A little correction: any program that runs as an administrator has access to your security questions.
Anyone having administrator token privileges can enable SeBackupPrivilege and yoink your security questions too. You don't even need LocalSystem rights to access SAM, well, anywhere besides the Windows Registry Editor.
Recently a family member needed help getting into their PC but they forgot their password. So I booted into a windows installation USB loaded the hive for SAM, and found the security questions. Come on Microsoft.
oops
That's great. Microsoft even forces you to select security questions
For real, I avoided it because it's unnecessary to even have in the first place.
shocking
So annoying to have to sign up with no password and when you're in create one just to not make those.
Mine are A, A, and A, so now people can hack me 😱 wait.. they need physical access… my password already sucks! I don’t need to worry
Torille!
i really like these casual less-edited videos where you just explain as you go its more natural i feel
likewise!
yeah , really enjoyed it
I agree! I prefer to hear someone explaining than to just read subtitles.
Also helps that there isn't as much earrape music in this type of his videos
Same here, I really enjoyed it
Microsoft: “We value your privacy”
Also Microsoft: “Not only is forcing windows recall (aka spyware) on us, but also stores Security Questions in plain text”
@@maddox5081 didn't they change it to be off by default lol
@@H3llfire320 It still stands that they've baked it directly into Explorer - they certainly want to force it to be always on later.
@@H3llfire320 Yeah but they’re trying to make it mandatory now saying it was just a “bug” that you could disable it
Not even my gibberish keyboard mash security questions are safe! Thanks, Microsoft.
💀
Lol
"What is your dog's name?"
"Wuuswh
@@Mizu2023 Your comment is amazing
@@Mizu2023 ”My dog name is “
4:48
Windows: Hi😭
Enderman: Bye🤣
The trick is you just press CTRL + ALT + DEL while you're on that screen and you sign back in :p much faster
i do this every single time
That got me 🤣
@@Dschoghurt This is a spam...
@@ScorAXE007 wait, does this actually work?
Two more things that would be interesting to try:
* What happens if there are _less_ than 3 questions in the list? Normally Windows never lets you select less, but can you do 2, 1, or even 0 questions?
* What if you use crazy UTF-16 text for the _answers_? Obviously it'll be impossible to type, but can the validation algorithm handle that correctly?
I think you can enter most things by using the Alt Gr key and some number combination ;)..
"security and privacy? whats that?" - michaelsoff
true :3
@@jajoothecoolman hi god :3
michaelhard
michaelsoft binbows
@@jajoothecoolman red ball 9
Microsoft Edge's password manager also stores all its passwords in plaintext (well, not really, they are encrypted but with a key that's in the same directory as the database... whoops).
id be curious if its just edge or every chromium browser as well
if it's encrypted, but the key is stored in the same database, why even bother encrypting it?
@@tmc249 TLDR: yes, always has been, google denied it as a security issue but recently added an option to encrypt them with a master password. Not sure if edge already has this or not, it's usually a few versions behind.
@@starleaf-luna the key is encrypted with your windows user's password. So an offline disk dump is useless if you don't know the password. (In theory at least, like enderman said, windows password hashes are a joke)
@@tmc249 That's why you should never save any password in any browser, even if it's Brave or Librewolf or whatever. The best password manager is your own head. :D
I remember years ago I just opened regedit using utilman on the lock screen and found all the security questions inside the sam folder in there lol
Bruh
Ok haiden
@@𰻝 eat glass
i feel like bad actors could use this to get personal information like what your real name is
also what happens if you set only 2 questions or a question that has no question prompt but an answer
4:25 andrew and ashley is not a good idea
rolling in my coffin rn
Beat me to it
i love cargo containers
@@artyoshka What's for soup?
don't get it
So that's another reason to skip adding a password during oobe and setting it afterwards, I never liked security questions.
I wish there was also an option to disable the password hint, but you can write random gibberish to that at least.
@@ezequieldom641 Did youtube make oobe a clickable search automatically or did you make it? If the latter, how?
when the hell did YouTube add a search feature to comments? the word “oobe” was blue and had a search icon
@@kab43 finally YouTube adding something that sounds useful
@@ezequieldom641 it’s a youtube search, not a google search. so close yet so far
@@ezequieldom641 I just type space as the password hint, it works
"only one of them are real, the rest are virtual"
Me who knows that you're using a virtual machine and that ALL of them are virtual:
11:44 bro got rickrolled by a code editor ☠️☠️☠️
we do some light trollege
rickroll in big 24 💔
That's why on OOBE I make an account without a password, and add it afterwards, on the desktop.
But I'm considering using cmd/powershell instead of the Settings app, so I can skip creating a password hint as well.
Another dumb thing: forcing you to create a less secure PIN when you add your fingerprint. Thank Microsoft I can include letters and symbols in the PIN, effectively turning that into a password.
if you change/set your password on the security options screen (ctrl+alt+del) you don't have to put in a password hint
just put no password then instantly shift f10 and do net user "user" "password" and that's it @@msedgeundwinfan
@@msedgeundwinfan That too
@@tapafon_red The PIN is just as secure if not more secure because it can not be phished and/or bruteforced as easily
I swear 90% of security issues in Windows can be solved by running your main account as a limited user and only elevating permissions when needed.
@@rdqsr That sounds kind of familiar...
The problem is that most software can't be installed without admin. Linux solves that problem using package archives (.deb, .rpm) and trusted package repositories
It's even worse. If you're using EFS (Encrypting File System) and have security questions enabled, the questions can decrypt the EFS private key, and gain access to encrypted files. This renders EFS completely useless. All an attacker needs to do is extract the security question answers from the registry and ask Windows to reset the password (in winlogon), and boom, suddenly they gain access to "encrypted" files. (btw, I tried this in a Windows 10 VM 21h1 but it might still work on newer versions).
Isn't the registry encrypted too?
@@someoneunknown6894 No. No it is not.
@@SpookerII Why not?
My POV is of a Linux user, and as far as I know, full disk encryption encrypts *everything* possible
6:37 elevate to trusted######### ?
@@DraidK yeah he almost got banned for making videos with trustedinstaller
why hashtag
insecurity questions
Well said
loved the THERE IS NO ESCAPE tidbit, wow that took me back
THERE IS NO ESCAPE
Screw the error-filled computer just this once. Embrace Cat.
Isn't this why Microsoft recommends you use a Microsoft account? You officially aren't really supposed to be able to make a local account on Windows 11 Home anyway... Wouldn't be surprised to see server and pro editions following suit.
Not saying this isn't bad though, honestly shocking how they don't encrypt this
you can make a local account just you have to do extra stuff to do it
@@SOTP. Exactly my point, it is a chore to create one - it isn't the intended method of account creation for a new user.
@@MegaBytesMe yeah
They HAD the option to make a local account on Windows 10. And they ALSO required you to make security questions.
And they, most likely, also stored them in plain text.
0:10 streeeeeeeeeeeeeeeeeeeech lol
The reason why you couldn't see it at 3:45 is cause once you leave the textbox, it hides the eye button. If you want it back, you gotta remove the ENTIRE password and type it again. Leaving even 1 character won't show it.
Lol the obvious NoEscape reference was so funny to me
Supposed to be researching on IoT but I'm gonna stay here
Same level of security
similar level of security
DUDE WHAT I WATCH YOUR VIDEOS NO WAY @@xpower7125
Same level of security. Hence probably a majority connects to Microsoft's Azure cloud servers or Chinese Tuya servers
Microsoft : We do things for your privacy. We care about it.
Also Microsoft : Does not fix RTLO attacks and hidden file extension attacks
you can also use a windows installer to gain access to trustedinstaller perms, so assuming the computer can boot into the installer, you can take whatever from wherever you want
I haven't fooled around with security questions to know for sure. But maybe it's stored in plain text in order to be able to compare between the expected and given answer to pass even with small differences like punctuation?
i love those experiments
Glad you enjoy them as much as I do!
yo what? You dont get the option to skip it?
@@trynagetgoodign yup. That's why this is so bad.
You can only skip these questions if you use command prompt to create the user account (or I think you can also use computer management in Pro editions) and then delete the previous one which has the security questions
Edit: or you can just leave the password empty during the OOBE ;)
and then remove them
just set up the oobe like normal, but in the password field don't fill in anything, just press to skip the password field, because on windows you can go to control panel and create a password and it will not ask for security questions
still russian accent. i love it
I know English is already the language of the world and most Slavs including Russians are often fluent in it, but it makes me wonder if Interslavic will ever be a popular language.
I am from Russia too
Why would it go away? I guess if he really made an effort to get rid of it but one would have to care a lot to bother to do that.
It's cringe
@@R1ch4rd you don't have to watch. Plenty of other YouTubers.
SAM is protected by System permission. If a hacker already has System, you might as well not have any passwords at all because you're already pwned regardless. As to why experts recommend not using security questions, it's because it's easier to guess, especially if you know that person. But you can just write gibberish as the answers. And psst, hey, here's a secret... You can disable security questions in group policy.
I always hated them. I was thinking that why does M$ want to know these private details about me. Anyways, is there way not to enter them at all?
don't set it at oobe and set it after you go to desktop, it doesn't ask as ik
@@HAKANKOKCU Last time I installed it in VM it did not give me any option not to set it.
@@test-rj2vl when it asks for the password leave it blank
i rlly like these more casual styled videos, pls do more
Bro just hacked windows in a couple of minutes, pov me: Trying to guess security questions in 10 hours
*TRYNA
getting rickrolled by Copilot is WILD
11:45 ain't no way you didn't hardcode that🤣
?
@@jajoothecoolman hardcoding is when something important like the main function is set in stone in the code instead of being something you input.
here enderman made the replacement q/a part of the code itself, meaning if this was compiled to a .exe it could only make one set of questions
why does microsoft even force you to do these? makes me have to spam my keyboard, AND NOW THAT IS EVEN NOT SECURE?????
2:40 oobe part that says "Hi" is also selectable
So I don't think this is as big a deal as you might think.
One scenario is where you have a local admin account on the system (which you need to access SAM anyway). In this case, you can just reset a user's password directly and take control of their account. Security questions don't matter here.
Another scenario is where you don't have access and try to guess the security question answers. In this case you can't see the values in the registry so it doesn't matter how they are stored. If you can get access that is a separate problem and how they are stored doesn't matter.
Last scenario is if you pull the hard drive or boot from an alternate OS from a CD or USB stick. In this case if the hard drive is unencrypted you can definitely get access which is a problem. Of course you also have access to all the user's data anyway that they haven't encrypted so that is a concern as well. BUT if they've used Bitlocker then you still can't view the security questions since they are encrypted with the rest of the drive, unless I'm mistaken about that. AFAIK Bitlocker should be enabled by default on new Windows installs now.
Should the security answers be better protected? Definitely. Only other thing I have to say is there could be some dumb reason they can't (such as allowing partial string matches).
Exactly what I was thinking the whole video
Like it's not accessible, and when it is, everything is accessible
0:35 ngl i would be just as annoyed if i dropped my ice cream
Kitties! You should do a video just showing off your cats.
AIs in code editors are so funny when you do strings, sometimes i get random things like "you will be rewarded with a free robux" or "THERE IS NO ESCAPE
THERE IS NO ESCAPE
THERE IS NO ESCAPE
THERE IS NO ESCAPE
THERE IS N"
Aside from that, this reminds me of chromium storing passwords in plain text
I love joining early to the premieres, the description is like: Links? Later
Omg Enderman uploading more videos!! 🎉🎉 You're awesome buddy you really explain in detail ❤
7:45 i love how he accidentally says "or 3 и (russian for and) 9"
Nice catch! Though I was referring to the hex number 3E9...
the registry said 3E9 and not 3 И 9
It was literally "3E9" if you see on the far left, but that would be an interesting mistake.
So cringe
@MoneyGrab yeah, "три E9" xD
That was a great video. Good thing I never setup the security questions for my windows account anyway.
Even worse, your password isn't secure either..
@@jynz_l hello Roblox guy who made windows 10 in boblox
@@team-fortress-1 sorry, i only made windows 11 not windows 10.
@@jynz_l mb
finally normal video with voice
Maybe MS decided to keep them unencrypted so they could do some level of fuzzy matching? Like if you typed "Tokyo" in OOBE but tried to reset with "tokyo". Or removing extra whitespace from answers or something like that
I mean, I'm not sure this is a security hole. You need to be an administrator to perform this. You can already change anyone's password if you're an administrator. The only problem with not hashing the answers is that an administrator can read them - and your answers should probably not contain sensitive information. So while they don't increase security, I'm not sure that they decrease it at all.
Many people lose their passwords and get saved by security questions. Which only someone with your computer can answer.
@@MuhammadDaniyal-wk3hp Nonsense. If you lose your password just reset it. All you need is any usb drive with windows on it. You don't need security questions.
These experiments are always great lol, just like bashing MS outright.
They really seem to be a security vulnerability in themselves, but oh well. Anyway, hope you have fun with your other projects as well
Video idea: bricking a windows system by flipping a single bit of
Do.... not... use....... Windows at all
@@saveliyivanov9943 use macos instead 😅
@@Checkm8ra1n nah linux is better
@@Checkm8ra1n for most work, yeah, none of the companies should use windows.. its so unsecure..
@@Checkm8ra1n fuck macos
Templeos supremacy fr fr :fire:
That first zalgo one may be useful to outright disable the questions
This really surpass all the security breach with generic questions easy to decrypt
Now with this is more hard find these questions
If you don’t want to set up security questions, do the following:
1: Don’t set a password.
2: Press Shift + F10 to open Cmd.
3: Type net user (username) (password) followed by Enter.
4: Complete the setup like normal. When finished, you may see an error message. Ignore it and log in. This will also skip the “Preparing Windows” message.
For anyone saying windows 11 is bad, i didn't get the telemetry thing and i didn't get a performance drop, i guess that's good
Darn... This is quite cool from malware standpoint I must say... not for usual user, though! :D
Thanks for the video!
"Don't use Windows security questions"
"Don't use windows" was enough for me
Can you do full Command prompt guide I think its cool and I don’t feel like searching every single detail and I would not even know what to search
1:24 they even used to force people to set up these, which really sucks for this plaintext security thing
14:00 I love how Windows doesn't even warn you, when you've reused the same or older password. Which is usually a Microsoft thing. 😅🤣
#BrokenW11
11:50 i love that
Love your voice man, where are you from?
@@eliaskerlin5465 Russia
Same OOBE error happened to me, the date was correct though
Probably an ambiguous region was selected during initial ISO setup, like English Europe.
@@R1ch4rd worked eventually though? I didn’t do anything at all and it just did
@@jam06 it eventually works, that's correct, but the error still persists.
2:49 you definitely don't want magic to happen when you are a sorcerer on your own
Only a minute left!
i saw you at his telegram channel xd
Good to hear you in good health. Good luck!
holy enderman is on a uploading rampage
You can always use a Nokia 6303i Classic and watch your videos by encoding them in H264, making them 240x320 and 10fps at 3gp format. Trust me it is more fascinating than you think.
your accent is improving over time
cool
That OOBE speedrun plus hi-bye😂
I Like Your Videos, Enderman. It is Interesting
Cool!
Here before the Enderman gets restricted by Google once again
16:22 Waiting for this to be in NoEscape 🔥
I mean, if any service uses system rights to compromise your user account, they would already have access to the whole system...
i can now troll my friends with security questions
wait its literally FORCED I CANT NOT ADD SECURITY QUESTIONS i want my mac back
Honestly, I think this means the only reasonable answer to a security question is the entire song text of "never gonna give you up" (or as much that fits). That way, if someone hacks you, at least you Rickroll them.
Windows Security Questions: Hi
Enderman: GO AWAY YOU'RE USELESS
Windows Security Questions: 😭😭😭
Remember guys, password in the system without any encryption is the password to prevent your toddler accessing the PC or to prevent your random classmates from googling black-orange YouTube when you don’t look at the laptop
Reminds me of how GD stores your password in your save file in plain text
you still have to decrypt ur save file ig lol
@@SOTP. It's not encrypted, just compressed with gzip
@@9vlc pretty sure it also uses xor and uses base64
joke's on windows, back when it tried to make me use security questions i skipped making a password and made a password/passcode instead through control panel so it wouldn't give me the option to use security questions
The internet would be fixed if
A : They let you make a local account
Or
B : They let you make a local account
Even if they were encrypted, these security questions aren't secure at all. There is a long list of people who would know or easily find/guess all of these, including but not limited to: My cousins, my parents and most of their friends, my own friends, my grandparents, my uncles and aunts. I don't want any of them to have unrestricted access to my computer.
Wait.. people actually answer those questions accurately? I've put bogus answers for like 15 years.
I love your keyboard sounds...
4:37 how did you get it to just be toggles? I've seen that UI before but always thought it was just early W10. It looks so much easier to decline than clicking No then Next over and over. Is it a GDPR thing where they can't have it pre-checked so have it as options instead?
Storing security questions in plain text? What is this, Microsoft?
wasn't the password itself stored in plain text pre nt 6.0?
Oh! Watching during premiere and it’s a video where my adhd ass will actually watch it because it’s a voiceover
The reason this is mega-mega bad: An attacker could use malware to get your security questions and their answers, and there's a decent chance some people will use the same security questions, and same answers, on different services. They can use that to gain access to those accounts.
what kind of hacker would hack secret questions if they can just steal cookies and not bother at all
@@mazellovvv for sites that force you to login every time, like some banks (mine does on the website)
@@mazellovvv because sometimes sites do log you out all the time, or some do it properly and invalidate the token when someone suddenly logs in with the same session token from across the fucking planet.
@@mazellovvv true but some people don't technically know about cookie logging soo they do this
@@mazellovvv Nah, it's still good to steal just in case the cookies get invalidated. It's also more information, and more info never hurts
I didn't test it because I always set my password in a way which bypasses the security question screen, but I assume they store it in plain text to make the matching case insensitive, also allow double space or whatever... Not that I would call that a good idea and say that there aren't other ways to do that like e.g., Facebook handles the password validation (checks with a few iterations)
They are probably stored in plain text to make it REALLY EASY for the NSA !
First. Love you endermanch ur videos are amazing >3 My security answers are:
Afagdhetif
shfiafh we
duagdifen
That's how I stay safe ;)
NEW ENDERMAN VIDEO 🔥🔥🔥🗣🗣🗣
You can find owner email of a MacBook with diagnostic logs bruh
I never wanted to use them, it was oobe windows that forced me to do so