How to Protect Windows 10 by Disabling Password Recovery Questions
Password recovery questions have been included with Windows 10 for over a year, but you would never know they exist if you sign in to your operating system with a Microsoft account. However, use a local account when you first install Windows, and you’ll be prompted to create three security questions that you can use to reset your password and sign in to your account – if you ever forget your credentials.
Sounds convenient, right? Unfortunately, security questions are not very good for account security, as we discussed earlier. It’s not only that a hacker can guess your high school’s name or your dog’s middle name. Since there is no way to disable these questions by default, a single successful hack is enough for an attacker to create a new secret question on your behalf and leave a permanent backdoor on your system.
This is exactly the scenario that a group of security researchers described in a recent presentation at the Black Hat Europe Security Conference, as Ars Technica writes:
“The problem, the researchers say, is that password reset questions are too easy to ask and too difficult to control on networks of hundreds or thousands of computers. One person with administrator credentials can remotely enable or modify them on any Windows 10 computer, and there is no easy way to track or modify the changes. As a result, attackers – say, a fraudster or a hacker with short-term unauthorized administrative control – can use security questions as a backdoor that secretly allows them to regain control if they ever lose control.”
Fortunately, the researchers (Magal Baz and Tom Sela of Illusive Networks) say they have developed a quick PowerShell script that can be used to permanently disable Windows’ built-in security questions. Just download the .ps1 file from here, launch PowerShell on your Windows 10 operating system, navigate to the folder containing the .ps1 file and enter the following to disable recovery questions:
Update-AllUsersQA
Using this command will cause a pop-up error message when you try to select the “Reset password” option on the Windows 10 login screen.
If you still want some kind of recovery option, but want to hide the fact that this feature works, try this instead (replacing “SecretAnswer” with the recovery answer you know you’ll remember):
Update-AllUsersQA -answer SecretAnswer
You will see a small warning that “This feature is disabled” when you go to retrieve your password, but you can ignore it. So secret; so safe.
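The researchers’ point that there is “no easy way to track” these questions suggests an inventory check. As an added example (not from the article and not the researchers’ script), the PowerShell below lists which local accounts have reset questions stored, so you can compare a machine before and after running Update-AllUsersQA. It assumes Windows 10 keeps each account’s questions as a JSON string in a SAM value named ResetData under HKLM:\SAM\SAM\Domains\Account\Users\<RID>, readable only as SYSTEM; the value name and JSON layout are assumptions, not something the article states.

```powershell
# Added example, not part of the article. Assumptions: per-account reset questions
# live in the SAM value "ResetData" (JSON: {"version":..,"questions":[...]}) under
# HKLM:\SAM\SAM\Domains\Account\Users\<RID in hex>. The SAM hive is readable only as
# SYSTEM, so run this from a SYSTEM context (e.g. a scheduled task running as SYSTEM).
$UsersKey = 'HKLM:\SAM\SAM\Domains\Account\Users'

function Get-LocalAccountResetQuestionStatus {
    if (-not [System.Security.Principal.WindowsIdentity]::GetCurrent().IsSystem) {
        throw 'The SAM hive is only readable as SYSTEM; run this from a SYSTEM context.'
    }
    # Map RID -> account name so the report is readable (RID is the last SID component).
    $names = @{}
    foreach ($u in Get-LocalUser) {
        $names[[int]($u.SID.Value.Split('-')[-1])] = $u.Name
    }
    Get-ChildItem -Path $UsersKey |
        # Per-account keys are 8 hex digits; this skips the "Names" subkey.
        Where-Object { $_.PSChildName -match '^[0-9A-Fa-f]{8}$' } |
        ForEach-Object {
            $rid  = [Convert]::ToInt32($_.PSChildName, 16)
            $data = (Get-ItemProperty -Path $_.PSPath -Name ResetData -ErrorAction SilentlyContinue).ResetData
            # Tolerate the value being stored as raw bytes instead of a string.
            if ($data -is [byte[]]) {
                $data = [System.Text.Encoding]::Unicode.GetString($data).TrimEnd([char]0)
            }
            $count = 0
            if ($data) {
                # Only count questions; never print the stored answers.
                try { $count = @((ConvertFrom-Json $data).questions).Count } catch { $count = -1 }
            }
            [pscustomobject]@{
                RID           = $rid
                Account       = $names[$rid]
                QuestionsSet  = [bool]$data
                QuestionCount = $count   # -1 means present but not in the assumed JSON layout
            }
        }
}

Get-LocalAccountResetQuestionStatus | Format-Table -AutoSize
```

A QuestionCount of -1 means the value exists but does not match the assumed layout, which is exactly the case to look at by hand.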