software that lets anyone reset a Windows login password as long as they can get into the BIOS boot menu and boot from a USB flash drive that carries the program. I already knew about the technique of booting a Windows recovery USB, opening a command prompt, and editing the registry hives, but didn't realize there was a more "user-friendly" option. It sounded too good to be true, so of course I had to buy one and try it. I'm sure I could have found everything on GitHub and built my own, but I was curious whether these purchasable drives are any different from a free download.

A few days and $20 later, I booted my old PC (running Windows 10) with the flash drive inserted and entered the BIOS menu. All you have to do is disable Secure Boot (which is what lets unsigned boot media run at all), enable Legacy Boot, go to the one-time boot menu, select the USB device, and hit Enter. You then land in an easy-to-navigate GUI that lists the local user accounts, shows which ones are active, and offers to reset their passwords.

The user-friendly GUI

By reset, I mean the tool clears the stored password so the account ends up with a blank one. There is no option to view the existing password or set a new one in this environment.

Now all you need to do is exit the application, restart the PC, and go to the Windows login screen as usual. There is no longer a password on the account, so you can sign in without even touching the keyboard. It really is that easy: simple enough that anyone with a basic understanding of computers and the ability to follow straightforward directions can get at someone's personal data, provided they have physical access to the device.

I want to make it clear that this is not the only way to reset a local Windows password, but it is by far the easiest. Instead of paying for one of these pre-configured USB flash drives, you can use your own USB device and install similar software yourself. You can also create a bootable Windows recovery USB, open the command prompt, and edit the registry hives to accomplish the same thing, just without a user-friendly GUI. I believe there is also a way to enter "repair mode" by repeatedly forcing Windows to shut down, after which you can use a command prompt to edit registry files (I have not tried this method). The method I used is simply the easiest one available, and it is a great example of how flawed Microsoft's idea of security is.

What I have described is the easiest scenario for getting into someone's local Windows account, but there are a few other settings that make it a little harder to bypass Microsoft's sign-in security.

Microsoft's answer to this seems to be to encourage users to sign in to their Windows PC with a Microsoft account. The idea is that to get into the system, someone would have to get into the online account, which is close to impossible if the user has a strong password and two-factor authentication enabled. At first I thought this was a good solution, but after some research and more playing around with my password reset USB, I realized that while you can't sign in as the Microsoft-account user without knowing the password, you can bypass it by enabling the built-in Administrator account that exists on every Windows install (it is disabled by default, and the offline tool can enable it and blank its password). A local administrator can take ownership of any other user's profile folder and read what is in it, which completely bypasses Microsoft's attempt at a solution. The Microsoft account protects the online account; it does nothing for files sitting unencrypted on the disk.
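A local-account audit in PowerShell, added here as an example (it is not the post's or Microsoft's code), that looks for exactly the state an offline reset leaves behind: the built-in Administrator (always RID 500, whatever it is named) enabled when it should be disabled, and enabled accounts that no longer require a password. Because an offline edit of the SAM hive generates no Security-log event, the script also keeps a JSON baseline of the local accounts and reports what changed since the last run. It only uses the LocalAccounts cmdlets that ship with Windows 10/11; the baseline path and the -Remediate switch are assumptions made for this example.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell
# prompt on Windows 10/11; uses only the built-in LocalAccounts module.
param(
    [string]$BaselinePath = "$env:ProgramData\local-account-baseline.json",  # assumed path
    [switch]$Remediate                                                         # assumed switch
)

function Get-LocalAccountState {
    # One record per local account with the properties an offline reset can change.
    Get-LocalUser | ForEach-Object {
        $rid = [int](($_.SID.Value -split '-')[-1])
        [pscustomobject]@{
            Name             = $_.Name
            Rid              = $rid
            BuiltInAdmin     = ($rid -eq 500)   # RID 500 is the built-in Administrator regardless of its name
            Enabled          = [bool]$_.Enabled
            PasswordRequired = [bool]$_.PasswordRequired
            PasswordLastSet  = if ($_.PasswordLastSet) { $_.PasswordLastSet.ToString('o') } else { $null }
        }
    } | Sort-Object Rid
}

function Get-Findings([object[]]$Accounts) {
    foreach ($a in $Accounts) {
        if ($a.BuiltInAdmin -and $a.Enabled) {
            "Built-in Administrator '$($a.Name)' is ENABLED (disabled by default; enabling it is the bypass described above)."
        }
        if ($a.Enabled -and -not $a.PasswordRequired) {
            "Enabled account '$($a.Name)' does not require a password."
        }
    }
}

function Compare-WithBaseline([object[]]$Current, [string]$Path) {
    # Offline SAM edits produce no 4720/4724/4738 events, so diff against the last known state instead.
    if (-not (Test-Path $Path)) { return @("No baseline at $Path; writing one now.") }
    $old = Get-Content $Path -Raw | ConvertFrom-Json
    foreach ($c in $Current) {
        $o = $old | Where-Object Rid -eq $c.Rid
        if (-not $o) { "New local account since baseline: '$($c.Name)' (RID $($c.Rid))"; continue }
        foreach ($p in 'Name', 'Enabled', 'PasswordRequired', 'PasswordLastSet') {
            if ("$($o.$p)" -ne "$($c.$p)") { "RID $($c.Rid): $p changed from '$($o.$p)' to '$($c.$p)'" }
        }
    }
    foreach ($o in $old) {
        if (-not ($Current | Where-Object Rid -eq $o.Rid)) { "Local account removed since baseline: '$($o.Name)' (RID $($o.Rid))" }
    }
}

$accounts = Get-LocalAccountState
$accounts | Format-Table -AutoSize

$report = @(Get-Findings $accounts) + @(Compare-WithBaseline $accounts $BaselinePath)
if ($report) { $report | ForEach-Object { Write-Warning $_ } } else { Write-Host "No findings." }

# Who can read everyone else's profile: members of the local Administrators group (well-known SID, locale-independent).
Get-LocalGroupMember -SID 'S-1-5-32-544' | Select-Object Name, PrincipalSource

if ($Remediate) {
    $accounts | Where-Object { $_.BuiltInAdmin -and $_.Enabled } | ForEach-Object {
        Disable-LocalUser -Name $_.Name
        Write-Host "Disabled built-in Administrator '$($_.Name)'."
    }
}

# Save the current state as the baseline for the next run.
$accounts | ConvertTo-Json | Set-Content -Path $BaselinePath -Encoding UTF8
```

Run it once on a known-good machine to write the baseline, then on a schedule; a report line saying RID 500 went from Enabled=False to Enabled=True with no corresponding Security-log event is the signature of an offline edit. Disabling the built-in Administrator only raises the bar slightly, since the same tool can re-enable it; the real fix is the disk encryption discussed further down.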

Another potential way to prevent unauthorized access to a Windows PC is to set a BIOS password. Since you must enter the BIOS boot menu to boot from the USB reset key, a BIOS password looks like a legitimate way to stop someone from using one. But anyone who works in IT knows that on most desktops you can press the BIOS reset button or jumper on the motherboard (if there is one) or pull the CMOS battery to reset all BIOS settings to their defaults, password included. The caveat is that many business laptops store the supervisor password in non-volatile memory that a CMOS reset does not touch, so on those models the password is a real obstacle rather than a speed bump. Either way, it requires somewhat prolonged, unattended access to the computer, since it takes longer than simply booting from a USB.

There does seem to be, however, one fairly reliable way to keep someone from reading your personal data: full-disk encryption such as BitLocker. I'll admit I'm no expert on disk encryption, but from the brief research I've done there is no way to read the data on the disk without its encryption key. That is also exactly why it stops the USB reset key: the tool works by rewriting the SAM registry hive on the Windows volume, and with the volume encrypted it can neither read nor modify that hive. With the default TPM key protector, the TPM only releases the volume key if the machine boots the same way it was configured, so disabling Secure Boot or switching to Legacy Boot to start the reset tool changes those measurements and Windows asks for the 48-digit recovery password instead. The protection is only as good as that recovery password's secrecy, so don't keep it with the laptop.
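The checks a practitioner would run to confirm a PC is actually protected against the offline reset, added here as an example (not the post's or Microsoft's code): Secure Boot on, TPM ready, the OS volume fully encrypted with protection on, a TPM-based key protector, and a recovery password that has been recorded somewhere safe. With the assumed -Enable switch it also turns BitLocker on for the system drive using the standard BitLocker cmdlets; the cipher and -UsedSpaceOnly choice are assumptions for a freshly installed machine.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell prompt on
# Windows 10/11 Pro/Enterprise; the BitLocker, TrustedPlatformModule and SecureBoot
# modules ship with Windows. -Enable is an assumed switch for this example.
param([switch]$Enable)

function Test-OfflineResetPosture {
    # Each check is one link in the chain the USB reset key depends on.
    $r = [ordered]@{}

    # 1. Secure Boot keeps unsigned boot media (the reset tool) from running, and on UEFI
    #    it is also what BitLocker's TPM protector binds to (PCR 7).
    try   { $r.SecureBootOn = [bool](Confirm-SecureBootUEFI) }
    catch { $r.SecureBootOn = $false }   # throws on legacy BIOS / CSM boot, which is the weak state anyway

    # 2. TPM: the volume key is sealed to the measured boot state, so toggling Secure Boot or
    #    Legacy Boot changes the measurements and the TPM refuses to release the key.
    $tpm = Get-Tpm
    $r.TpmReady = [bool]($tpm.TpmPresent -and $tpm.TpmReady)

    # 3. OS volume: fully encrypted, protection on, TPM-based protector plus a recovery password.
    $os    = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $types = @($os.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })  # Tpm, TpmPin, RecoveryPassword, ...
    $r.VolumeStatus     = "$($os.VolumeStatus)"                       # FullyEncrypted is the goal
    $r.ProtectionOn     = ("$($os.ProtectionStatus)" -eq 'On')        # Off means the key is exposed (suspended)
    $r.TpmProtector     = [bool]($types | Where-Object { $_ -like 'Tpm*' })
    $r.RecoveryPassword = $types -contains 'RecoveryPassword'

    $r.Hardened = $r.SecureBootOn -and $r.TpmReady -and $r.VolumeStatus -eq 'FullyEncrypted' -and
                  $r.ProtectionOn -and $r.TpmProtector -and $r.RecoveryPassword
    [pscustomobject]$r
}

$posture = Test-OfflineResetPosture
$posture | Format-List

if ($Enable -and -not $posture.Hardened) {
    $drive = $env:SystemDrive
    if ($posture.VolumeStatus -eq 'FullyDecrypted') {
        # XtsAes256 is the current default cipher; -UsedSpaceOnly is fine for a fresh install,
        # drop it for a disk that already held data you care about. -SkipHardwareTest avoids
        # the extra reboot that otherwise tests the TPM before encryption starts.
        Enable-BitLocker -MountPoint $drive -EncryptionMethod XtsAes256 -UsedSpaceOnly -TpmProtector -SkipHardwareTest
    }
    elseif (-not $posture.TpmProtector) {
        Add-BitLockerKeyProtector -MountPoint $drive -TpmProtector | Out-Null
    }
    if (-not $posture.RecoveryPassword) {
        Add-BitLockerKeyProtector -MountPoint $drive -RecoveryPasswordProtector | Out-Null
    }
    # Print the 48-digit recovery password so it can be stored somewhere the person
    # holding the laptop cannot reach (not a file on the same disk).
    (Get-BitLockerVolume -MountPoint $drive).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword' |
        Select-Object KeyProtectorId, RecoveryPassword
    if (-not $posture.SecureBootOn) {
        Write-Warning "Secure Boot is off; re-enable it in firmware setup, then run this check again."
    }
}
```

A machine where every field reports true and the volume is FullyEncrypted defeats the USB reset key outright: the tool cannot mount the volume to touch the SAM hive, and the firmware changes needed to boot it push BitLocker into recovery. Secure Boot cannot be switched on from PowerShell, which is why the script only warns about it.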

It's time for Microsoft to do something about their incredibly weak sign-in security. It shouldn't be this easy to reset a Windows user's password, and you shouldn't need to go through the trouble of setting up BitLocker just to ensure that someone with extended physical access can't read your data. Until Microsoft does something about this lack of security, it might be a good idea to set up BitLocker on your device if you travel a lot and keep sensitive data on it. On many newer Windows 10 and 11 PCs, including Home editions, "Device encryption" under Settings may already be on once you sign in with a Microsoft account; check it rather than assuming. Never step away from your laptop in a public place, because there's always the possibility that someone wants to sell your personal data rather than the device itself.

DISCLAIMER: This essay is intended for educational purposes only. It is always illegal to gain unauthorized access to a computer, and I absolutely do not condone these types of actions. I have written about a very well-known exploit that Microsoft is aware of. I do not claim to have “discovered” this vulnerability, I just wanted to share my opinion on the subject.

Aidan Palmer
I work in IT and like to write about anything tech-related that I find interesting.